The Federal Trade Commission today announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges against medical testing laboratory LabMD, Inc. In reversing the ALJ ruling, the Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
The case concerns the alleged failure by Respondent LabMD, Inc., which operated as a clinical laboratory for physicians, to protect the sensitive personal information, including medical information, of consumers. Over the course of its operations between 2001 and 2014, LabMD collected sensitive personal information, including medical information, for over 750,000 patients.
As explained in its unanimous opinion, written by Chairwoman Edith Ramirez, the Commission concludes that the ALJ applied the wrong legal standard for unfairness and finds that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
The Commission further finds in its opinion that “these failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.”
Section 5 of the FTC Act authorizes the Commission to challenge “unfair or deceptive” acts or practices in or affecting commerce. Section 5(n) provides that an act or practice may be deemed unfair if it “causes or is likely to cause substantial injury to consumers” which is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition.
The Commission in its decision concludes that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” and that LabMD’s disclosure of a file containing this information for 9,300 consumers caused substantial injury. In addition, the Commission finds that LabMD’s security practices were “likely to cause substantial injury,” as they led to the exposure of sensitive information to millions of online P2P users, and because complaint counsel proved that the likelihood and magnitude of potential harm were both high. Complaint counsel’s expert witnesses identified a range of harms such as medical identity theft that can often result from the unauthorized disclosure of the types of sensitive personal information maintained by LabMD on its computer network.
Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.
LabMD has 60 days after service of the Commission’s Opinion and Final Order to file a petition for review with a U.S. Court of Appeals.
The Commission vote to issue the opinion and order was 3-0.