FTC vs. LabMD: The Next Battle BeginsAdministrative Trial Examining Lab's Security Practices Starts
A Federal Trade Commission administrative trial examining the data security practices of LabMD, slated to begin May 20, could shed light on how the FTC evaluates data security when the agency pursues enforcement actions against companies for alleged unfair business practices.
See Also: HIPAA Audits: A Revised Game Plan
"I think the FTC administrative trial with LabMD will be important for the healthcare sector and other sectors to watch," says privacy attorney Adam Greene, a partner at law firm Davis Wright Tremaine, who's not involved in the case. "It may force the FTC to better identify what information security practices it considers unfair or deceptive."
The FTC expects companies to use reasonable information security practices, Greene says, "but we don't know exactly what that means. For example, what technical controls does the FTC expect an entity to put in place to safeguard personally identifiable information? The LabMD hearing won't provide all the answers, but it may give us some of the most valuable information yet as to the FTC's process for reviewing data breaches and the agency's information security expectations."
Earlier this month, an FTC administrative judge ruled the commission must testify about the data security standards it used to pursue enforcement action against the medical testing lab after two alleged data security incidents (see FTC Must Reveal Security Standards).
That ruling was considered significant because the LabMD dispute is among a handful of recent cases in which the FTC has pursued enforcement actions against companies for unfair or deceptive business practices related to alleged data security incidents, legal experts say (see Accretive Health Breach: FTC Settlement) .
Michael Daugherty, CEO of LabMD, tells Information Security Media Group that during a May 12 deposition, FTC officials testified that the agency has "no written data security standards" and that it evaluates data security of companies "on a case-by-case basis." FTC did not respond to ISMG's requests for comment on the case or whether its deposition would be made public.
Attorney Tim Blank, who heads the data privacy and cybersecurity practice at the law firm Dechert LLP, and who is not involved in the LabMD case, says the case is important to other companies in the healthcare sector because it involves an entity that is subject to data security and privacy regulatory oversight by another federal government agency, the Department of Health and Human Services, which enforces HIPAA.
"LabMD's argument is that 'we're subject to HIPAA, and if we comply with HIPAA, FTC cannot parachute in and say we're not compliant with FTC standards, whatever they are,'" Blank says.
The healthcare sector is lacking clarity when it comes to what's expected from the FTC versus HHS when it comes to safeguarding data, says Cliff Baker, managing partner at Meditology, a risk management consulting firm.
"If the FTC is allowed to go forward with imposing penalties on LabMD, the industry will be left trying to decipher what reasonable and appropriate means to the FTC in protecting PHI, how these requirements compare with HHS' guidance over the past 10 years, and how to resolve obvious differences," Baker says.
"After almost 10 years of struggling to comply with HIPAA and [HHS] Office for Civil Rights guidance, what the industry needs at this point in time is clarity and specificity," Baker says. "More ambiguous regulations will ultimately distract efforts to protect information versus focusing the industry's resources on safeguarding protected health information from the ever growing threats of disclosure."
The FTC Complaint
Last August, the FTC filed a complaint alleging that LabMD failed to protect the security of consumers' personal data, including medical information, in two separate alleged data security incidents. The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers.
One of the incidents allegedly involves a LabMD spreadsheet containing insurance billing information that was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, according to an FTC statement. "Misuse of such information can lead to identity theft and medical identity theft, and can also harm consumers by revealing private medical information," according to the FTC.
In the second incident, the FTC alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC says.
The commission has proposed an order against LabMD that would prevent future violations "by requiring the company to implement a comprehensive information security program and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."
Overreaching its Authority?
LabMD argued in a lawsuit filed in a federal district court that the FTC was abusing its power and regulatory authority in issuing the complaint. That suit was dismissed last week by a federal judge, who ruled that the matter cannot be addressed by the federal court until after a decision is made in the FTC administrative trial, and then reviewed by FTC commissioners (see LabMD Dealt Setback in FTC Battle).
In a last-ditch effort to have the administrative action by FTC over the medical testing lab's data security practices tossed out or the administrative trial delayed, LabMD late last week asked an appellate court for an emergency ruling or stay to prevent the administrative trial from taking place.
But that motion was denied by the appellate court on May 19, so the administrative trial is expected to begin on May 20 as scheduled.
The trial, or evidentiary hearing, will determine whether LabMD's data security practices violated Section 5 of FTC regulations related to unfair business practices. After an FTC administrative law judge issues an initial decision in the case, either LabMD or FTC can appeal to the full FTC commission for review of the factual findings and legal conclusions, noted Judge Duffey in his May 12 ruling. "If the commission concludes that LabMD engaged in "unfair ... acts or practices ... and enters a cease and desist order, [LabMD] then has a statutory right to obtain a review of such order in the court of appeals," he wrote.
Daugherty says the legal battle with FTC has caused LabMD to wind down most of its operations. However, some limited services are still being offered by the cancer test lab, including providing physicians access to results for tests that have already been performed by the lab.