The Federal Trade Commission on Friday issued an opinion and final order holding that LabMD Inc.’s data security practices were unreasonable and lacked “even basic precautions.”

LabMd stopped conducting lab tests and began winding down its business in January 2014, according to the FTC opinion.

The opinion, which was written by FTC chairwoman Edith Ramirez, reverses an Administrative Law Judge’s ruling issued in November 2015. The FTC panel’s vote to issue the opinion and order was 3-0.

The FTC opinion states LabMD failed to use an intrusion detection system; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees, and never deleted any of the consumer data it collected.

“These failures resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users,” said the opinion.

The FTC’s final order will require LabMD to notify affected individuals, establish a comprehensive information security program and obtain assessments regarding its program’s implementation.

LabMD has 60 days to file a petition for review with a U.S. Court of Appeals.

LabMD President and CEO Michael Daugherty said in a statement, “The last thing I am is surprised, as I have danced with these devils for over six years now.”

The FTC, Mr. Daugherty said, has “without remorse made a mockery of legal ethics, regulatory boundaries and (the Department of Health and Human Services.) Yet in their magical thinking, they carry forward and I can’t wait. Villainy wears many masks, none more dangerous than the mask of virtue.”

Washington-based Cause of Action Institute, a public interest law firm that represents LabMD, said in a statement, “This decision sets a dangerous precedent for every small business in America that deals with sensitive personal information.

“The FTC appears to have overlooked a significant body of evidence that had been presented before the agency’s chief (administrative law judge). The FTC has imposed liability on LabMD, despite there being no evidence that a single consumer was harmed.”

As part of the long-running issue concerning the Atlanta-based cancer testing company, the FBI said earlier this year it was investigating whether a cyber security firm gave the government falsified information about data breaches that declined the security firm’s data protection services. Both the FTC and LabMD have said the information the security firm gave the agency was used in the investigation of LabMD.