On November 13, an administrative law judge for the FTC dismissed an August 2013 administrative complaint alleging that diagnostic laboratory LabMD had "failed to provide reasonable and appropriate security for personal information on its computer networks." The FTC's complaint stemmed from two incidents: one in which a spreadsheet of patient insurance information was found on a peer-to-peer file sharing network, and another where the Sacramento Police Department found LabMD documents, including names, Social Security numbers, and bank account information, in the possession of identity thieves. After over two years of proceedings, the FTC's administrative law judge found that LabMD's conduct did not constitute an unfair trade practice because the FTC failed to show that the "limited exposure of the [data at issue] has resulted, or is likely to result, in any identity theft-related harm." The judge also found that there was insufficient evidence to establish a causal connection between the alleged gaps in LabMD's security practices and the exposure of the data. Nor was there sufficient evidence to demonstrate that consumers were harmed or likely to be harmed by the "limited" exposure of data. The decision appeared to turn on strength and reliability of FTC's evidence. Of particular concern to the judge was the fact that the FTC relied on information from a company that had a financial incentive to find the alleged data breaches and sell remediation services. As a result, the decision may prompt the FTC to closely examine the cases it chooses to pursue in the future.