FTC Files Complaint Against Medical Testing Lab for Exposing Consumers' Personal Data

On August 29, 2013, the FTC announced that it had filed a complaint against LabMD, Inc. (“LabMD”) for failing to protect consumers’ personal data. According to the complaint, LabMD, which performs various laboratory tests for consumers, exposed the personal information of more than 9,000 consumers on a peer-to-peer (“P2P”) file-sharing network. Specifically, a LabMD spreadsheet that was found on the P2P network contained names, Social Security numbers, dates of birth, health insurance information and medical treatment codes. In another instance, identity thieves were able to obtain LabMD documents that contained the personal information of more than 500 consumers, including names, Social Security numbers and bank account information.

The FTC’s complaint alleges that LabMD:

  • failed to develop a comprehensive information security program;
  • neglected to identify common risks and vulnerabilities to the personal information;
  • didn’t utilize appropriate measures to limit access to personal information by its employees;
  • failed to conduct adequate security training for its employees; and
  • made insufficient attempts to prevent and detect unauthorized access to personal information.

In the press release accompanying the complaint, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, stressed the FTC’s commitment “to ensuring that firms who collect [personal] data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.” Although the complaint has not been published (LabMD has claimed that it may contain confidential business information), it purportedly orders LabMD to develop and maintain a comprehensive information security program that will be evaluated on a biennial basis by a third-party certified security professional for the next 20 years. The complaint also requires LabMD to notify any consumers whose personal information was exposed to unauthorized individuals.

Read the FTC Business Center Blog post on the LabMD complaint.
