FTC Ruling in Battle with LabMD DelayedCommission Has Until July 28 to Make Decision in Data Security Case
The messy legal drama between the Federal Trade Commission and cancer testing laboratory LabMD over a data security dispute has been stretched out to last a little longer. The FTC has extended its deadline for making a ruling on whether it will affirm or overturn an "initial decision" last year by a FTC administrative law judge to dismiss the FTC's case against LabMD.
The FTC was expected to issue a ruling June 16 on whether to affirm or overturn FTC Administrative Law Judge Michael Chappell's decision last November to dismiss the FTC's case against LabMD alleging that the now defunct Atlanta-based company had failed to protect the security of consumers' personal data, putting them at risk for identity theft.
Instead, on June 16, the FTC issued an order "to extend the time period for issuing a final decision and order until July 28 ... in order [for the commission] to give full consideration to the issues presented by the appeal in this proceeding."
The FTC's Bureau of Consumer Protection, which brought the legal action against LabMD in August 2013, had filed an appeal of Chappell's initial decision to dismiss the FTC's case against the medical testing laboratory.
Decision to Dismiss
In his ruling dismissing the FTC's case against LabMD, Chappell said the FTC "failed to prove its case" that two alleged data security incidents at LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices.
The FTC's complaint against LabMD alleges that the company "failed to reasonably protect the security of consumers' personal data, including medical information." The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. The FTC alleges that LabMD billing information for more than 9,000 consumers was found in 2008 on a peer-to-peer file-sharing network and then, in 2012, LabMD documents containing sensitive personal information on at least 500 consumers were found by police in Sacramento, Calif., in the possession of "identity thieves."
Citing the two alleged security incidents, the FTC in August 2013 proposed a consent order against LabMD that would require the company to implement a comprehensive information security program that an independent, certified security professional would evaluate every two years over the next 20 years. The order also would require that LabMD provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies. The CEO of LabMD, Michael Daugherty, has been fighting the order ever since.
LabMD's allegedly unsecured spreadsheet was discovered in 2008 by Philadelphia-based peer-to-peer security firm Tiversa, which reported the matter to the FTC. However, during testimony at the case's FTC administrative hearing last year, some witnesses, including a former Tiversa employee, discredited Tiversa's account to the FTC of the alleged LabMD security incident.
The former Tiversa employee testified that it was a "common practice" of Tiversa to approach prospective clients with exaggerated information about their allegedly unsecured files that the security firm found "spreading" on the internet in an attempt to sell the company's security monitoring and remedial services.
Also during testimony, Daugherty alleged that Tiversa reported false information to the FTC about the supposed security incident involving LabMD's data after the lab refused to buy Tiversa's remedial services.
In 2014, the House Committee on Oversight and Government Reform also conducted an investigation into the business practices of Tiversa (see LabMD Case: House Committee Gets Involved). A resulting staff report by the committee alleges that Tiversa "often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks."
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, notes: "The issues raised in this matter concerning the credibility of the witnesses and the weight given to the evidence will be resolved by the commissioners and any subsequent appeals to the federal courts," Holtzman says. "The outside influences and appeal to the political arena that have been used to sway opinion on this matter have not been helpful to our knowledge of the facts or their application to the law."
Tiversa has defended its practices and has denied any wrongdoing.
LabMD, meanwhile, has discontinued its business operations due to the financial cost and time that have been invested in the firm's battle against FTC, Daugherty says.
If the FTC commissioners overturn Chappell's initial decision for the FTC to dismiss its complaint against LabMD, Daugherty pledges to take the case to federal court.
"The ALJ [adminstrative law judge] decision has put FTC in a quandary. The FTC is a lose-lose situation," Daugherty contends.
The FTC did not immediately respond to an Information Security Media Group request for comment.
The FTC's case against LabMD - and the Daugherty's legal fight opposing the charges - provides a rare peek into FTC data security related enforcement activities, some experts say. "The LabMD case in general is a really big deal," says privacy attorney Kirk Nahra of the law firm Wiley Rein, who is not involved in the matter. "This case in general has become a particularly ugly case. Like a lot of litigation, it forced both sides to take extreme positions, and now the parties are having to live with that - although this impacts the FTC much more than LabMD."
Nahra contends the administrative law judge's decision in the case "focused on an issue that wasn't really the reason we've been talking about this case. Until then, the case focused on two questions, he says: "Does the FTC have authority in data security cases generally - the same argument that was in play in the Wyndham [data security dispute with FTC], and has now largely been resolved in the FTC's favor - and does the FTC have authority to take action against a HIPAA-covered entity?"
Instead, however, the judge's decision focused on whether consumers were harmed by the alleged LabMD security incidents, Nahra notes.
"My expectation is that the FTC will push hard to maintain its ability to go after situations where there is potential harm, even if that harm is not yet realized," he says. "That is a typical distinction that is offered between private class action [data breach] litigation, where harm is an element of standing - and government regulation, where harm usually isn't thought of as necessary."
Among lessons so far emerging from this case are that "the FTC clearly believes it has authority in data security cases ... and that it believes it can enforce that authority against any [for-profit] entity subject to its jurisdiction, whether covered by HIPAA or not," he says.
"This second point hasn't been tested much. There is no general sense that the FTC is broadly pursuing healthcare companies, but the FTC believes they have the authority to do so if they wish."
Practice Fusion Case
In another recent enforcement case involving a company in the healthcare sector, the FTC on June 8 announced a settlement with electronic health records vendor Practice Fusion over a privacy related dispute (see Analysis: FTC's Privacy Settlement with EHR Vendor).
The FTC says the cloud-based EHR vendor agreed to settle charges that the company "misled consumers by soliciting reviews for their doctors, without disclosing adequately that these reviews would be publicly posted on the internet, resulting in the disclosure of patients' sensitive personal and medical information."
The LabMD and Practice Fusion cases have little in common, Nahra says. The Practice Fusion case is "not really a data security case, but more of a privacy and misrepresentation case."
Holtzman says, however, there are lessons that all entities can learn from FTC's recent enforcement activities. "It is important for businesses to keep the promises they make to consumers about how their sensitive, personal information will be collected and used," he stresses.