Beware: FTC Taking Action on BreachesHealthcare Organizations Face More Scrutiny
Two recent healthcare cases show that the Federal Trade Commission will not hesitate to take action against organizations that fail to protect patient information.
In fact, the FTC, which focuses on consumer protection and prosecutes violations of the Fair Trade Act, recently announced that it will now pursue cases involving the failure to maintain the confidentiality of sensitive information about an individual when a promise to the consumer (or patient) has been made by the provider of services (such as a healthcare entity) through the Notice of Privacy Practices (NPP) or other privacy policies posted on a website.
Enforcement just got tougher, and, as a result, security incidents could be far more costly.
This is newsworthy because it adds to the regulatory oversight that healthcare organizations already face. And the FTC has a history of aggressively going after those that it believes have violated consumer trust.
In the same week that the FTC made its announcement responding to a challenge of its authority to investigate data security practices, two recent examples of the FTCs enforcement actions were also made public. Both present a far different outcome than the penalties the healthcare industry has seen from the Department of Health and Human Services' Office for Civil Rights in its settlements tied to HIPAA enforcement.
Results of FTC Action
As a result of one of those FTC enforcement actions, Atlanta-based LabMD has announced that it's closing down operations, citing the impact the investigation has had on the company. LabMD's problems with the FTC began in 2010, and four years later it has suspended operations, reportedly due to the impact of the very aggressive way that the FTC conducted its investigation.
LabMD suffered a breach of patient information in 2010 when a document was inadvertently leaked from its peer-to-peer network and found on a file sharing network. This prompted the FTC to open its investigation, which included a number of companies, not just LabMD. After two years of investigation, the FTC filed a complaint that alleged LabMD had breached the information of nearly 10,000 consumers and proposed that the company implement a comprehensive security program and submit to biannual assessments by an independent third party for next 20 years. LabMD has challenged the FTCs authority to regulate data security practices.
The other recent enforcement action involved California-based GMR Transcription, which provides transcription services to healthcare organizations. The complaint alleged that due to inadequate security around how files created by the transcriptionists were handled by GMR's service provider, they were indexed by a major Internet search engine and made available to anyone using that search engine.
The GMR breach involved sensitive information, including driver's license numbers, tax information, medical histories, notes from children's medical examinations, medications and psychiatric notes. This incident was initially reported to OCR, but was eventually handled by the FTC, because the HIPAA rules had not yet been expanded under the HIPAA Omnibus Rule to give OCR the authority to investigate business associates.
Under the terms of GMR's settlement with the FTC, GMR and its owners must not misrepresent the level of security they provide to clients' data, must establish a comprehensive security program, and must have an independent third party conduct an initial evaluation of their security and follow-up assessments biannually for the next 20 years.
In taking these two recent enforcement actions, the FTC reinforced its belief that Congress intended for the commission to have broad authority to define unfair acts or practices under Section 5 of the FTC Act.
In both cases, the FTC found that the companies involved failed to provide reasonable and appropriate security for personal information on their computer networks and that this failure could lead to consumer identity theft and unauthorized disclosure of private medical information.
The commission further asserted that this represented an unfair act or practice under the FTC Act. And the commission stressed that HIPAA or other statutes do not constitute a shield to protect entities from the FTC Act.
In short, what this means is that the FTC intends, at least for the moment, to fully exercise its responsibilities when it deems it appropriate and/or necessary to protect consumers. And it means that healthcare entities have one more regulatory agency overseeing their activities.
The story isn't over here yet, because the FTC's authority has been challenged, and the issue could go to court for review. It's possible that the courts could determine that the FTC does not have as broad a mandate as it believes it does. My guess, though, is that this will take months to resolve. And in the meantime, FTC enforcement is real and should be taken seriously.
So healthcare now has one more reason to be serious about information security. Enforcement just got tougher, and, as a result, security incidents could be far more costly. In its resolution agreements, OCR has only gone so far as to levy the requirement for an external monitor for up to three years. The FTC proscribes a much longer period of monitoring for those it sanctions.
If having the FTC looking over your shoulder for the next 20 years is not enough to convince you that it is time to get serious about security, consider that remediation and 20 years of external assessments that can add up to serious dollars.
Mac McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based consulting firm specializing in information security and regulatory compliance.