In a complaint filed last month, the Federal Trade Commission alleged that medical testing laboratory LabMD left nearly 10,000 patients’ medical and personal information vulnerable to theft in at least two major incidents. The complaint claims LabMD failed to take “reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data – including health information – it held”. But the Georgia-based company denies any culpability.
In 2009, the FTC began investigating the exposure of personal information belonging to more than 9,000 LabMD patients – including their names, Social Security numbers, birth dates, health insurance information, and medical diagnoses. A spreadsheet containing the patients’ information was reportedly found on a publicly accessible peer-to-peer (P2P) file-sharing network.
While P2P software is often used for music and video file sharing, it can also create a significant security risk. The software lets users share files with other users, but typical clients share an entire directory rather than individual files, so any file saved to or moved into the shared folder is exposed to every peer on the network, including files containing sensitive data that were never meant to be shared. Once the data is shared on the network, any user who downloaded a copy can continue to share it with other users even after the source of the original file is no longer connected, so there is no way to recall it. The FTC says exposure of this kind of information put the victims at risk of identity theft and compromised the confidentiality of their medical information. But, according to the FTC, this wasn’t LabMD’s only mistake.
In 2012, California police found LabMD documents in the possession of confirmed identity thieves. Several of the Social Security numbers in those documents were being used by more than one person under different names, which the FTC cites as an indicator of identity theft.
To prevent future breaches and privacy violations, the complaint offered a proposed order that would require LabMD to implement a comprehensive information security program. In turn, the program would be audited by an independent security professional every two years for the next 20 years. Plus, LabMD would have to notify any consumers whose data may have been exposed in the breaches.
LabMD responded to the complaint, describing it as a “witch hunt” “based, in part, on the alleged actions of Internet trolls.” In an official press release, LabMD says it “looks forward to vigorously fighting against the FTC’s overreach by seeking recourse through the available legal processes.” Beyond formal press statements, LabMD’s founder has taken up the cause with his own speaking tour and a new book giving his account of the government-funded surveillance program that allegedly uncovered the P2P-shared data.
Given LabMD’s resolve to challenge the investigation, this case will be worth watching. Never underestimate the power of the “Kill the Messenger” strategy.