DataBreaches.Net


FTC reverses ALJ in LabMD case, finds for itself

Posted on July 29, 2016 by Dissent

From the no-surprise dept., this press release on an opinion by the FTC finding totally in their own favor:

Commission Finds LabMD Liable for Unfair Data Security Practices
Stating Company Failed to Protect Consumers’ Sensitive Medical and Personal Information

The Federal Trade Commission today announced the issuance of an Opinion and Final Order reversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges against medical testing laboratory LabMD, Inc. In reversing the ALJ ruling, the Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.

The case concerns the alleged failure by Respondent LabMD, Inc., which operated as a clinical laboratory for physicians, to protect the sensitive personal information, including medical information, of consumers. Over the course of its operations between 2001 and 2014, LabMD collected sensitive personal information, including medical information, for over 750,000 patients.

As explained in its unanimous opinion, written by Chairwoman Edith Ramirez, the Commission concludes that the ALJ applied the wrong legal standard for unfairness and finds that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”

The Commission further finds in its opinion that “these failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.”

Section 5 of the FTC Act authorizes the Commission to challenge “unfair or deceptive” acts or practices in or affecting commerce. Section 5(n) provides that an act or practice may be deemed unfair if it “causes or is likely to cause substantial injury to consumers” which is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition.

The Commission in its decision concludes that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” and that LabMD’s disclosure of a file containing this information for 9,300 consumers caused substantial injury. In addition, the Commission finds that LabMD’s security practices were “likely to cause substantial injury,” as they led to the exposure of sensitive information to millions of online P2P users, and because complaint counsel proved that the likelihood and magnitude of potential harm were both high. Complaint counsel’s expert witnesses identified a range of harms such as medical identity theft that can often result from the unauthorized disclosure of the types of sensitive personal information maintained by LabMD on its computer network.

Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.

LabMD has 60 days after service of the Commission’s Opinion and Final Order to file a petition for review with a U.S. Court of Appeals.

The Commission vote to issue the opinion and order was 3-0.

 

In response to the opinion, LabMD CEO Michael Daugherty issued the following statement:

This is what I have long been waiting for. The last thing I am is surprised as I have danced with these devils for over 6 years now. The real story is in what the FTC is silent about. They have enabled felons, set up a shell company to funnel medical files (a felony), found no consumer harm, and mocked the Supreme Court’s Spokeo decision regarding the concrete requirement for actual harm. Only corrupt officials would throw this level of bureaucratic temper tantrum over my exercising my First Amendment rights. The FTC revels in their cruelty as they destroyed the medical facility of over 700,000 patients for their true lust: POWER; power not requiring due process, fair notice, or cybersecurity standards. Remember, they’re talking about 2007-2008.

Their own judge tossed all their evidence and now they waste taxpayer dollars to go to an Article III court relying on hearsay. I am so relieved to be away from their dirty, biased system and into an Article III court. Shame on every Commissioner. They have, without remorse, made a mockery of legal ethics, regulatory boundaries and HHS. Yet in their magical thinking they carry forward and I can’t wait. Villainy wears many masks, none more dangerous than the mask of virtue.

Category: Health Data, Of Note, U.S.
