HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority

HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority | LabMD Case

On August 29, 2013, The Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc. alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information.

Less than six months later, in a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter.   The company has decided to wind down operations according to its press release dated January 28, 2014, entitled FTC ACTIONS FORCE LABMD TO WIND DOWN OPERATIONS.

Here’s today’s big RISK ANALYSIS TIP – Complete Analysis of All Other Potential Sources of Risk and Liability

I spoke to Mr. Daugherty on Saturday, February 1^st about the FTC actions and his plans.  He recently wrote a book entitled “The Devil Inside the Beltway”.  The book tells the story of LabMD’s journey through the FTC process and exposes a systematic and alarming investigation by one of the US Government’s most important agencies.  Mr. Daugherty has indicated that, at least in the short term, he plans to speak out publicly on his ordeal and write additional books that are aimed at helping other small business from experiencing what LabMD experienced.

The original complaint alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.

The case is part of an ongoing effort by the Commission to ensure that companies take reasonable and appropriate measures to protect consumers’ personal data.  Many argue, including LabMD, that the FTC is overstepping its bounds and becoming hyper-vigilant in the absence of specific rules and regulations around data security.  I asked Mr. Daugherty to comment and he provided the following statement:

“The biggest  issue is that we did all this and it didn’t matter one bit.  There are no standards or rules and the FTC argues they don’t need any. Their efforts are a waste as Snowden walked out with a thumb drive. 

The FTC does not know nor can they prove if or where our file got out or else they are refusing to tell us. Hindsight is always 20/20. P2P risks were not widely known in 2008 and millions of files leaked as late as 2009  per congressional testimony. This is a story about doing it right and still getting screwed.  Many vulnerabilities today are unknown and in 2018 the FTC will say you should have known them based on their term “reasonably foreseeable”. 

We believe in knowledgable power, not compliance by fear.” 

The Biggest Lesson Learned: Complete Analysis of All Other Potential Sources of Risk and Liability

HIPAA Covered Entities and Business Associates need to consider all their sources of risks and liabilities as it relates to safeguarding all sensitive information whether it is Protected Health Information (PHI) or any other Personally Identifiable Information (PII).  For example, in addition to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) enforcement actions, it is important to ask these kinds of questions:

1. Do you have compliance obligations that overlap with HIPAA Privacy, Security and Breach Notification Rules such as Meaningful Use Attestation? CMS or Insurance Exchange privacy requirements?
2. Do you handle any “super PHI” (e.g., Drug and Alcohol addiction, STD,Psychotherapy notes and is it subject to even more stringent requirements?
3. Are you subject to a whistleblower filing a complaint under the False Claim Act?
4. Have you completed pre-emption analyses for all states / jurisdiction in which you operate?
5. Are you compliant with all applicable state breach notification laws?
6. Are you or your colleagues subject to sanctions under professional ethics provisions of your associations or other affiliations?
7. If your company a publicly traded organization subject to reporting and disclosure requirements by the Securities and Exchange Commission (SEC), are you meeting those requirements?
8. Could you be liable for enforcement action by the Federal Trade Commission (FTC) for unfair or deceptive practices under Section 5 of the FTC Act?
9. Is your State Attorney General active in enforcement of state and federal Privacy and Security regulations?

• About
• Latest Posts

Bob Chaput

CEO at Clearwater Compliance

Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.

Latest posts by Bob Chaput (see all)

• HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
• HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
• HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017