FTC overrules dismissal of data-security enforcement against LabMD

FTC logo

The Federal Trade Commission has announced it will overrule an administrative judge’s dismissal of the FTC’s data security enforcement case against Atlanta-based cancer screening laboratory LabMD, Reuters reports.

D. Michael Chappell, chief administrative law judge for the FTC, dismissed the case in November, stating the federal agency failed to prove that LabMD’s actions had harmed consumers. The FTC almost immediately filed an appeal of the judge’s ruling.

The commission, however, unanimously voted that the judge applied the wrong legal standard in the case, according to an announcement.

The FTC alleged that in 2008, LabMD exposed a file of patient data on the Limewire peer-to-peer file-sharing network. It said information on 9,300 consumers was left on the network for 11 months.

"LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system," Chairwoman Edith Ramirez wrote in the panel’s opinion.

It alleged that LabMD failed to use intrusion detection or another monitoring system and failed to train employees on data-security practices.

Ramirez pointed to Section 5 of the FTC Act, which authorizes the agency to challenge unfair or deceptive acts, and states that an act can be unfair if it “causes or is likely to cause substantial injury to consumers.”

The panel determined that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).”

Mike Daugherty, president and CEO of LabMD, maintains that the FTC has overstepped its authority in prosecuting cybersecurity cases and is taking a punitive stance rather than helping the healthcare industry improve. It can still petition the U.S. Court of Appeals for review of the case.

To learn more:
- read the article
- check out the announcement