
Federal Trade Commission Files Privacy Complaint Against LabMD Over Unsecure Consumer Info

by | Feb 23, 2015 | Essential, HIPAA-lca, Lab Compliance Advisor


Protecting the personal information of consumers is a top priority for the Federal Trade Commission (FTC), and Atlanta-based medical testing laboratory LabMD failed on two separate occasions to adequately secure and protect that information, according to a complaint filed by the commission on Aug. 29. LabMD files containing sensitive consumer information were found on a peer-to-peer (P2P) file-sharing network and, in a separate incident, in the hands of identity thieves. In total, the complaint alleges that LabMD exposed the sensitive personal information of approximately 10,000 individuals between the two incidents.

LabMD conducts tests on consumer samples collected by physicians and sent to the laboratory. It performs tests on consumers from all over the United States.

The FTC complaint alleges that “LabMD failed to take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data—including health information.” The file found on the P2P network, a spreadsheet, contained names, Social Security numbers, dates of birth, health insurance information, and treatment codes for over 9,000 consumers.

The complaint alleges that the Sacramento, Calif., police department found LabMD documents in the hands of identity thieves in a 2012 case. These files included the same information as the others, with the addition of bank account information for some of the individuals. Some of the Social Security numbers have been used by more than one person with different names, a sure sign of identity theft.

“The Commission issues an administrative complaint when it has ‘reason to believe’ that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest,” said the FTC. “The issuance of the administrative complaint marks the beginning of a proceeding in which the allegations will be tried in a formal hearing before an administrative law judge.”

The complaint includes a proposed order against LabMD that would require it to implement a comprehensive security program, something the company should have already done under the Health Insurance Portability and Accountability Act (HIPAA), and have that program evaluated every two years for the next 20 years. The order will require LabMD to notify all of the consumers involved in the two incidents and any others whose information LabMD has reason to believe may have been compromised.

In a September 17 response to the FTC complaint, LabMD denies that it has engaged in conduct that violates Section 5 of the FTC Act and asserts that the agency does not have the statutory authority to regulate the acts or practices alleged in the complaint. In its response, LabMD requests that the Administrative Law Judge deny the commission’s requested relief and dismiss the complaint in its entirety with prejudice.

Takeaway: Allegations by the Federal Trade Commission that a laboratory exposed consumer info underscore the need for all health care providers to ensure they are meeting HIPAA privacy and security requirements.
