The Federal Trade Commission last week filed a complaint against an Atlanta-based medical testing laboratory for its mishandling of patient information for roughly 10,000 individuals in two separate incidents.
In the first incident, billing information for more than 9,000 consumers was found on a peer-to-peer file-sharing network, according to the complaint. The information--which included names, Social Security numbers, dates of birth, health insurance provider information and medical treatment codes--had been stored on a spreadsheet.
LabMD, according to Ars Technica, said the spreadsheet had been illegally downloaded from its computers in 2008.
In the second incident, personal information for "at least 500" individuals was found in the hands of identity thieves last year by the Sacramento, Calif. Police Department, according to the FTC.
LabMD, in a statement sent to Ars Technica, referred to the FTC's actions as an "abuse of authority" and a "witch hunt against private businesses." The company added that the FTC's actions were based partially on "the alleged actions of Internet trolls."
"The FTC has repeatedly overstepped its statutory authority under Section 5 of the Federal Trade Commission Act and the FTC does not have the authority to bring this enforcement action," LabMD said.
In a proposed order included with its complaint, the FTC called on LabMD to implement a "comprehensive" security program, to be independently evaluated every two years for the next two decades. The FTC also wants the company to notify any consumers who may have been impacted by the breach.
"The unauthorized exposure of consumers' personal data puts them at risk," Jessica Rich, director of the FTC's Bureau of Consumer Protection, said in a statement. "The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users."