Officials at the FTC see no power grab. In fact, they say LabMD's posturing over the FTC's regulatory powers is an attempt to distract from the real issues of the case.
“LabMD seeks a stay because it wishes to forestall an evidentiary hearing regarding allegations that it unjustifiably harmed consumers,” FTC attorneys wrote in a brief filed with the 11th U.S. Circuit Court of Appeals in Atlanta. LabMD had asked the 11th Circuit to delay the FTC trial, but the court issued a one-sentence order denying the request, allowing the hearing to move forward.
The FTC wants to have an administrative law judge order LabMD to implement an information security program that would be evaluated by an independent monitor for 20 years, and to provide notice to the consumers whose data has already been compromised.
LabMD analyzes patient medical samples sent in from across the country and maintains detailed spreadsheets of patients' personal data, including, in some cases, bank account numbers along with Social Security and health information. The FTC says one file with data on 9,000 people ended up on the file-sharing service Limewire in 2008, and another LabMD file with information on 500 people was “found in the hands of identity thieves” in 2012.
The complaint against LabMD accuses the company of violating the Federal Trade Commission Act's prohibition against “unfair acts or practices” by failing to protect consumers' personal information. Specifically, LabMD allegedly failed to maintain a data-security program or take steps to identify common security risks. The company is also accused of failing to adequately train its employees on data security and use readily available technology to prevent and detect unauthorized access to personal information.
LabMD responded by saying in court records that the practices alleged by the FTC were unlikely to “cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by the countervailing benefits to consumers or to competition.” The company also noted that the FTC hadn't published any rules or regulations clarifying what data-security practices the FTC Act requires or forbids.
HHS' Office for Civil Rights has published extensive guidance on the data-security requirements for any person or entity that maintains protected health information. HHS generally enforces those rules, sometimes in cooperation with the U.S. Justice Department.
The FTC, however, has increasingly asserted a role in policing healthcare data security, reaching dozens of consent agreements with companies. In recent years, the FTC also has worked in tandem with HHS on healthcare privacy cases, beginning with a case against CVS Caremark that yielded a $2.25 million settlement.
“The FTC is over-regulating in this area because explicit authority to regulate data security obligations of healthcare providers such as LabMD has been delegated to the United States Department of Health and Human Services, who has exercised that authority and adopted data security regulations for healthcare providers,” LabMD attorneys wrote in their motion for emergency relief to the 11th Circuit.
The FTC's administrative trial is expected to last at least a week, perhaps more. If the administrative judge issues a sanction against LabMD, the company can then appeal that order to a federal court.
Follow Joe Carlson on Twitter: @MHJCarlson