FTC files data security complaint against LabMD
If your clients are focused on data security — and they should be — here’s a development they’ll want to know about. The FTC just filed an administrative complaint against Atlanta-based LabMD. The company does lab work for people across the country when their local doctors send in samples for testing. The primary allegation: that the company failed to reasonably protect the security of consumers’ personal data, including medical information.
The lawsuit recounts two separate incidents. First, the FTC says a LabMD spreadsheet with insurance billing information was found on a peer-to-peer (P2P) file-sharing network. The spreadsheet had names, Social Security numbers, dates of birth, and health insurance info for more than 9000 people. What’s more, the spreadsheet included standardized medical treatment codes.
P2P software is often used to share music, videos, and other stuff, but it comes with a substantial risk that sensitive documents can be inadvertently shared, too. And once a file is downloaded onto a P2P network, it’s Katie, bar the door. It can be shared across the network even if the original source of the file isn’t connected any more.
The FTC also alleges the Sacramento Police Department found LabMD documents in the possession of identity thieves. What was in the files? Names, Social Security numbers, and in some cases, bank account information for at least 500 people. According to the complaint, some of those SSNs are being used (or have been used) by more than one person with different names. That could be a possible indicator of ID theft.
Among other things, the complaint alleges that LabMD:
- Didn’t implement or maintain a comprehensive data security program to protect sensitive information;
- Didn’t use readily available measures to identify commonly known or reasonably foreseeable risks and vulnerabilities;
- Didn’t use adequate measures to prevent LabMD employees from accessing information not needed to perform their jobs;
- Didn’t train their people on basic security practices; and
- Didn’t use readily available measures to prevent and detect unauthorized access to personal data.
At this point, we’d usually suggest you read the complaint for details, but we can’t right now. In the course of the investigation, LabMD has broadly asserted that documents provided to the FTC contain confidential business information. So the complaint won’t be publicly available until those matters are resolved.
The case is pending before an Administrative Law Judge.