As part of our National Cyber Security Awareness Month (NCSAM) activities, bTrade’s MFT Nation blog will post a series of what we call “case studies of what not-to-do” in the world of data security. We offer these data security case studies in hopes they can serve as a preventative, of sorts. In our experience, there are few things more fundamental to successful data security practices than learning from what others did poorly, and then taking steps to ensure that you don’t go down the same path. Through documents filed in public cases/proceedings, we have the unique ability to examine how others drew scrutiny from regulators, and hopefully learn from these mistakes.
So let’s take a look at our first case study involving a company named LabMD. The material recited below comes from documents filed in court cases and related administrative law proceedings.
LabMD conducts clinical laboratory tests on urological specimen samples from consumers and reports test results to physicians. In the course of its business, LabMD collected and retained the most personal of all personally identifiable information (“PII”) for over 750,000 consumers, including Social Security numbers, bank account and credit/debit card account numbers, and “sensitive health information, such as health testing codes that can reveal the consumer was tested for sexually transmitted diseases.”
Under circumstances that remain hotly disputed by the parties, the Federal Trade Commission (FTC) learned about the possible breach involving patient information and began an investigation into LabMD’s data security practices. The investigation persisted for three years before the FTC filed an administrative complaint against the company. The administrative proceeding is nearing completion because the parties have filed post-trial briefs and related documents.
Healthcare Clients Beware: You May Well Be Obligated To Ensure Your Data Security Practices Comply with Both HIPAA and the FTC Act
LabMD asked that the proceeding be dismissed contending that HIPAA preempts the FTC Act. The Commission rejected this argument because HIPAA and the FTC Act do not conflict and are, in fact, “largely consistent.” Those MFT Nation readers in the healthcare industry should pay special attention to this, especially those involved in compliance, because the Commission found that:
nothing in the FTC Act compels LabMD to engage in practices forbidden by HIPAA, or vice versa. It is not unusual for a party’s conduct to be governed by more than one statute at the same time, as “‘we live in an age of overlapping and concurrent regulatory jurisdiction.’” LabMD and other companies may well be obligated to ensure their data security practices comply with both HIPAA and the FTC Act. But so long as the requirements of those statutes do not conflict with one another, a party cannot plausibly assert that, because it complies with one of these laws, it is free to violate the other.
FTC Alleges the Existence of “Multiple and Systemic” Data Security Failures
In a post-trial brief exceeding 100 pages, the FTC claims that it introduced at trial a “comprehensive mountain of evidence” that proves “multiple and systemic” data security failures for a business “holding a vast amount of sensitive data.” We will spare you from a discourse on all the details contained in the 100+ pages. Instead, we want to share the following key areas where the FTC finds fault with LabMD’s data security practices:
- LabMD did not patch and update operating systems and other programs. For example, in 2006 some LabMD servers were running Windows NT 4.0, an out-of-date, unsupported version of the operating system.
- LabMD gave many, if not most, employees administrative rights over their computers, so they had the ability to change security settings on the computers and download programs and files to the computers, including an unauthorized file sharing application that was installed on the computer used by LabMD’s billing manager, and through which certain PII was compromised. Further, LabMD maintained files containing highly sensitive PII on employee desktop computers, and employee desktops were connected to the internal network where PII was stored, which makes such PII vulnerable because an employee may inadvertently expose sensitive information to malicious software, unauthorized software, unauthorized individuals, unauthorized changes, and other threats. In addition, some employees could remotely access their computers on the network, including PII on the network, using their home computer and LabMD had no security requirements for the home computers used to access its network.
- LabMD did not provide its employees with tools or training to encrypt sensitive information in emails. As a result, between 2004 and at least October 2006, an IT employee transmitted sensitive consumer information from LabMD’s network to the private AOL email account of LabMD’s owner and CEO without encrypting the information.
- LabMD did not require employees to use unique, hard-to-guess passwords. For example, one employee used the password “labmd” from 2006 to 2013; passwords used by physician-clients’ offices often included the users’ initials, the username and password could be the same, and many users shared passwords; worst of all, LabMD’s employees set the FTP program up so that anyone could log in anonymously, that is, without using any password at all.
- LabMD had no policy addressing encryption of sensitive information it received and generated, and it did not implement file integrity monitoring. LabMD compounded the risk by mandating policies directing a manager to perform daily back-ups of sensitive billing information about thousands of consumers onto a workstation computer with unfettered internet access and other employees to store business documents on their computers.
- LabMD kept far more information than it needed, including the PII of more than 100,000 consumers for whom it never performed testing. LabMD failed to regularly purge the PII even though it is a regular practice of IT practitioners.
- LabMD did not properly configure its firewall to block IP addresses and unnecessary ports.
- LabMD did not deactivate the login access of former clients, and one employee’s credentials remained valid a year after she left LabMD.
- LabMD IT employees used low-quality products without full functionality, LabMD had no established IT budget, and LabMD IT employees had no discretion to purchase IT equipment, applications, or training.
- As part of its investigation into one of its internal documents on the file sharing site, LabMD removed the hard drive from the billing computer and allowed it to be destroyed by an outside security firm, which according to the FTC, “contravenes the first rule of forensic research – work with a copy of the drive and keep the original safe.” I’m sure this didn’t sit well with FTC regulators, as it smacks of cover-up rather than cooperation.
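Several of the findings above (passwords equal to the username or the company name, passwords built from initials, anonymous FTP logins, and credentials left valid after an employee or client departed) are the kind of thing a small script can check for. The following is an added example written for this post, not code from LabMD, the FTC, or bTrade. The account records, dates and config text are constructed, and the FTP check assumes a vsftpd-style key=value configuration (the filings quoted here do not say which FTP program LabMD used).

```python
import datetime as dt

# Constructed for this example: organization names that should never be used as a password.
ORG_NAMES = {"labmd"}


def password_findings(username, password, initials=None, org_names=ORG_NAMES, min_length=12):
    """Return policy violations for a candidate password.

    Each check mirrors one weakness from the findings: password identical to the
    username, the company name used as a password, passwords built from the
    user's initials, and passwords too short to resist guessing.
    """
    findings = []
    p = password.lower()
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if p == username.lower():
        findings.append("identical to the username")
    if p in {n.lower() for n in org_names}:
        findings.append("is the organization name")
    if initials and len(initials) >= 2 and initials.lower() in p:
        findings.append("contains the user's initials")
    return findings


def anonymous_ftp_enabled(config_text):
    """Parse a vsftpd-style config and report whether anonymous logins are on.

    vsftpd's documented default for anonymous_enable is YES, so a config that
    never mentions the directive is treated as allowing anonymous logins.
    """
    enabled = True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "anonymous_enable":
            enabled = value.strip().lower() in {"yes", "true", "1"}
    return enabled


def stale_accounts(accounts, today, max_idle_days=90):
    """Return (username, reason) pairs for access that should have been removed:
    accounts of people who have left, and accounts idle beyond the threshold."""
    stale = []
    for acct in accounts:
        left = acct.get("terminated_on")
        if left is not None and left <= today:
            stale.append((acct["username"], f"user left on {left.isoformat()}"))
            continue
        idle = (today - acct["last_login"]).days
        if idle > max_idle_days:
            stale.append((acct["username"], f"idle for {idle} days"))
    return stale


# Constructed sample accounts (not real LabMD data).
SAMPLE_ACCOUNTS = [
    {"username": "billing1", "last_login": dt.date(2013, 5, 30)},
    {"username": "former_emp", "last_login": dt.date(2012, 6, 1),
     "terminated_on": dt.date(2012, 5, 31)},
    {"username": "clinic_a", "last_login": dt.date(2012, 12, 1)},
]


def audit_sample(today=dt.date(2013, 6, 1)):
    """Run all three checks over the constructed sample data and return the results."""
    return {
        "weak_password": password_findings("jdoe", "labmd", initials="JD"),
        "anonymous_ftp": anonymous_ftp_enabled("anonymous_enable=YES\nlocal_enable=YES\n"),
        "stale": stale_accounts(SAMPLE_ACCOUNTS, today),
    }


if __name__ == "__main__":
    for name, result in audit_sample().items():
        print(f"{name}: {result}")
```

The stale-account check is the one that catches the year-old credential of a departed employee; run it against an export of the account directory rather than trusting that offboarding tickets were closed, and treat any account with a termination date as a finding regardless of how recently it was used.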
Except for destroying the hard drive from the billing computer, LabMD’s data security flaws as alleged by the FTC are all too common. But the good news for LabMD is that all can be easily avoided/prevented. MFT Nation has written extensively about the inherent dangers associated with running out-of-date software, and our message to LabMD would be the same as we’ve delivered in the past: don’t be penny wise and pound foolish. LabMD would also benefit from investing in a managed file transfer software solution. For example, bTrade’s TDXchange contains easy-to-use features that would allow LabMD to authenticate users, restrict user access to information based on need, purge and archive data, assess risk associated with the movement of its data, encrypt information while stored and in transit, log access to information and system components, ensure system and information integrity, and protect network gateways.
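One of the FTC's findings was that LabMD implemented no file integrity monitoring, which is how an unauthorized file sharing application appearing on a billing workstation would normally be noticed. The following is an added example written for this post, not code from bTrade's TDXchange or any other product. It builds a SHA-256 baseline of a directory, rescans it later, and reports files that were added, removed, or changed; the directory contents in the demo are constructed.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative, '/'-separated path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines and return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def scan(root, baseline):
    """Rescan root and report deviations from the stored baseline."""
    return compare(baseline, build_baseline(root))


def demo():
    """Constructed scenario: baseline a workstation directory, then simulate
    a config change, a deleted backup and a dropped-in file sharing client."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "billing"))
        backup = os.path.join(root, "billing", "daily_backup.csv")
        config = os.path.join(root, "ftp.conf")
        with open(backup, "w") as f:
            f.write("constructed sample record\n")
        with open(config, "w") as f:
            f.write("anonymous_enable=NO\n")

        baseline = build_baseline(root)
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(baseline, baseline_path)

        # Simulated changes after the baseline was taken.
        with open(config, "w") as f:
            f.write("anonymous_enable=YES\n")
        os.remove(backup)
        with open(os.path.join(root, "billing", "p2p_client.exe"), "wb") as f:
            f.write(b"constructed placeholder bytes")
        os.remove(baseline_path)  # keep the baseline file itself out of the diff

        return scan(root, load_baseline_from_dict(baseline))


def load_baseline_from_dict(baseline):
    """Round-trip through JSON the way a stored baseline would be read back."""
    return json.loads(json.dumps(baseline))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline must be stored somewhere the monitored host cannot write to (otherwise whoever changes the files can also rewrite the manifest), and the report above needs to feed an alerting path, since a deviation nobody reads is no better than no monitoring at all.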
Contact bTrade for Assistance
To learn more about the aforementioned case study, as well as the steps you can take to avoid going down the same path, send a confidential email to me or our other data security experts at firstname.lastname@example.org.