- As a result of LabMD, Inc. allegedly failing to reasonably protect the security of consumers’ personal data, including medical information, the Federal Trade Commission (FTC) filed a complaint this week. LabMD, a cancer detection facility, offers analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers.
The FTC maintains that LabMD had exposed more than 9,000 patients’ data over a peer-to-peer (P2P) file-sharing network and failed to accomplish these items:
- Implement or maintain a comprehensive data security program to protect this information
- Use readily-available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information
- Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs
- Did not adequately train employees on basic security practices
- Did not use readily available measures to prevent and detect unauthorized access to personal information
“The unauthorized exposure of consumers’ personal data puts them at risk,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”
LabMD responded to the FTC’s complaint by describing it as a “witch hunt” and said that the FTC’s action is a clear example of federal government overreach. LabMD made this statement, according to PHIPrivacy.net:
The Federal Trade Commission’s enforcement action against LabMD based, in part, on the alleged actions of Internet trolls, is yet another example of the FTC’s pattern of abusing its authority to engage in an ongoing witch hunt against private businesses. The allegations in the FTC’s complaint are just that: allegations. LabMD looks forward to vigorously fighting against the FTC’s overreach by seeking recourse through the available legal processes.
The FTC has repeatedly overstepped its statutory authority under Section 5 of the Federal Trade Commission Act and the FTC does not have the authority to bring this enforcement action.