LabMD vs. FTC: Legal Battle Continues
New Lawsuit Filed in Information Security DisputeLabMD's ongoing legal dispute with the Federal Trade Commission has taken another turn. The medical lab testing firm has filed a new, expanded lawsuit against the FTC alleging that the agency abused its power and regulatory authority in filing an administrative complaint against the firm over information security issues.
An earlier, narrower lawsuit against the FTC filed on behalf of LabMD by Cause of Action, a government accountability group, has been withdrawn due to court jurisdiction issues.
In the new lawsuit, filed March 20 in federal district court in Northern Georgia, LabMD argues that an August 2013 administrative complaint filed by the FTC against the firm, "is arbitrary, capricious, an abuse of discretion and power, in excess of statutory authority and short of statutory right, and contrary to law and constitutional right."
The August 2013 FTC complaint alleged LabMD failed to reasonably protect the security of consumers' personal data, including medical information.
In January, the FTC denied the lab's motion to dismiss the complaint, which, among other things, proposed to require LabMD "to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years" to prevent future violations of data security (see Lab Shutting Down in Wake of FTC Case).
LabMD had argued that the FTC has no authority to address private companies' data security practices as "unfair . . . acts or practices." But the FTC commissioners ruled that the agency does have authority to take action against a private company's failure to implement reasonable and appropriate data security measures.
The FTC commissioners in January also rejected LabMD's contention that because the lab is a HIPAA covered entity, the FTC lacked authority to challenge its data security measures. The Department of Health and Human Services' Office for Civil Rights enforces HIPAA.
"LabMD has not identified a single provision in [HIPAA or any other] statutes touching on data security that expressly withdraws any authority from the Commission," the FTC commissioners wrote.
The FTC declined to comment on the new LabMD suit.
Lawsuit's Contentions
LabMD's new legal action, a "verified complaint for declaratory and injunctive relief" argues that "FTC lacks the statutory authority to regulate PHI and/or cybersecurity; it also lacks the expertise to do so."
Cause of Action filed its lawsuit on behalf of LabMD last November in the U.S. District Court for the District of Columbia and in the U.S. Court of Appeals for the Eleventh Circuit. The new lawsuit was filed in the Northern Georgia District Court due to jurisdictional issues, says LabMD CEO Michael Daugherty in an interview with Information Security Media Group. Cause of Action is still involved in the new suit, he says.
The latest lawsuit contains more allegations against the FTC than the original suit, Daugherty adds. It outlines "irreparable harm done by the FTC to LabMD." For example, it notes the company's decision in January to wind down its business operations.
"FTC's power-grab has destroyed LabMD's customer relationships and, in large measure, driven LabMD to cease accepting new specimen samples," the new lawsuit says. "LabMD, and its doctors, have been denied insurance coverage as a direct result of the FTC's ongoing persecution of the company. LabMD's general liability insurance carrier is planning to non-renew its insurance policy effective May 6, 2014."
LabMD is asking the court to issue a declaration that the FTC lacks authority to regulate patient information data-security. The company also is seeking to recoup legal fees and litigation costs.
Significance of Case
LabMD's case against the FTC could have "significant consequences for the entire healthcare sector," says privacy attorney Adam Greene of law firm Davis Wright Tremaine. That's because organizations that have a data breach involving PHI currently face scrutiny of multiple federal and state government regulators.
"Right now, a health data breach potentially can lead to a HHS investigation under HIPAA, one or more state attorneys general actions under HIPAA, one or more state regulatory actions under applicable state laws, class actions, and the FTC seeking a 20-year consent order," Greene says, "A favorable decision for LabMD could at least take the FTC's 20-year consent order off the table," he says.
"A federal district court decision is precedent for other courts but is not binding even in the same district," Greene explains. "If it is appealed to the relevant circuit court of appeals, a decision there on the merits would be binding only in that circuit." For wider impact, "a Supreme Court decision would become binding nationally," Greene says. "How the FTC would react to a lower court decision, for example, whether it would change its policy nationally, is unclear."
FTC Complaint Details
The August 2013 FTC complaint alleges that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet allegedly contained sensitive personal information for more than 9,000 consumers, according to an FTC statement. "Misuse of such information can lead to identity theft and medical identity theft, and can also harm consumers by revealing private medical information," the FTC says.
The FTC also alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC says.
In a February interview with Information Security Media Group, Daugherty said that LabMD paper documents found by Sacramento police were stolen from the company during a move. And he argued that neither security incident cited by the FTC should be considered a data breach.