HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority | LabMD Case
On August 29, 2013, the Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc., alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information.
Less than six months later, in a letter dated January 6, 2014, LabMD president Michael Daugherty informed the company’s customers and workforce that the laboratory would no longer accept new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. In a press release dated January 28, 2014, entitled FTC ACTIONS FORCE LABMD TO WIND DOWN OPERATIONS, the company announced that it had decided to wind down operations.
I spoke to Mr. Daugherty on Saturday, February 1st, about the FTC actions and his plans. He recently wrote a book, “The Devil Inside the Beltway”, telling the story of LabMD’s journey through the FTC process. The book exposes a systematic and alarming investigation by one of the US Government’s most important agencies. Mr. Daugherty indicated he plans to speak out publicly on his ordeal and write additional books to help other small businesses avoid LabMD’s experience.
The original complaint alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and that, in 2012, LabMD documents containing sensitive personal information of more than 500 consumers were found in the hands of identity thieves.
The case is part of an ongoing effort by the Commission to ensure companies take reasonable and appropriate measures to protect consumers’ personal data. Many, including LabMD, argue that the FTC is overstepping its bounds and becoming hyper-vigilant in the absence of any FTC regulations that define what data security is required.
Mr. Daugherty responded, “The FTC does not know, nor can they prove, if or where our file got out, or else they are refusing to tell us.” He had further comments on what kind of P2P protections were available at the time in question. “Hindsight is always 20/20. P2P risks were not widely known in 2008 and millions of files leaked as late as 2009 per congressional testimony. This is a story about doing it right and still getting screwed. Many vulnerabilities today are unknown and in 2018 the FTC will say you should have known them based on their term ‘reasonably foreseeable’. We believe in knowledgeable power, not compliance by fear.”
The Biggest Lesson Learned: Covered Entities and Business Associates Need to Identify and Manage Risk Related to Any Personally Identifiable Information Stored, Maintained or Transferred
HIPAA Covered Entities and Business Associates need to consider all sources of risk and liability related to safeguarding sensitive information, whether it is Protected Health Information (PHI) or any other Personally Identifiable Information (PII). Any such information that is stored, maintained or transferred is at risk, and, as the LabMD case shows, enforcement can come from agencies other than HHS/OCR. To identify potential liabilities and put an effective risk management plan in place, it is important to ask the following kinds of questions:
- Do you have compliance obligations which overlap with HIPAA Privacy, Security and Breach Notification Rules such as Meaningful Use Attestation, or CMS or Insurance Exchange privacy requirements?
- Do you handle any “super PHI” (e.g., drug and alcohol addiction, STD, psychotherapy notes) which is subject to even more stringent requirements?
- If your company is a publicly traded organization, is the company meeting Securities and Exchange Commission (SEC) requirements?
- Could you be liable for enforcement action by the Federal Trade Commission (FTC) for unfair or deceptive practices under Section 5 of the FTC Act?
- Is your State Attorney General active in enforcement of state and federal Privacy and Security regulations?
- Could a whistleblower file a complaint against you under the False Claims Act?
- Have you completed pre-emption analyses for all states / jurisdictions in which you operate?
- Are you compliant with all applicable state breach notification laws?
- Are you or your colleagues subject to sanctions under professional ethics provisions of your associations or other affiliations?
By Bob Chaput