FTC Final Order against LabMD – The Intersection of Unfair Practices, Privacy, Security, and Compliance

Logan Parker
Privacy Editor
Loyola University Chicago School of Law, LL.M. in Health Law 2017


The Federal Trade Commission (“FTC”) issued an Opinion and Final Order on July 29, 2016 against LabMD, a now defunct medical testing laboratory, for its lax data security practices that constituted an unfair practice under Section 5 of the FTC Act. The FTC directed LabMD to take remediation efforts to ensure LabMD will protect sensitive consumer information going forward.

The ruling effectively reversed an Administrative Law Judge’s (“ALJ”) decision that had dismissed the FTC’s charges against LabMD. In its unanimous opinion, the FTC stated that the ALJ applied the wrong legal standard for unfairness and found that “LabMD’s security practices were unreasonable, and lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.”

Unfair Practices under Section 5 of the FTC Act

An act may be deemed unfair if it causes or is “likely” to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition. The FTC’s analysis of whether LabMD’s conduct constituted an unfair practice under the Act focused on the word “likely.” The FTC read “likely” to mean “reasonably to be believed or expected.” Relying on the precedent set in International Harvester and Wyndham, the FTC concluded that it does not have to prove that actual harm occurred to establish an unfair practices violation; a likely injury may be shown where “the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”

LabMD’s Privacy & Security Issues as they relate to an Unfair Practice

In reaching its conclusion, the FTC found that LabMD’s lack of security controls meant it failed to use intrusion detection systems or other forms of file monitoring (including monitoring of traffic across its firewalls), provided no data security training to its employees, and never deleted any of the consumer data it had collected. These failures also allowed the installation of file-sharing software that exposed the “medical and other sensitive personal information” of close to 10,000 consumers on a peer-to-peer network, where it was accessible to that network’s users for eleven (11) months. This led to the unauthorized disclosure of the information.

Moreover, the FTC pointed out that the data at issue was health data. The disclosure of health data carries a greater likelihood of “embarrassment or other negative outcomes including reputational harm,” the kind of injury that supports a finding of an unfair practice under Section 5 of the FTC Act. Improper disclosure could also lead to medical identity theft, which is almost impossible to correct and may result in misdiagnosis and mistreatment, causing direct physical harm. Finally, the Opinion and Final Order noted the importance of timely reporting under the breach notification rules of the Health Insurance Portability and Accountability Act, observing that because LabMD never notified consumers of the unauthorized disclosure of their health information, consumers were deprived of the harm mitigation steps they could have taken had they been notified properly and on time.

Due to these inadequacies in LabMD’s security program, the FTC ordered LabMD to:

  • Establish a comprehensive information security program;
  • Obtain periodic independent, third party assessments regarding the implementation of the information security program; and
  • Notify those consumers whose personal information was misappropriated.

FTC’s Authority

An interesting question of agency authority arises in this case because the consumer information at issue is health data. Health information breaches typically fall within the jurisdiction of the Department of Health and Human Services’ (“HHS”) Office for Civil Rights. If the FTC extends its jurisdiction to these types of cases and its approach to notification standards differs from that of HHS, the result could be further confusion in the future. However, overlaps in different agencies’ authority are not uncommon.

Appeal & Stay

LabMD has 60 days from service of the Opinion and Final Order to appeal. An appeal seems very likely, with LabMD CEO Michael Daugherty saying that he is relieved to argue his case in federal court, away from the FTC’s “dirty system.” Further evidence of an impending appeal came at the end of August 2016, when LabMD filed its Application for a Stay of the Final Order of the FTC.

Lessons Learned

Although this case is still evolving and the outcome is not yet determined, important yet basic elements of a compliance program could have helped prevent litigation at the outset: proper standards and procedures, adequate training, consistent and effective monitoring, and rapid response and prevention tactics. Healthcare providers should assess and update their privacy and data security policies and programs regularly, both to make improvements and to prepare for incidents like those in this case. Finally, it is important to keep up to date on this developing case, as it could mean tougher enforcement for providers in the future, amongst other things.