Breach Response , Cybersecurity , Data Breach

LabMD Again Seeks FTC Case Dismissal

Medical Testing Lab Alleges Bias by Commission
LabMD Again Seeks FTC Case Dismissal

As the May 5 resumption of a hearing to consider the Federal Trade Commission's security case against LabMD approaches, the company has launched two more legal maneuvers. Those include yet another motion to have the FTC's case against the medical lab testing firm dismissed, and a separate request to have an FTC commissioner removed from ever considering the case.

See Also: Live Webinar | Embracing Digital Risk Protection: Take Your Threat Intelligence to the Next Level

In a motion filed April 24 with the office of the FTC administrative law judge, which is hearing the LabMD case, the lab firm asks for dismissal, alleging it won't receive a fair decision.

"The FTC owes LabMD a constitutional duty of impartiality free from the taint of bias, prejudice or pre-decision," the motion to dismiss says, alleging "misconduct" by the FTC in its handling of the case

The lab firm has previously unsuccessfully sought to have the case dismissed, citing a variety of other reasons (see LabMD Seeks Sanctions Against FTC).

Attorney Reed Rubinstein, senior vice president of litigation at Cause of Action, a not-for-profit organization providing LabMD's counsel in the case, tells Information Security Media Group that the latest motion to dismiss was filed, in part, "to make the record complete" if LabMD eventually appeals a ruling in the case.

Dispute Details

The dispute centers on an FTC complaint filed against LabMD in August 2013, alleging the Atlanta-based lab firm failed to protect consumer health data in two separate incidents. The FTC alleges the incidents - including the one allegedly discovered by a peer-to-peer security firm Tiversa - collectively exposed the personal information of approximately 10,000 consumers.

However, an investigation last summer by the House Committee on Oversight and Government Reform called into question the completeness and accuracy of the information that Tiversa provided to the FTC about company allegedly discovering in 2008 a LabMD spreadsheet containing insurance billing information for 9,000 individuals on a peer-to-peer network. The Congressional committee also questioned the FTC's reliance on Tiversa "as a source of information" in FTC's decision to launch is enforcement action against LabMD related to data security (see LabMD Case: House Committee Gets Involved).

Motion to Disqualify

The second motion filed by LabMD last week seeks to have FTC Chairwoman Edith Ramirez disqualified from making decisions in the LabMD case.

"LabMD respectfully moves to disqualify Commissioner Edith Ramirez because she has been irrevocably tainted and compromised by her involvement in the FTC's response to the Committee on Oversight and Government Reform investigation of Tiversa," the motion says.

Regarding the lab firm's motion, Michael Daugherty, LabMD's CEO, tells ISMG, "As LabMD seeks government accountability and justice, we take a very dim view of Chairwoman Ramirez's behind the scenes contacts with the House and Senate to intervene in the oversight of Tiversa and the Federal Trade Commission."

Rubinstein says another FTC commissioner, Julie Brill, in December 2013 "voluntarily" recused herself from the LabMD case amid allegations of bias against LabMD related to statements she made about the dispute during various speeches.

If Ramirez is disqualified from the dispute, that will leave three FTC commissioners to rule on the case if a decision by the FTC chief administrative law judge, Michael Chappell, who is presiding over the administrative hearing, is appealed, Daugherty says.

FTC's Complaint

Besides the spreadsheet allegedly found by Tiversa on a peer-to-peer network, the FTC's case against LabMD also points to a second incident, in which the commission alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," says the FTC complaint.

The commission had proposed an order against LabMD that would "require the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."

LabMD has argued that the FTC was overstepping its authority in the data security investigation and issuing the proposed order. The lab firm has taken a number of legal actions over the last two years in an attempt to refute the FTC's case.

In January, the Eleventh Circuit Federal Court ruled that LabMD must first wait for the FTC administrative court to make a decision in its trial before a federal court can review the issue of whether the FTC had authority in the case.

FTC vs. HHS Jurisdiction

Rubinstein says a key lesson that other covered entities and business associates that handle protected health information should learn from the LabMD case is to pay close attention "to whether the regulatory return address in a privacy or security related matter is the Department of Health and Human Services or FTC." That's because "unlike HHS, FTC has no rules or expertise" in how it determines if an alleged data privacy or security incident involving PHI is a violation to pursue a potential enforcement action, Rubinstein contends.

The FTC commissioners had previously rejected LabMD's contention that because the lab is a HIPAA covered entity, the FTC lacked authority to challenge its data security measures. HHS' Office for Civil Rights oversees enforcement of HIPAA security and privacy rule compliance and investigates those breaches. OCR has previously told ISMG that the agency has not launched an investigation of LabMD's compliance with the HIPAA rules.

In an August 2013 statement announcing the complaint against LabMD, FTC said, "the case is part of an ongoing effort by the commission to ensure that companies take reasonable and appropriate measures to protect consumers' personal data."

LabMD's Daugherty has said that resources the company has dedicated in its legal battle with FTC has forced the firm to wind down most of its business operations.

The FTC did not immediately respond to ISMG's request for comment on the latest motions filed by LabMD.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.