FTC v LabMD: Case Dismissed After Challenge: Appeal Lodged

In August 2013, the Federal Trade Commission filed a lawsuit against LabMD over a 2008 data breach. The FTC v LabMD case was recently dismissed due to insufficient evidence that breach victims faced a substantial risk of coming to harm as a result of the exposure of their personal data.

The lawsuit was filed in response to the exposure of approximately 9,000 consumer records in 2008. A spreadsheet containing customer billing information and personally identifiable information was found on a peer-to-peer file sharing website. The file was discovered by security company Tiversa.

Tiversa contacted LabMD and alerted the company to the data breach. Remediation services were offered to deal with the breach, although the offer was declined. In response, Tiversa alerted the FTC.

Chief Administrative Judge Dismisses FTC v LabMD Data Breach Lawsuit

The FTC v LabMD case decision came on November 13, 2015. Chief administrative judge Michael Chappell ruled that while there was no doubt that Protected Health Information (PHI) was exposed and breach victims potentially faced an elevated risk of coming to harm as a result of the data breach, the FTC had “failed to prove its case.” The FTC was required to present evidence that breach victims faced a considerable risk of coming to harm as a result of the exposure of their PHI. In the absence of any fraudulent use of PHI, it was not possible to prove that patients were actually exposed to an elevated risk of suffering fraud or financial losses.

FTC v LabMD – The First Time an FTC Complaint has been Challenged and Won

The FTC v LabMD case can be seen as a victory for the plaintiff, albeit a somewhat hollow one. This is the first time that an FTC data breach complaint for alleged unreasonable practices has been challenged and won by the plaintiff. All other challenges have been ruled in favor of the Federal Trade Commission.

Unfortunately, the 2008 security breach was followed by a second data breach in 2012. When the case was filed, the company decided to mount a challenge and the cost of legal action forced LabMD into insolvency. The FTC may have lost, but LabMD did not exactly win. The successful challenge may, however, convince other companies to challenge future FTC lawsuits.

While the FTC v LabMD case was dismissed, this does not signal the end of the legal dispute. The Federal Trade Commission is permitted to challenge the administrative court decision. After a few days of deliberation, the FTC made the decision to do just that. The FTC v LabMD case will now proceed to federal court to be decided.

FTC Files Notice of Appeal

All of the evidence has already been heard by an administrative judge and the case was ruled in favor of LabMD. However, the FTC was unhappy with the decision and the case will now proceed to the federal courts. The FTC will now attempt to convince a federal judge that breach victims face a substantial risk of harm as a result of the exposure of their personal data.

While the same evidence will be presented, there is a possibility that during the time between the end of the first case and the start of the federal court case, criminals may have defrauded some of the breach victims. Should that prove to be the case, the result may be different.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news