Contact Us

Contact Us


  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013

  • Areas & Topics

    Frquently Asked Questions

    Our Office Location

    Edelman, Combs, Latturner, & Goodwin, LLC

    20 South Clark Street
    Suite 1500
    Chicago, IL 60603
    Phone: 312-739-4200
    Fax: 312-419-0379

    E-mail Us  |  Chicago Law Office

    Edelman Combs Latturner Goodwin's facebook page   Edelman Combs Latturner Goodwin's Twitter Page   Edelman Combs Latturner Goodwin's Google Plus Page

    FTC order against LabMD

    Stating Company Failed to Protect Consumers’ Sensitive Medical and Personal Information

    The Federal Trade Commission today announced the issuance of an Opinion and Final Orderreversing an Administrative Law Judge (ALJ) Initial Decision that had dismissed FTC charges against medical testing laboratory LabMD, Inc. In reversing the ALJ ruling, the Commission concludes that LabMD’s data security practices were unreasonable and constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.

    The case concerns the alleged failure by Respondent LabMD, Inc., which operated as a clinical laboratory for physicians, to protect the sensitive personal information, including medical information, of consumers. Over the course of its operations between 2001 and 2014, LabMD collected sensitive personal information, including medical information, for over 750,000 patients.

    As explained in its unanimous opinion, written by Chairwoman Edith Ramirez, the Commission concludes that the ALJ applied the wrong legal standard for unfairness and finds that “LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”

    The Commission further finds in its opinion that “these failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users. LabMD then left it there, freely available, for 11 months, leading to the unauthorized disclosure of the information.”

    Section 5 of the FTC Act authorizes the Commission to challenge “unfair or deceptive” acts or practices in or affecting commerce. Section 5(n) provides that an act or practice may be deemed unfair if it “causes or is likely to cause substantial injury to consumers” which is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition.

    The Commission in its decision concludes that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n),” and that LabMD’s disclosure of a file containing this information for 9,300 consumers caused substantial injury.  In addition, the Commission finds that LabMD’s security practices were “likely to cause substantial injury,” as they led to the exposure of sensitive information to millions of online P2P users, and because complaint counsel proved that the likelihood and magnitude of potential harm were both high. Complaint counsel’s expert witnesses identified a range of harms such as medical identity theft that can often result from the unauthorized disclosure of the types of sensitive personal information maintained by LabMD on its computer network.

    Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.

    LabMD has 60 days after service of the Commission’s Opinion and Final Order to file a petition for review with a U.S. Court of Appeals.

    The Commission vote to issue the opinion and order was 3-0.