BreachExchange mailing list archives

FTC: Medical lab's lax security led to data leak
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Fri, 30 Aug 2013 13:39:04 -0400

http://www.ktiv.com/story/23290647/ftc-medical-labs-lax-security-led-to-data-breach

WASHINGTON (AP) - The Federal Trade Commission on Thursday accused a
small Atlanta-based medical lab that specializes in cancer detection
of not doing enough to protect its patients' online records, resulting
in the leak of Social Security numbers and birth dates of more than
9,000 consumers.

The complaint against LabMD describes what many consumers fear: being
forced to hand over personal information to a doctor's office or
hospital, not knowing how that data is handled or who has access to
it, only to become vulnerable to identity theft. The allegations also
raise questions about the federal government's push for the health
care industry to swap paper for electronic records to save money when
doing so relies on cybersecurity investments by private companies.

In a statement, LabMD said the company "looks forward to vigorously
fighting against the FTC's overreach by seeking recourse through the
available legal processes."

Jessica Rich, director of the FTC's bureau of consumer protection,
said LabMD's practices put consumers at serious risk of identity
theft.

"The FTC is committed to ensuring that firms who collect that data use
reasonable and appropriate security measures to prevent it from
falling into the hands of identity thieves and other unauthorized
users," she said in a statement.

More than half of doctors' offices and 4 out of 5 hospitals have
transitioned from paper to electronic medical records, according to
the government. Moving to computerized records is the rare consensus
issue in health care, enjoying support from across the political
spectrum. Taxpayers have already contributed more than $14 billion to
help speed the move through an incentive program that was part of the
Obama administration's economic stimulus package.

The hope was that going digital would make caring for patients safer
and less costly by helping avoid medical mistakes and cutting down on
duplicative tests. But concerns have also surfaced about patient
privacy and vulnerability to fraud. And progress has been mixed in
getting medical computers from different offices to talk to each
other, the key to a seamlessly efficient system.

A pair of reports in 2011 by the Health and Human Services inspector
general warned that the drive to connect hospitals and doctors
electronically was being layered on top of a system that already has
privacy problems. The administration said in response it would pursue
stronger safeguards.

The complaint filed Thursday means that the allegations will be tried
in a formal hearing before an administrative law judge. The FTC wants
the judge to order LabMD to institute a comprehensive information
security program with professional audits every two years for the next
20 years. The proposed order also would require LabMD to notify
consumers whose information was compromised.

LabMD founder Michael Daugherty has objected to these terms and has
been fighting the FTC investigation for several years. He claims on
his personal website that LabMD is a victim of theft by a
cybersecurity firm that he says was trying to sell his company
services. Daugherty says that when he refused, the stolen data was
supplied to government regulators, who are using the leak to punish
him as a small business owner and justify additional government
regulation. Daugherty has written a book on the subject that he says
will be published in September.

The trade commission's "enforcement action against LabMD based, in
part, on the alleged actions of Internet trolls, is yet another
example of the FTC's pattern of abusing its authority to engage in an
ongoing witch hunt against private businesses," LabMD said in its
statement.

According to the FTC complaint, a LabMD spreadsheet with insurance
billing data on more than 9,000 consumers was discovered on a public
file-sharing network. The spreadsheet contained Social Security
numbers, birth dates, insurance information and medical treatment
codes. The FTC says California police later discovered that identity
thieves had acquired personal data from at least 500 LabMD consumers.

In its complaint, the FTC said lax security controls at LabMD resulted
in the leak of the spreadsheet. Regulators say the company did not
maintain a "comprehensive data security program" or use "readily
available measures" to identify common vulnerabilities. The company
also did not adequately train employees or prevent unauthorized
access, according to the FTC.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss