FTC Holds LabMD Liable for Negligent Information Security

The Federal Trade Commission issued an opinion today finding that a medical laboratory's data security practices violated federal law, continuing the discussion of what reasonable data security practices are and should be.

The case concerns a now-defunct medical testing laboratory, LabMD, Inc., a facility headquartered in Georgia that tested medical specimen samples from, and sent test results to, health care providers across the country. Labs like LabMD do business with insurance companies, medical providers, and patients alike.

According to the FTC's August 2013 charges, the lab had "accumulated and maintains personal information for nearly one million consumers." The Commission charged that the facility's practices for protecting those consumers' personal data and private medical information were inadequate and ultimately constituted unfair practices in violation of Section 5 of the Federal Trade Commission Act. The July 28, 2016, Order reverses a 2015 initial decision by an administrative law judge who had dismissed the charges against LabMD.

In its unanimous opinion, the Commission identified the lax practices LabMD employed and reasoned that its policies and procedures did little to safeguard the private information entrusted to it.

The Commission found LabMD’s practices caused substantial injury and also posed a high likelihood of significant future harm to consumers. According to the Commission, LabMD’s “failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.” Even after the company began its winding down process in 2014, LabMD “continues to maintain the personal data of hundreds of thousands of people on its computer system.”

The FTC clearly articulated the expectation that LabMD was, by virtue of the fact that it was “entrusted with patients’ sensitive medical and financial information…obligated to put reasonable security systems in place to guard against the risk of unauthorized release of such information.”

It might seem obvious that companies that deal in sensitive patient medical information must safeguard that information. But what safeguards are required? What exactly is a reasonable data security practice, and what is unreasonable?

The FTC’s opinion gives fairly specific guidance on what LabMD could have and should have done differently.

The Commission stated: “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
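The Commission's list names controls without describing them, and "file integrity monitoring" in particular is often treated as a checkbox. The following is an added illustration (not code from the FTC opinion, from LabMD, or from this article) of what the control actually does: it hashes every file under a directory, stores that baseline, and on the next run reports files that were added, removed or modified. The scenario it runs is constructed for the demo: after the baseline is taken, an unapproved file-sharing client appears, a configuration file is changed to share a folder, and a report file disappears. All file and directory names are made up for the example.

```python
"""Minimal file integrity monitoring (FIM): hash a directory tree, keep a
baseline, and report files added, removed or modified since the baseline.

Added illustration for this article; not code from the FTC opinion or from
LabMD. Every path and file name below is constructed for the demo."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks so large
    files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under `root` (relative, '/'-separated path)
    to its SHA-256 digest and size. Symlinks are skipped so a planted link
    cannot make the monitor hash, or report on, a file outside the tree."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full),
                             "size": os.path.getsize(full)}
    return baseline


def compare(baseline, current):
    """Diff two baselines. Lists are sorted so the report is stable."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then introduce the three
    kinds of change a monitor must catch. Returns the change report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "billing"))
        with open(os.path.join(root, "billing", "monthly_report.txt"), "w") as fh:
            fh.write("constructed sample report\n")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("share_folder=none\n")
        baseline = build_baseline(root)

        # 1. an unapproved binary appears (stand-in for a P2P client)
        with open(os.path.join(root, "p2p_client.exe"), "wb") as fh:
            fh.write(b"MZ constructed stand-in for an unapproved binary")
        # 2. a config file is edited to share a folder
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("share_folder=C:/billing\n")
        # 3. a report file is deleted
        os.remove(os.path.join(root, "billing", "monthly_report.txt"))
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

Running the script lists one added file (`p2p_client.exe`), one modified file (`config.ini`) and one removed file (`billing/monthly_report.txt`). In a real deployment the baseline is stored and signed off the monitored host, the comparison runs on a schedule, and each "added" or "modified" entry is routed to someone who has to act on it; a monitor whose reports nobody reads is the failure mode the Commission describes.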

The FTC's specificity may be a strong signal about what the FTC, and other regulatory bodies such as the Department of Health and Human Services (whose Office for Civil Rights enforces the Health Insurance Portability and Accountability Act, or "HIPAA"), see as the standard of care in protecting the confidentiality and integrity of consumer and patient data. Those standards may also make their way into the courts in other data breach cases, giving patients and other consumers clearer, wider grounds from which to demand relief when their personal and private information is not adequately safeguarded.

By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2016. All rights reserved.

This entry was posted in Cyber Security, Negligence, Privacy.