The Federal Trade Commission recently filed a complaint against the Atlanta-based medical testing laboratory LabMD, claiming that the company failed to protect consumers' personal data, including their medical information.
According to the complaint, a LabMD spreadsheet containing 9,000 consumers' names, Social Security numbers, birthdates, health insurance information and medical treatment codes was found on a P2P file-sharing network.
In a separate incident, the Sacramento Police Department in California found LabMD documents containing at least 500 consumers' names, Social Security numbers and, in some instances, bank account information in the possession of identity thieves.
Among other things, the complaint alleges that LabMD "did not implement or maintain a comprehensive data security program to protect this information; did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information; did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs; did not adequately train employees on basic security practices; and did not use readily available measures to prevent and detect unauthorized access to personal information."
The complaint proposes that LabMD be required to implement a comprehensive information security program and have that program evaluated every two years by an independent, certified security professional for the next 20 years.
"The unauthorized exposure of consumers' personal data puts them at risk," Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said in a statement. "The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users."