Lab Shutting Down in Wake of FTC CaseLabMD Calls Dealing with Security Complaint 'Debilitating'
Back in August, the Federal Trade Commission filed a complaint against LabMD, alleging the medical testing lab failed to protect consumer health data. Now that the FTC has rejected the lab's motion to dismiss the case, the company is planning to wind down its operations, citing the cost of the fight with the FTC.
In a statement posted on Jan. 28, LabMD CEO Michael Daugherty says the shutdown is "largely due to ... the debilitating effects of the FTC's investigative practices and litigation."
Daugherty was not available for further comment.
LabMD's move to stop operations follows the Jan. 16 FTC order denying the lab's motion to dismiss the complaint.
LabMD had argued that FTC has no authority to address private companies' data security practices as "unfair . . . acts or practices." However, the FTC commissioners ruled that the agency does have authority to take action against a private company's failure to implement reasonable and appropriate data security measures.
Additionally, the FTC commissioners rejected LabMD's contention that because the lab is a HIPAA covered entity, the FTC lacked authority to challenge its data security measures.
"LabMD has not identified a single provision in [HIPAA or any other] statutes touching on data security that expressly withdraws any authority from the Commission," the FTC commissioners wrote.
In addition to the FTC complaint against LabMD, the agency recently settled a case with Accretive Health Inc., a Chicago-based medical billing and revenue management services company, that was related to an investigation into a 2011 data breach that affected 23,000 patients (see Accretive Health Breach: FTC Settlement).
The FTC's information security cases should serve as a wake-up call to other healthcare organizations and the companies that serve them, says privacy attorney Adam Greene, a partner at Davis Wright Tremaine.
"The Accretive Health settlement is an important reminder that the [HHS] Office for Civil Rights is not the only game in town when it comes to enforcement of health information privacy and security," says Greene, a former official at OCR, which enforces HIPAA compliance, including conducting breach investigations. "While rare, the FTC has occasionally exercised its broad authority to find a lack of health information safeguards as an unfair or deceptive trade practice under Section 5 of the FTC Act."
The FTC's action in the LabMD case demonstrates that business associates as well as HIPAA covered entities could face commission investigations, says security and privacy attorney Stephen Wu, a partner at Cooke Kubrick and Wu LLP. "The logic of the decision suggests that the FTC can go after both," he says. "As a matter of statutory interpretation, the commission is saying that nothing in HIPAA strips the FTC of authority to use the FTC Act to go after a business for data security lapses. So that logic would apply to any BA, as well as any CE."
Complaint Against LabMD
The FTC's complaint against LabMD alleges that the company failed to reasonably protect the security of consumers' personal data, including medical information. The FTC alleges that in two separate incidents, "LabMD collectively exposed the personal information of approximately 10,000 consumers," according to a statement.
The complaint alleges that a LabMD spreadsheet containing insurance billing information was found on a peer-to-peer network in 2008. The spreadsheet contained sensitive personal information for more than 9,000 consumers, including names, Social Security numbers, dates of birth, health insurance provider information, and standardized medical treatment codes, according to an FTC statement. "Misuse of such information can lead to identity theft and medical identity theft, and can also harm consumers by revealing private medical information," the FTC says.
The FTC also alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC says. "A number of these Social Security numbers are being or have been used by more than one person with different names, which may be an indicator of identity theft."
The complaint says that the company:
- Did not implement or maintain a comprehensive data security program to protect this information;
- Did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
- Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
- Did not adequately train employees on basic security practices; and
- Did not use readily available measures to prevent and detect unauthorized access to personal information.
The FTC is proposing an order against LabMD that would prevent future violations "by requiring the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years."
Additionally, "the order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."
The goal in this case has been to ensure that sensitive information is appropriately protected, says Robert Schoshinski, assistant director at the FTC's Division of Privacy and Identity Protection, in a statement provided to Information Security Media Group. "FTC attorneys litigating this matter will gather information about the reported changes to LabMD's business operations and determine how best to protect the sensitive consumer data the company has collected," he adds.
The FTC can launch health data breach investigations on its own, or through referrals from other agencies, including referrals by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA compliance, says Allison Lefrak, a staff attorney at the FTC's Bureau of Consumer Protection who was involved in the Accretive Health case.
The FTC commonly issues breach investigation settlements that include corrective actions aimed at having organizations better protect consumer's personal information, Lefrak says.
In his statement, Daugherty, LabMD's CEO, notes that on Nov. 15, 2013, Cause of Action, a government accountability group, filed a lawsuit in a federal court against the FTC on behalf of LabMD "in an effort to put an end to the agency's arbitrary and egregious use of authority in the administrative suit."
Dauherty also notes he has written a book about the FTC's four-year investigation of his firm, titled, The Devil Inside the Beltway: The Shocking ExposÃ© of the U.S. Government's Surveillance and Overreach into Cybersecurity, Medicine and Small Business.