The Federal Trade Commission ruled Friday that a clinical laboratory's lax data security practices violated federal law – a decision that some say could mean tougher enforcement for healthcare providers.
The FTC commissioners, in a unanimous vote, found that LabMD's security practices didn't adequately protect consumers' personal, medical information, constituting an unfair practice under the FTC Act. The commission's decision reversed a ruling made last year by an FTC administrative law judge who said the agency had failed to prove harm to consumers.
The commissioners concluded Friday that the administrative judge applied the wrong legal standard for “unfairness.”
“LabMD's security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system,” FTC Chairwoman Edith Ramirez wrote in the commission's opinion.
She wrote that LabMD failed to use an intrusion detection system, didn't monitor traffic coming across its firewalls, gave its employees essentially no data security training and never deleted the consumer data it collected. Those alleged failures exposed the medical and other personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users for 11 months, she wrote.
LabMD CEO Michael Daugherty said Friday that he plans to appeal the decision in federal court. He said he's relieved he'll get to argue his case in federal court, away from the FTC's “dirty system.” LabMD went out of business in 2014, after 18 years, due to the drain of fighting the case, Daugherty said.
Daugherty said all healthcare providers should be concerned about the FTC's actions in the case, which he said should have been handled exclusively by HHS' Office for Civil Rights. Typically, HHS' Office for Civil Rights handles healthcare data breaches because such breaches fall under HIPAA.
“If I lose, every healthcare facility in the country loses,” Daugherty said. “They're going to push that they've got jurisdiction to come after healthcare facilities without standards, without notice and over and above Health and Human Services. That's terrifying.”
Alan Friel, a partner at BakerHostetler who is not involved in the case, said it's not unusual for agencies, state and federal, to have overlapping jurisdictions. But he said this latest decision “certainly raises the stakes” for healthcare providers.
“There is probably no industry that is as highly regulated for data privacy and security in the United States as the healthcare industry, and this makes it clear that there's yet another cop on the beat,” Friel said.
Still, he said, the standard for the FTC being able to find a practice “unfair” remains high, even after this decision.
The FTC first filed its complaint against LabMD in 2013, saying that the lab's poor security led to two breaches. One of those alleged breaches occurred in 2008, when personal information was available on the peer-to-peer file-sharing network. The second alleged breach was in 2012, when the lab's data was found in the hands of individuals who pleaded “no contest” to charges of identity theft.
The FTC began investigating LabMD after Tiversa, an intelligence services company, notified it of potential problems. According to LabMD, Tiversa discovered that one of LabMD's reports containing personal information was available on a peer-to-peer file-sharing network and then offered its services to LabMD to fix the breach. Tiversa told the FTC about the issue after LabMD declined to purchase its services, according to LabMD.
Tiversa did not immediately respond to a request for comment Friday, but said in a statement last year on the issue, “We have acted appropriately and legally in every way with respect to LabMD, despite their efforts to besmirch our reputation.”