The FTC recently filed an administrative complaint against a medical lab, LabMD, for failing to take reasonable steps to protect the security of consumers’ personal data, including medical information. Per the FTC’s press release, the FTC "issues an administrative complaint when it has 'reason to believe' that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The issuance of the administrative complaint marks the beginning of a proceeding in which the allegations will be tried in a formal hearing before an administrative law judge."
The suit specifically identifies two incidents. First, the FTC says a LabMD spreadsheet with insurance billing information (names, social security numbers, dates of birth, and health insurance info) was found on a peer-to-peer (P2P) file-sharing network. Such networks are often used to share music, videos, pictures, etc. Critically, once a file has been shared onto a P2P network and downloaded by other peers, it can continue to be shared across the network even if the original source of the file is no longer connected. Next, the FTC alleges that the Sacramento Police Department found LabMD documents (containing names, social security numbers, and bank account information for at least 500 people) in the possession of identity thieves. According to the complaint, some of those SSNs are being used (or have been used) by more than one person with different names.
Based on this, the FTC asserts that LabMD:
- Didn’t implement or maintain a comprehensive data security program to protect sensitive information
- Didn’t use readily available measures to identify commonly known or reasonably foreseeable risks and vulnerabilities
- Didn’t use adequate measures to prevent LabMD employees from accessing information not needed to perform their jobs
- Didn’t train their people on basic security practices
- Didn’t use readily available measures to prevent and detect unauthorized access to personal data
Interestingly, the actual complaint is not on the FTC website because LabMD has asserted that the documents it provided to the FTC contain confidential business information. The FTC press release about the case can be found here: http://ftc.gov/opa/2013/08/labmd.shtm.