FTC Complaint Leads Breach RoundupLab Accused of Failing to Protect Patient Information
In this week's breach roundup, the Federal Trade Commission has filed a complaint against LabMD Inc., alleging that the Atlanta-based medical testing laboratory failed to protect personal information for about 10,000 consumers. Also, the number of individuals affected by a Department of Energy breach first reported in late August is larger than originally suspected.
See Also: The Global State of Online Digital Trust
Lab Cited in FTC Complaint
The Federal Trade Commission has filed a complaint against LabMD Inc., alleging that the Atlanta-based medical testing laboratory failed to protect personal information for about 10,000 consumers.
The FTC alleges that LabMD billing information for more than 9,000 consumers contained in a spreadsheet was found on a peer-to-peer file-sharing network. That incident occurred in 2008, before the HIPAA breach notification rule went into effect, according to an FTC spokesperson. Compromised information includes names, Social Security numbers, dates of birth, health insurance information and medical treatment codes.
The complaint also alleges that in 2012, LabMD documents containing sensitive information about at least 500 consumers was found in the hands of identity thieves. That information included names, Social Security numbers, and, in some cases, bank account information.
The FTC describes a proposed order that would require LabMD to implement a comprehensive information security program and have it evaluated every two years by an independent security professional over a period of 20 years.
The allegations established in the complaint will be tried during a formal hearing before an administrate law judge.
The FTC and the Department of Health and Human Services can both get involved with investigations of health data breaches, an FTC spokesperson explained. In general, FTC "has broad authority related to remediation" in data security, the spokesperson said.
Dept. of Energy Breach Affects 53,000
The number of individuals affected by a Department of Energy breach first reported in late August is larger than originally suspected.
The department now confirms that the breach, first reported to have impacted 14,000 current and former agency employees, actually affected 53,000 [see: Dept. of Energy Hit by Hackers].
Names, Social Security numbers and dates of birth for current and past federal employees, including dependents and contractors, were compromised in the incident, the department said.
"Based on the findings of the department's ongoing investigation into this incident, we do believe PII theft may have been the primary purpose of the attack," the statement said.
Affected individuals are being offered assistance on steps to take to protect themselves against potential fraud or identity theft.
DoE says it's cybersecurity office, the Office of Health, Safety and Security and the inspector general's office are working with federal law enforcement to investigate the breach. "Once the full nature and extent of this incident is known, the department will implement a full remediation plan," the DoE statement says.
UK Breach Leads to Fine
The UK Information Commissioner's Office has fined the Aberdeen City Council, located in Northeast Scotland, Â£100,000 as a result of sensitive personal information relating to social services being published online.
A council employee accessed documents from a home computer, and a file transfer program installed on the machine automatically uploaded the documents to a website, posting sensitive information about several vulnerable children and their families, including details of alleged criminal offenses, the ICO reports.
The files were uploaded in November 2011 and remained online until February 2012, the ICO said.
In its investigation, the ICO found that the council had no policy for employees working from home, and didn't have sufficient measures in place to restrict downloading sensitive information from the council's network.
View the monetary penalty notice.
Missing Laptop Contained Patient Info
UT Physicians, the medical group practice of The University of Texas Health Science Center at Houston Medical School, is notifying 600 patients about a missing unencrypted laptop.
The laptop was discovered missing on Aug. 2 from a locked closet in a UT Physicians orthopedic clinic, according to a statement. The device was attached to an electromyography machine and included hand and arm image data from February 2010 through July 2013. Patient information on the laptop includes names, birth dates and medical record numbers, UT Physicians said.