Court Allows FTC To Continue Enforcement Action Against LabMD
January 27, 2015 in News
Last week, the 11th U.S. Circuit Court of Appeals dismissed a challenge by LabMD, a cancer-detection services company, to block the Federal Trade Commission’s enforcement action against the company for an alleged health data breach, Health IT Security reports (Snell, Health IT Security, 1/23).
In 2013, FTC filed a complaint against LabMD for two privacy breaches in 2008 and 2012 that affected about 10,000 patients.
In the complaint, FTC wrote that LabMD’s “failure to employ reasonable and appropriate measures to prevent unauthorized access to personal information” violated the agency’s regulations (iHealthBeat, 6/18/14). In response, LabMD argued that FTC’s enforcement action conflicts with health information security regulations under HIPAA, adding that FTC was practicing an “extralegal abuse of government power,” but FTC ruled 4-0 to reject LabMD’s claims.
In March 2014, LabMD filed a lawsuit challenging the agency’s regulatory authority over health data security laws and asked the court to issue a preliminary injunction to block FTC’s enforcement action (iHealthBeat, 3/26/14).
The lower court denied LabMD’s motion, at which point the company appealed to the 11th Circuit Court (National Law Review, 1/22).
However, FTC in June 2014 halted its administrative trial examining the data security practices of LabMD after the House Committee on Oversight and Government Reform notified the agency that Tiversa, a peer-to-peer intelligence and security services firm, might have given inaccurate or untruthful information.
Tiversa told FTC that in 2008 it found a LabMD spreadsheet containing the insurance billing data of 9,000 consumers on an unsecured peer-to-peer network. A second data breach in 2012 brought the number of affected patients to 10,000.
In a June 2014 letter to FTC Chair Edith Ramirez, House Committee on Oversight and Government Reform Chair Darrell Issa (R-Calif.) wrote that “information the committee recently obtained indicates that testimony company officials provided to federal government entities may not be truthful” (iHealthBeat, 6/18/14).
Details of Ruling
Last week, the 11th Circuit rejected LabMD’s motion.
In its ruling, the court said that LabMD must use all administrative remedies available before petitioning the court to weigh in on FTC’s authority (Pedulli, Clinical Innovation Technology, 1/23).
As a result of the decision, FTC can continue with its enforcement action against LabMD (Health IT Security, 1/23).
However, the 11th Circuit in its ruling did not address whether FTC has the authority to regulate protected health data. The court noted that it will not do so until after LabMD finishes the FTC administrative hearing process.
According to the National Law Review, the case is important because FTC in recent years has brought enforcement actions against several companies for data breaches, even though the FTC Act does not specifically address requirements for maintaining the privacy of health data (National Law Review, 1/22).
According to Health IT Security, the case could potentially help the health care industry by clarifying which entities FTC has jurisdiction over and what data security standards those entities must follow (Health IT Security, 1/23).