From the no-surprise dept., this press release on an opinion by the FTC finding totally in their own favor:
Commission Finds LabMD Liable for Unfair Data Security Practices
Stating Company Failed to Protect Consumers’ Sensitive Medical and Personal Information
The Federal Trade Commission today announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges against medical testing laboratory LabMD, Inc. In reversing the ALJ ruling, the Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
The case concerns the alleged failure by Respondent LabMD, Inc., which operated as a clinical laboratory for physicians, to protect the sensitive personal information, including medical information, of consumers. Over the course of its operations between 2001 and 2014, LabMD collected sensitive personal information, including medical information, for over 750,000 patients.
As explained in its unanimous opinion, written by Chairwoman Edith Ramirez, the Commission concludes that the ALJ applied the wrong legal standard for unfairness and finds that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
The Commission further finds in its opinion that “these failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.”
Section 5 of the FTC Act authorizes the Commission to challenge “unfair or deceptive” acts or practices in or affecting commerce. Section 5(n) provides that an act or practice may be deemed unfair if it “causes or is likely to cause substantial injury to consumers” which is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition.
The Commission in its decision concludes that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” and that LabMD’s disclosure of a file containing this information for 9,300 consumers caused substantial injury. In addition, the Commission finds that LabMD’s security practices were “likely to cause substantial injury,” as they led to the exposure of sensitive information to millions of online P2P users, and because complaint counsel proved that the likelihood and magnitude of potential harm were both high. Complaint counsel’s expert witnesses identified a range of harms such as medical identity theft that can often result from the unauthorized disclosure of the types of sensitive personal information maintained by LabMD on its computer network.
Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.
LabMD has 60 days after service of the Commission’s Opinion and Final Order to file a petition for review with a U.S. Court of Appeals.
The Commission vote to issue the opinion and order was 3-0.
In response to the opinion, LabMD CEO Michael Daugherty issued the following statement:
This is what I have long been waiting for. The last thing I am is surprised as I have danced with these devils for over 6 years now. The real story is in what the FTC is silent about. They have enabled felons, set up a shell company to funnel medical files (a felony), found no consumer harm, and mocked the Supreme Court’s Spokeo decision regarding the concrete requirement for actual harm. Only corrupt officials would throw this level of bureaucratic temper tantrum over my exercising my First Amendment rights. The FTC revels in their cruelty as they destroyed the medical facility of over 700,000 patients for their true lust: POWER; power not requiring due process, fair notice, or cybersecurity standards. Remember, they’re talking about 2007-2008.
Their own judge tossed all their evidence and now they waste taxpayer dollars to go to an Article III court relying on hearsay. I am so relieved to be away from their dirty, biased system and into an Article III court. Shame on every Commissioner. They have, without remorse, made a mockery of legal ethics, regulatory boundaries and HHS. Yet in their magical thinking they carry forward and I can’t wait. Villainy wears many masks, none more dangerous than the mask of virtue.