Latest Legal Twists in FTC, LabMD Saga

Two Recent Rulings Potentially Affect FTC Trial Proceedings

Two recent legal decisions added more twists and turns in the ongoing battle between the Federal Trade Commission and LabMD over the medical test lab's alleged data security practices.


An evidentiary hearing - also called an FTC administrative trial - that began on May 20 but has been on hold since June isn't likely to resume until sometime in October at the earliest, based on a ruling last week by an FTC administrative judge. The evidentiary hearing was slated to consider issues such as whether the FTC should move forward with an enforcement order against LabMD related to the lab's data security practices.

The judge ruled that the House Committee on Oversight and Government Reform, which is on recess until Sept. 1, has until Oct. 1 to decide whether to grant immunity to a key witness in the FTC case against LabMD (see Examining FTC Data Security Enforcement).

The witness is a former employee of Tiversa, the Pittsburgh-based data security firm that in 2008 allegedly found a LabMD spreadsheet containing insurance billing information for 9,000 individuals on a peer-to-peer network. The witness provided information to the House committee at an earlier closed session about the security firm's business practices.

The FTC judge ruled that if the House Oversight Committee does not grant immunity to the Tiversa witness for the FTC case, LabMD then has up to five additional days to request immunity for the witness under the FTC's "rule 3.39."

The FTC had filed court documents on Aug. 5 pushing to resume the evidentiary hearing sooner. The evidentiary hearing had been on hold since June while the Oversight Committee decides whether to grant immunity to the Tiversa witness (see LabMD Seeks Sanctions Against FTC).

Appeals Court Ruling

Meanwhile, the Eleventh Circuit appeals court has agreed to hear oral arguments related to an earlier federal court decision in the LabMD dispute.

In May, Judge William Duffey of the U.S. District Court for the Northern District of Georgia, Atlanta division, had dismissed two LabMD motions: to have the FTC's administrative action against the former lab tossed out, and to stop the FTC evidentiary hearing about LabMD's data security practices from starting on May 20.

Duffey's decision said that the federal court didn't have jurisdiction to stop the FTC evidentiary hearing, and that LabMD would need to wait until after the completion of that hearing and a decision by the FTC court before the lab could appeal to a federal court.

But the appeals court "is going to look at Judge Duffey's decision that [said] he can't rule yet ... and decide if they agree or not," LabMD CEO Michael Daugherty tells Information Security Media Group.



Due to court backlogs, it could take up to one year for the court of appeals to hear oral arguments, Daugherty says, and by that time, the FTC evidentiary hearing could be over. However, Daugherty hopes that won't be the case. "I don't expect the trial to restart for a long time ... if ever," he says.

The Dispute

The legal dispute centers on a complaint filed by the FTC against LabMD last August, alleging the Atlanta-based lab firm failed to protect consumer health data in two separate incidents - one in 2008 and another in 2012. FTC alleges the incidents - including the one supposedly discovered by Tiversa - collectively exposed the personal information of approximately 10,000 consumers (see LabMD CEO Describes His Beef With FTC). Daugherty has argued that the FTC is overstepping its authority in the investigation.

The commission had proposed an order against LabMD that would "require the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."

LabMD shut down its operations earlier this year citing the ongoing battle with FTC and the resources the legal fight required (see Lab Shutting Down In Wake of FTC Case).

An FTC spokesman tells ISMG that the commission has no comment on the latest court developments in the case.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



