WASHINGTON (Legal Newsline) — The Federal Trade Commission
(FTC) has announced an opinion and final order reversing an Administrative Law
Judge (ALJ) initial decision that dismissed FTC charges against LabMD Inc. The
reversal means LabMD’s data security practices were allegedly
unreasonable and constitute an unfair act violating the FTC Act.
The company had purportedly failed to protect the sensitive
personal information of consumers. The FTC charged that, between 2001 and 2014,
LabMD collected medical information for more than 750,000 patients and did not
keep the information safe – applying unreasonable practices that lacked even basic
precautions to protect consumer information.
“Among other things, it failed to use an intrusion detection
system or file integrity monitoring; neglected to monitor traffic coming across
its firewalls; provided essentially no data security training to its employees;
and never deleted any of the consumer data it had collected,” chairwoman Edith
Ramirez wrote in the FTC’s unanimous opinion.
The FTC concluded the company’s failures meant millions of users could access
the sensitive information of 9,300 consumers on a peer-to-peer network.
“LabMD then left it there, freely available, for 11 months,
leading to the unauthorized disclosure of the information,” the FTC said.