When a file with hundreds of Americans' Social Security numbers and private health information showed up on a peer-to-peer network several years ago, the incident triggered an investigation that led to charges against an Atlanta medical laboratory for allegedly mishandling patients' private information.
But the company, LabMD, says it is being targeted illegally by the Federal Trade Commission. Its attempts to derail the FTC trial failed, however, and the hearing got underway this week as scheduled.
“FTC has discarded rule-of-law and constitutional values for boundless bureaucratic power and discretion,” wrote one of LabMD's attorneys (PDF), Michael Pepson, who works for the limited-government advocacy group Cause of Action. “FTC will distort the law and even re-write history to justify its power-grab.”
Officials at the FTC see no power grab. In fact, they say LabMD's posturing over the FTC's regulatory powers is an attempt to distract from the real issues of the case.
“LabMD seeks a stay because it wishes to forestall an evidentiary hearing regarding allegations that it unjustifiably harmed consumers,” FTC attorneys wrote in a brief filed with the 11th U.S. Circuit Court of Appeals in Atlanta. LabMD had asked the 11th Circuit to delay the FTC trial, but the court issued a one-sentence order denying the request (PDF), allowing the hearing to move forward.
The FTC wants to have an administrative law judge order LabMD to implement an information security program that would be evaluated by an independent monitor for 20 years, and to provide notice to the consumers whose data has already been compromised.
LabMD analyzes patient medical samples sent in from across the country and maintains detailed spreadsheets of patients' personal data, including, in some cases, bank account numbers along with Social Security and health information. The FTC says one file with data on 9,000 people ended up on the file-sharing service Limewire in 2008, and another LabMD file with information on 500 people was “found in the hands of identity thieves” in 2012.
The complaint against LabMD (PDF) accuses the company of violating the Federal Trade Commission Act's prohibition against “unfair acts or practices” by failing to protect consumers' personal information. Specifically, LabMD allegedly failed to maintain a data-security program or take steps to identify common security risks. The company is also accused of failing to adequately train its employees on data security and of failing to use readily available technology to prevent and detect unauthorized access to personal information.
LabMD responded by saying in court records that the practices alleged by the FTC were unlikely to “cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by the countervailing benefits to consumers or to competition.” The company also noted that the FTC hadn't published any rules or regulations clarifying what data-security practices the FTC Act requires or forbids.
HHS' Office for Civil Rights has published extensive guidance on the data-security requirements for any person or entity that maintains protected health information. HHS generally enforces those rules, sometimes in cooperation with the U.S. Justice Department.
The FTC, however, has increasingly asserted a role in policing healthcare data security, reaching dozens of consent agreements with companies. In recent years, the FTC also has worked in tandem with HHS on healthcare privacy cases, beginning with a case against CVS Caremark that yielded a $2.25 million settlement.
“The FTC is over-regulating in this area because explicit authority to regulate data security obligations of healthcare providers such as LabMD has been delegated to the United States Department of Health and Human Services, who has exercised that authority and adopted data security regulations for healthcare providers,” LabMD attorneys wrote in their motion for emergency relief to the 11th Circuit.
The FTC's administrative trial is expected to last at least a week, perhaps more. If the administrative judge issues a sanction against LabMD, the company can then appeal that order to a federal court.
Follow Joe Carlson on Twitter: @MHJCarlson