{"id":167,"date":"2016-09-15T20:59:20","date_gmt":"2016-09-15T20:59:20","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=167"},"modified":"2016-09-15T20:59:20","modified_gmt":"2016-09-15T20:59:20","slug":"ftc-final-order-against-labmd-the-intersection-of-unfair-practices-privacy-security-and-compliance","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=167","title":{"rendered":"FTC Final Order against LabMD \u2013 The Intersection of Unfair Practices, Privacy, Security, and Compliance"},"content":{"rendered":"

Logan Parker<\/em>
\nPrivacy Editor<\/em>
\nLoyola University Chicago School of Law, LL.M. in Health Law 2017<\/em><\/p>\n

 <\/p>\n

The Federal Trade Commission (\u201cFTC\u201d) issued an Opinion and Final Order<\/a> on July 29, 2016 against LabMD, a now defunct medical testing laboratory<\/a>, for its lax data security practices that constituted an unfair practice under Section 5 of the FTC Act. The FTC directed LabMD to take remediation efforts to ensure LabMD will protect sensitive consumer information going forward.<\/p>\n

The ruling effectively reversed an Administrative Law Judge\u2019s (\u201cALJ\u201d) decision that dismissed FTC\u2019s charges against LabMD. In the unanimous opinion, the FTC stated<\/a> that the ALJ applied the wrong legal standard for unfairness and finds that \u201cLabMD\u2019s security practices were unreasonable, and lacking even basic precautions to protect the sensitive consumer information maintained on its computer system.\u201d<\/p>\n

Unfair Practices under Section 5 of the FTC Act<\/strong><\/p>\n

An act<\/a> may be deemed to be unfair if it causes or is \u201clikely\u201d to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or competition. The FTC\u2019s finding in determining whether LabMD\u2019s actions created an unfair practice under the Act focused on the word \u201clikely.\u201d The FTC read \u201clikely\u201d to mean \u201creasonably to be believed or expected.\u201d The FTC relied on case precedent set in International Harvester<\/em><\/a> and Wyndham<\/em><\/a> to conclude that the FTC does not have to prove that actual harm occurred to bring an Unfair Practices violation, but harm is proved if \u201cthe magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.\u201d<\/a><\/p>\n

LabMD\u2019s Privacy & Security Issues as they relate to an Unfair Practice<\/strong><\/p>\n

In reaching its conclusion, the FTC found<\/a> that LabMD\u2019s lack of security controls led to failures to utilize intrusion detection systems or other forms of file monitoring, including traffic across its firewalls, providing no data security training to its employees, and never deleting any of the consumer data it had collected. The failures also resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information\u201d of close to 10,000 consumers on a peer-to-peer network, accessible to its users for eleven (11) month. This led to the unauthorized disclosure of the information.<\/p>\n

Moreover, the FTC pointed out that this was health data<\/a>. The disclosure of health data can result in greater likelihood of \u201cembarrassment or other negative outcomes including reputational harm\u201d that would be a violation of the Unfair Practices Act under the FTC Act. Improper disclosure could also lead to medical identity theft, which is almost impossible to correct and may result in misdiagnosis and mistreatment leading to direct physical harm. Finally, the Opinion and Final Order noted the importance of timely reporting under the breach notification rules of the Health Insurance Portability and Accountability Act, and how the fact that LabMD never notified consumers of the unauthorized disclosure of their health information limited the harm mitigation efforts the consumer could have pursued if notified properly and on time.<\/p>\n

Due to these inadequacies in LabMD\u2019s security program, FTC ordered the entity to:<\/p>\n