A medical testing laboratory called LabMD has been accused of exposing the personal information of about 10,000 customers on a peer-to-peer file sharing network.

The company has been fighting the claims, saying a security firm that uncovered the breach victimized LabMD by downloading a large spreadsheet containing sensitive customer information.

The US Federal Trade Commission today said it filed a complaint which "alleges that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves."

The lab is based in Atlanta but performs medical tests for consumers nationwide.

Police in Sacramento, CA, found in 2012 that identity thieves had possession of LabMD documents containing names, Social Security numbers, and bank account information for at least 500 people. "[A] number of these Social Security numbers are being or have been used by more than one person with different names, which may be an indicator of identity theft," the FTC said. The complaint also alleges that "a LabMD spreadsheet containing insurance billing information was found on a P2P network," the FTC said. "The spreadsheet contained sensitive personal information for more than 9,000 consumers, including names, Social Security numbers, dates of birth, health insurance provider information, and standardized medical treatment codes."

LabMD allegedly failed to take proper precautions when handling sensitive data. The FTC said LabMD "did not implement or maintain a comprehensive data security program to protect this information; did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information; did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs; did not adequately train employees on basic security practices; and did not use readily available measures to prevent and detect unauthorized access to personal information."

Although identity thieves got hold of financial details for more than 500 people, LabMD's troubles go back to an earlier incident in May 2008, when Tiversa, a security company that searches peer-to-peer networks, came across the 1,718-page spreadsheet of health insurance billing information, according to a story last year by the Atlanta Business Chronicle.

The newspaper paraphrased an FTC official as saying the commission was "trying to investigate LabMD but the company has been unwilling to provide oral testimony and other documents." LabMD CEO Michael Daugherty claimed the FTC is "on a fishing expedition" and "beating up small business."

The FTC denied a petition by LabMD to quash the civil investigative demands made by the agency. LabMD had claimed it's the victim in this case, saying the spreadsheet "was illegally downloaded from LabMD's computers in 2008." The spreadsheet is referred to as the "1,718 File" in legal documents.

LabMD filed suit against Tiversa, alleging violations of the US Computer Fraud and Abuse Act and the Georgia Computer Systems Protection Act. LabMD said the security firm refused to destroy its copies of the spreadsheet and tried to get LabMD to "purchase its security services in order to 'remediate' any issues" involving the spreadsheet. "Tiversa ... was and is running an extortionist scheme whereby it uses its government-funded technology to penetrate computer networks, download confidential files, and then sell the files back to the owners under the guise of providing network security," LabMD claimed in its petition to the FTC.

Tiversa had teamed up with Dartmouth College to search peer-to-peer networks for files related to health care firms. It appears to have been standard white hat hacking for the purposes of identifying security problems before criminals do.

LabMD's lawsuit was thrown out because of a lack of jurisdiction, due to Tiversa not conducting business in Georgia. According to a US District Court ruling, the spreadsheet "was created and stored on a LabMD computer. ... Defendants accessed LabMD's computers and networks, which must have been connected to the peer-to-peer network, and downloaded the 1,718 File."

In its unsuccessful petition to the FTC, LabMD said that Tiversa testified before Congress in 2009 that it "deployed newly developed P2P search technology that allowed it to penetrate even 'the most technologically advanced' computer despite the presence of 'firewalls and encryption.' It was with this technology ... that Tiversa and Dartmouth downloaded the 1,718 File."

Although the FTC described the complaint in a press release today, it did not release the document in full. "Because LabMD has, in the course of the Commission’s investigation, broadly asserted that documents provided to the Commission contain confidential business information, the Commission is not publicly releasing its complaint until the process for resolving any claims of confidentiality is completed and items in the complaint deemed confidential, if any, are redacted," the FTC said.

LabMD, which describes itself as a "cancer detection facility that specializes in analysis and diagnosis of blood, urine, and tissue specimens for cancers, micro-organisms and tumor markers," did not take kindly to the FTC's latest action.

"The Federal Trade Commission's enforcement action against LabMD based, in part, on the alleged actions of Internet trolls, is yet another example of the FTC's pattern of abusing its authority to engage in an ongoing witch hunt against private businesses," LabMD said in a statement sent to Ars. "The allegations in the FTC's complaint are just that: allegations. LabMD looks forward to vigorously fighting against the FTC's overreach by seeking recourse through the available legal processes. The FTC has repeatedly overstepped its statutory authority under Section 5 of the Federal Trade Commission Act and the FTC does not have the authority to bring this enforcement action."

The FTC's proposed remedy is for LabMD to implement a "comprehensive information security plan" and provide notice to consumers whose information was leaked.

The administrative complaint just issued by the FTC "marks the beginning of a proceeding in which the allegations will be tried in a formal hearing before an administrative law judge," the commission said.