WASHINGTON (Reuters) - The U.S. Federal Trade Commission said on Friday it had overruled an administrative judge’s dismissal of the commission’s data security case against cancer testing company LabMD.
In a statement, the FTC said its unanimous opinion, written by Chairwoman Edith Ramirez, concluded that the administrative judge had applied the wrong legal standard for unfairness.
“LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system,” Ramirez said.
In November, D. Michael Chappell, chief administrative law judge for the FTC, ruled that the agency failed to prove LabMD had harmed customers by mistakenly exposing a file of patient data on a filesharing network.
The agency had successfully brought such cases against dozens of companies, and the November ruling marked its first defeat.
The FTC alleged in 2013 that poor security practices at LabMD in 2008 had allowed a patient insurance file to spread through the Limewire peer-to-peer filesharing network, which was often used for downloading music.
Ramirez said in the opinion that LabMD had “failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
Medical and other sensitive information of 9,300 consumers was exposed on a peer-to-peer network accessible by millions of users, the opinion said. “LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information,” it added.