August 1, 2016

FTC Reinstates Data Breach Action Against LabMD, Orders Remedial Measures

The commissioners of the Federal Trade Commission (FTC), the lead agency in enforcement of consumer privacy and data security, revived a data security action against LabMD, a medical testing company that had been accused of leaving customers' names, Social Security numbers, dates of birth, and personal health insurance information exposed on publicly accessible peer-to-peer (P2P) file sharing networks. This decision is likely to further expand the potential liability for maintaining lax data security protocols, particularly with regard to health or medical information.

As we reported earlier this year (Cyber Security Update - Recent Developments and Expectations for 2016, Cyber Security Update - The FTC and Class Actions), the case against LabMD had previously been dismissed by an administrative law judge (ALJ) who held that, after several years without the occurrence of any identifiable harm traceable to the security incident, the FTC could not sustain its burden to prove LabMD's data practices "caused or were likely to cause substantial injury" to consumers (which is the key to the FTC's ability to exercise its jurisdiction).

However, on July 29, 2016, the FTC heads rebuffed that conclusion and vacated the ALJ's decision, holding that the ALJ applied the wrong legal standard for "unfairness" under Section 5 of the FTC Act, and that, by exposing the medical information of 9,300 consumers to millions of P2P users, LabMD had "caused and were likely to cause substantial injury that was not avoidable by consumers or outweighed by countervailing benefits." According to the factual findings, the consumer data had been "freely available" for more than 11 months.

The commissioners went so far as to say the "unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury," but stressed also that "given the absence of notification by LabMD, a lack of evidence regarding particular consumer injury tells us little about whether LabMD's security practices caused or were likely to cause substantial consumer injury. … We need not wait for consumers to suffer known harm at the hands of identity thieves."

The commissioners found LabMD's data security practices to be "unreasonable," citing that LabMD had failed:

  • To employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software, or penetration testing;
  • To monitor traffic coming across its firewalls;
  • To provide its employees with data security training; and
  • To adequately limit or monitor employees' access to patients' sensitive information or restrict employee downloads to safeguard the network.

In accordance with those conclusions, the FTC commissioner ordered LabMD to notify affected individuals, establish a comprehensive information security program, and obtain assessments regarding its implementation of the program.

It is unlikely that this will be the end of the dispute, as LabMD will likely seek court review of the FTC's decision. The issue of what constitutes an "injury" to an individual whose protected private/health information has been compromised as part of a data breach or inadvertent disclosure remains a hotly contested battleground in many legal arenas in addition to the FTC, including, most prominently, the consumer class action field.

If you have any questions about your organization's data security or breach response program, contact Nicholas J. DiCesare at 716-566-1524 or any of the Barclay Damon attorneys with whom you normally work.
