A small diagnostics company in Georgia is challenging the Federal Trade Commission’s authority to regulate health data breaches in a dispute that could shape the future of federal health privacy regulation.
In 2008, Atlanta-based LabMD was contacted by an IT security firm, Tiversa, which said it had accessed the lab's billing information online after an employee, in violation of company policy, used the peer-to-peer file-sharing software Limewire on a company computer to listen to music.
Tiversa told LabMD it had obtained, through Limewire, a file containing the personal data of about 9,300 LabMD customers, including their Social Security numbers, and then sought a service agreement with the lab, according to LabMD's court filings.
When LabMD turned down that offer, the company maintains that Pittsburgh-based Tiversa brought the file to the FTC, which has been investigating the incident ever since and, after failing to secure a consent agreement with the lab, launched an administrative complaint in August.
While the FTC has not alleged wrongdoing, the agency maintains that LabMD had “fundamental, systemic security failures that put at risk consumers’ sensitive personal and health information,” with the information of about 500 customers later found in the hands of identity thieves in Sacramento, California.
LabMD leaders say they corrected the initial problem, Limewire running on an employee's computer, and have cooperated with many of the FTC's information requests, but they are now trying to end the investigation: they recently asked an administrative law judge to invalidate 35 subpoenas the FTC issued for documents and testimony from current and former LabMD employees, clients and IT providers.
“From the outset of the FTC’s investigation, the Commission has exerted authority it does not have to punish a business that has done nothing wrong,” said Dan Epstein, executive director of Cause of Action, a nonprofit representing LabMD that “fights to protect economic opportunity when federal regulations, spending and cronyism threaten it.”
Cause of Action and LabMD argue that Congress authorized only one agency, the Department of Health and Human Services, to regulate personal health information, and that Section 5 of the FTC Act, covering “unfair acts and practices,” does not apply to patient health data.
“No court has ever said that Section 5 authorizes the FTC to regulate patient information data-security practices, or any other data-security practices, for that matter,” said Reed Rubinstein, Cause of Action’s litigation VP and a lawyer with the firm Dinsmore & Shohl. “Despite the Commission’s repeated requests, Congress has refused to confer upon the FTC jurisdiction over such data-security cases,” Rubinstein said.
In response, FTC lawyers argue that LabMD's apparent breach “fits squarely within” the agency's “broad mandate.” They also note that the FTC has brought close to 50 data security cases against companies since 2000, 18 of them alleging unreasonable security practices as unfair under Section 5 of the FTC Act.
“It is true that the statute does not specifically mention data security,” but it also does not specifically mention other consumer issues that the agency has long pursued under Section 5, including online check drafting, the sale of telephone records, breach of contract and telephone billing, FTC lawyers wrote.
And, they added, neither HIPAA nor HITECH gives HHS exclusive authority to ensure the security of consumers' health information. “Rather, the statutory framework provides the FTC and HHS with concurrent and complementary jurisdiction to protect consumers’ sensitive health information.”
As part of its initial complaint, the FTC is asking LabMD to agree to implement a comprehensive information security program that would be evaluated by a certified third party every two years for the next two decades — a proposal that LabMD leaders have turned down and described as overly onerous.
How judges rule in the case could affect the FTC's online consumer protection agenda, at a time when digital consumer information proliferates through e-commerce and healthcare organizations adopt digital records as the norm. Another company, Wyndham Hotels, is also challenging the FTC's authority to regulate data security, after Russian hackers allegedly accessed the hotel chain's customers' credit and debit card numbers.
A paring back of the FTC's ability to police digital health data security, though, would not necessarily leave consumers unprotected, since HHS's Office for Civil Rights has been levying fines for data breaches large and small.