LabMD Files for 'Stay' of FTC Order Pending Appeal
Latest Legal Maneuver in Complex Data Security Dispute
As it prepares to file an appeal in federal court, LabMD is seeking a "stay" in implementing the Federal Trade Commission's final ruling in a longstanding dispute over the lab's information security practices.
The FTC on July 28 overturned a decision made last fall by its own administrative law judge to dismiss the agency's enforcement case against the now-shuttered medical testing laboratory.
"This case is going to have greater impact on all other companies rather than LabMD," says CEO Michael Daugherty, who has alleged, among other things, that the agency is overstepping its legal authority. The company, which has been fighting the FTC enforcement action since 2013, plans to file its court appeal of the FTC ruling by the late September deadline, he adds.
"This stay request is just a necessary steppingstone out of a biased system that is severely broken," Daugherty tells Information Security Media Group.
Even though Daugherty says LabMD has ceased operating as a result of the resources it poured into battling the FTC, the agency is requiring that the company "reasonably protect the security and confidentiality of the personal consumer information in its possession," according to an FTC statement.
That includes requiring LabMD to establish a comprehensive information security program; obtain periodic independent, third-party assessments over the next 20 years regarding the implementation of the information security program; and notify consumers whose personal information was allegedly "exposed on a peer-to-peer network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms."
In its July ruling, the FTC also notes: "Although LabMD stopped accepting specimen samples and conducting tests in January 2014, LabMD continues to exist as a corporation and has not ruled out a resumption of operations. Moreover, LabMD continues to maintain the personal information of approximately 750,000 consumers on its computer system. Because LabMD continues to hold consumers' personal information and may resume operations at some future time, the order is appropriate and necessary."
Daugherty tells ISMG: "Theoretically, LabMD is still a corporation. Of course we can come back, but there's not a chance in hell that will happen. We can't get insurance. Everyone is gone - including all of our clients - out of fear of the government."
The FTC declined to comment on LabMD's request for a stay.
Latest FTC Action
The July FTC ruling reversed a decision last fall by FTC administrative law judge Michael Chappell to dismiss the FTC Bureau of Consumer Protection's 2013 case against LabMD that alleged the company had failed to protect the security of consumers' personal data, putting them at risk of identity theft.
In dismissing the FTC's case against LabMD, Chappell had said the FTC "failed to prove its case" that two alleged data security incidents at LabMD in 2008 and 2012 caused, or were likely to cause, "substantial injury to consumers," such as identity theft, medical identity theft, reputational harm or privacy harm, and would, therefore, constitute unfair trade practices.
The FTC's complaint against LabMD alleged that the company "failed to reasonably protect the security of consumers' personal data, including medical information." The FTC alleged that LabMD billing information for more than 9,000 consumers was found in 2008 on a peer-to-peer file-sharing network and then, in 2012, LabMD documents containing sensitive personal information on at least 500 consumers were found by police in Sacramento, Calif., in the possession of "identity thieves."
In its ruling, however, the FTC agreed with the administrative law judge's decision that the FTC's counsel did not establish that the Sacramento security incident was caused by deficiencies in LabMD's computer security practices.
Breaking New Ground?
Privacy attorney Kirk Nahra of the law firm Wiley Rein, who is not involved in the case, says LabMD's continuing battle with the FTC is testing new ground. "There's very little precedent in this setting - a longstanding dispute pushed to the full margins of the enforcement process, with a company that is essentially out of business but still fighting hard," he says.
Regarding the FTC's demand that LabMD continue safeguarding patient data even though the company is no longer operating, the attorney says: "I don't think it is necessarily that hard to protect the data, since they don't need to use it on any ongoing basis.
"Another big question is why they still have it at all. Companies always have to protect the data they have, regardless of whether they are out of business - although that obviously makes enforcement a bit more challenging," he says. "There may be less reason for the 20-year monitoring if they [LabMD] aren't still in existence."
Lessons are emerging from the battle between LabMD and the FTC about how any healthcare-related company might be expected to protect patient data - even after its business ceases, says Tom Walsh, CEO of the consulting firm tw-Security.
"There are state and federal laws regarding the retention of certain types of medical information: procedures, test results, images, etc.," says the security specialist, who's not an attorney. "Companies need to spend as much time planning in the failure or closure as they do in the startup. Businesses have a life span; some are longer than others."
Any type of partnership or business relationship agreement needs to include terms about what to do when the company dissolves or goes bankrupt, Walsh notes. "Especially when there is a legal requirement to retain the data for a specified period of time, there needs to be some type of an escrow account established for protection of the data," he says.
Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes the FTC action against LabMD is not applying the standards of the HIPAA privacy and security rules. "The HIPAA rules are murky as to continuing obligations to protect patient information once an organization that was a covered entity or business associate ceases operations or faces dissolution," he says.
Instead, the FTC in its ruling concluded that LabMD's data security practices constitute an unfair act or practice that violated Section 5 of the Federal Trade Commission Act.
Despite the FTC's dogged pursuit of the data security case against LabMD, the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, has not publicly directed any HIPAA enforcement activities against the lab.
"Legally and ethically, LabMD needs to do whatever it can to protect the data," Walsh says. "Realistically, you cannot squeeze blood out of a turnip. If the company is out of business, how can it pay for data protection in the years ahead?"