A recent ruling against the Federal Trade Commission might make it more difficult for the agency to bring and win cases against healthcare companies involved in data breaches, legal experts say.
The FTC alleges that clinical testing laboratory LabMD harmed consumers by using inadequate data security methods. An independent FTC administrative law judge, however, ruled that the agency failed to prove that harm. The judge dismissed the case.
The FTC first filed the complaint against LabMD in 2013 alleging that poor security led to two breaches, including one in 2008 when personal information was available on a peer-to-peer file-sharing network. The second alleged incident occurred in 2012 when LabMD data was found in the possession of individuals who pleaded “no contest” to charges of identity theft.
“At best, (FTC counsel) has proven the 'possibility' of harm, but not any 'probability' or likelihood of harm,” wrote Michael Chappell, a chief administrative law judge.
Jessica Rich, director of the FTC's Bureau of Consumer Protection, released a statement that expressed disappointment in the ruling and said FTC staff are considering their next steps. FTC officials could appeal the ruling to the agency's commissioners.
The ruling sets the bar relatively high in terms of the type of harm the FTC must prove if it wants to punish companies that are victims of hacking, said Alan Friel, a partner at BakerHostetler.
A number of healthcare companies have experienced data breaches recently. Earlier this year, Anthem was the victim of a cyberattack that exposed the personal information of 80 million current and former members. In May 2014, Premera Blue Cross was the victim of a cyberattack that penetrated a system containing the records of 11 million customers.
Healthcare companies should, however, still be concerned about failing to meet privacy and security requirements under the Health Insurance Portability and Accountability Act, a federal law to protect patient privacy, Friel said.
Typically, HHS' Office for Civil Rights handles healthcare data breaches because such breaches fall under HIPAA. Friel said the FTC will now likely be more selective in pursuing data breach cases as the judge's recent decision gives companies more ammunition to push back.
Lisa Clark, a partner at Duane Morris, said this case helps clarify the FTC's authority and the burden of proof. But Ken Dort, a partner at Drinker Biddle & Reath, believes larger implications of the case may lie further in the future, after the FTC commissioners respond.
If FTC officials appeal the case to the commissioners, and commissioners reverse the judge's decision, Dort said it would open up the doors to more activity.
On the other hand, if the commissioners were to uphold the decision, it would send a message that the FTC will only narrowly define what constitutes harm in future cases, he said.
The administrative law judge also noted in his decision that the FTC began investigating LabMD after being notified of potential issues by Tiversa, an intelligence services company. According to LabMD, Tiversa discovered that one of LabMD's reports containing personal information was available on a peer-to-peer file-sharing network, and then offered its services to LabMD to remediate the breach. Tiversa reported the issue to the FTC after LabMD declined to purchase its services.
“Tiversa has never been a party to this matter, but we have sadly been dragged into this case as LabMD sought to blame others for its admitted mistakes,” according to a statement from Tiversa. “We have acted appropriately and legally in every way with respect to LabMD, despite their efforts to besmirch our reputation.”