FTC: Medical lab's lax security led to data leak
WASHINGTON • The Federal Trade Commission on Thursday accused a small Atlanta-based medical lab that specializes in cancer detection of not doing enough to protect its patients' online records, resulting in the leak of Social Security numbers and birth dates of more than 9,000 consumers.
The complaint against LabMD describes what many consumers fear: being forced to hand over personal information to a doctor's office or hospital, not knowing how that data is handled or who has access to it, only to become vulnerable to identity theft. The allegations also raise questions about the federal government's push for the health care industry to swap paper for electronic records to save money when doing so relies on cybersecurity investments by private companies.
Reached by phone Thursday, LabMD founder Michael Daugherty said he objects to the allegations and plans to release a full statement later in the day.
Jessica Rich, director of the FTC's bureau of consumer protection, said LabMD's practices put consumers at serious risk of identity theft.
"The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users," she said in a statement.
More than half of doctors' offices and 4 out of 5 hospitals have transitioned from paper to electronic medical records, according to the government. Moving to computerized records is the rare consensus issue in health care, enjoying support from across the political spectrum. Taxpayers have already contributed more than $14 billion to help speed the move through an incentive program that was part of the Obama administration's economic stimulus package.
The hope was that going digital would make caring for patients safer and less costly by helping avoid medical mistakes and cutting down on duplicative tests. But concerns have also surfaced about patient privacy and vulnerability to fraud. And progress has been mixed in getting medical computers from different offices to talk to each other, the key to a seamlessly efficient system.
A pair of reports in 2011 by the Health and Human Services inspector general warned that the drive to connect hospitals and doctors electronically was being layered on top of a system that already has privacy problems. The administration said in response it would pursue stronger safeguards.
The formal complaint filed Thursday means that the allegations will be tried in a formal hearing before an administrative law judge. The FTC wants the judge to order LabMD to institute a comprehensive information security program with professional audits every two years for the next 20 years. The proposed order would also require LabMD to notify consumers whose information was compromised.
Daugherty has objected to these terms and has been fighting the FTC investigation for several years. He claims on his personal website that LabMD is a victim of theft by a cybersecurity firm that he says was trying to sell his company services. Daugherty says that when he refused, the stolen data was supplied to government regulators, who are using the leak to punish him as a small business owner and justify additional government regulation. Daugherty has written a book on the subject that he says will be published in September.
According to the FTC complaint, a LabMD spreadsheet with insurance billing data on more than 9,000 consumers was discovered on a public file-sharing network. The spreadsheet contained Social Security numbers, birth dates, insurance information and medical treatment codes. The FTC says California police later discovered that identity thieves had acquired personal data from at least 500 LabMD consumers.
In its complaint, the FTC said lax security controls at LabMD resulted in the leak of the spreadsheet. Regulators say the company did not maintain a "comprehensive data security program" or use "readily available measures" to identify common vulnerabilities. The company also did not adequately train employees or prevent unauthorized access, according to the FTC.