FTC: Medical lab’s lax security led to data leak
First Published Aug 29 2013 12:17 pm • Last Updated Aug 29 2013 12:53 pm

WASHINGTON • The Federal Trade Commission on Thursday accused a small Atlanta-based medical lab that specializes in cancer detection of not doing enough to protect its patients’ online records, resulting in the leak of Social Security numbers and birth dates of more than 9,000 consumers.

The complaint against LabMD describes what many consumers fear: being forced to hand over personal information to a doctor’s office or hospital, not knowing how that data is handled or who has access to it, only to become vulnerable to identity theft. The allegations also raise questions about the federal government’s push for the health care industry to swap paper for electronic records to save money when doing so relies on cybersecurity investments by private companies.

Reached by phone Thursday, LabMD founder Michael Daugherty said he objects to the allegations and plans to release a full statement later in the day.

Jessica Rich, director of the FTC’s bureau of consumer protection, said LabMD’s practices put consumers at serious risk of identity theft.

"The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users," she said in a statement.

More than half of doctors’ offices and 4 out of 5 hospitals have transitioned from paper to electronic medical records, according to the government. Moving to computerized records is the rare consensus issue in health care, enjoying support from across the political spectrum. Taxpayers have already contributed more than $14 billion to help speed the move through an incentive program that was part of the Obama administration’s economic stimulus package.

The hope was that going digital would make caring for patients safer and less costly by helping avoid medical mistakes and cutting down on duplicative tests. But concerns have also surfaced about patient privacy and vulnerability to fraud. And progress has been mixed in getting medical computers from different offices to talk to each other, the key to a seamlessly efficient system.

A pair of reports in 2011 by the Health and Human Services inspector general warned that the drive to connect hospitals and doctors electronically was being layered on top of a system that already has privacy problems. The administration said in response it would pursue stronger safeguards.

The formal complaint filed Thursday means that the allegations will be tried in a formal hearing before an administrative law judge. The FTC wants the judge to order LabMD to institute a comprehensive information security program with professional audits every two years for the next 20 years. The proposed order would also require LabMD to notify consumers whose information was compromised.

Daugherty has objected to these terms and has been fighting the FTC investigation for several years. He claims on his personal website that LabMD is a victim of theft by a cybersecurity firm that he says was trying to sell his company services. Daugherty says that when he refused, the stolen data was supplied to government regulators, who are using the leak to punish him as a small business owner and justify additional government regulation. Daugherty has written a book on the subject that he says will be published in September.

According to the FTC complaint, a LabMD spreadsheet with insurance billing data on more than 9,000 consumers was discovered on a public file-sharing network. The spreadsheet contained Social Security numbers, birth dates, insurance information and medical treatment codes. The FTC says California police later discovered that identity thieves had acquired personal data from at least 500 LabMD consumers.

In its complaint, the FTC said lax security controls at LabMD resulted in the leak of the spreadsheet. Regulators say the company did not maintain a "comprehensive data security program" or use "readily available measures" to identify common vulnerabilities. The company also did not adequately train employees or prevent unauthorized access, according to the FTC.

Copyright 2014 The Salt Lake Tribune. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
