Skip to main content

FTC Complaint: Medical Testing Lab Exposed Personal Data of Thousands Over Peer-to-Peer Network

Written by Amy Malone

Just before the Labor Day holiday, the Federal Trade Commission issued a press release announcing its complaint against LabMD, Inc., a company that performs medical testing for consumers around the country.  The complaint alleges that the company did not take reasonable measures to protect the security of consumers’ personal data.   The Commission charges that by not taking such reasonable measures two incidents occurred which resulted in the exposure of personal information, including Social Security numbers and medical information.

The first incident described in the complaint is that the company’s billing information for over 9,000 customers was found on a peer-to-peer (P2P) network (for more information on P2P networks and risks, see our client alert here).  P2P software allows companies to easily share information with other users, but there is also the inherent risk that the information will be unintentionally shared.  The information disclosed in this incident included Social Security numbers, dates of birth, health insurance provider information, and standardized medical treatment codes.

The second incident includes the disclosure of names, Social Security numbers and bank account information of some 500 consumers to identity thieves.  The Commission alleges that the Sacramento, California Police department found LabMD documents in the possession of identity thieves.

The Commission alleges that, among other things, the company:

  • did not implement or maintain a comprehensive data security program to protect information;
  • did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
  • did not use adequate measures to prevent employees from assessing personal information not needed to perform their jobs;
  • did not adequately train employees on basic security practices; and
  • did not use readily available measures to prevent and detect unauthorized access to personal information.

LabMD asserts that the documents related to this complaint contain confidential information, so the Commission’s complaint will not be made public until the claims are resolved.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.