The Federal Trade Commission has released a provisionally redacted public version of its complaint against LabMD (PHIprivacy.net’s coverage of LabMD linked here).
Intriguingly, the complaint cites another situation that appears to be unrelated to the “1718 file” incident:
In October 2012, the Sacramento, California Police Department found more than 35 Day Sheets and a small number of copied checks in the possession of individuals who pleaded no contest to state charges of identity theft. These Day Sheets include personal information, such as names and SSNs, of several hundred consumers in different states. Many of these consumers were not included in the P2P insurance aging file, and some of the information post-dates the P2P insurance aging file. A number of the SSNs in the Day Sheets are being, or have been, used by people with different names, which may indicate that the SSNs have been used by identity thieves.
The inclusion of this information may be used to demonstrate that the Limewire incident was not an isolated security failure and that LabMD likely had at least one other security incident. Inspection of the Appendix to the complaint reveals that the day sheets were dated between 2007 and March, 2009 (well after the “1718 File” P2P incident). I contacted LabMD for additional details on what appears to be a breach, but have not yet gotten a response.
Again, it’s not clear to me whether this latter incident should have been reported to HHS, as pre-HITECH, there was no obligation to notify HHS or individuals, although as HHS reminded me today, there was an obligation to mitigate any harm and to have a security incident response plan. But as of right now, we don’t even know when LabMD first learned of the data theft (if that’s what it was), so it’s hard to figure out which laws even applied on a federal level, much less a state level. If they first learned of it after September 23, 2009, then HITECH provisions should apply.
I’ll try to update this post if I can get more details.
Meanwhile, over on DataBreaches.net, I’ve posted the portion of the complaint that addresses LabMD’s alleged security failures, as it provides some guidance to businesses (and HIPAA-covered entities) about what practices may run you afoul of the FTC Act.