HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority | LabMD Case
On August 29, 2013, The Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc. alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information.
Less than six months later, in a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. The company has decided to wind down operations according to its press release dated January 28, 2014, entitled FTC ACTIONS FORCE LABMD TO WIND DOWN OPERATIONS.
Here’s today’s big RISK ANALYSIS TIP – Complete Analysis of All Other Potential Sources of Risk and Liability
I spoke to Mr. Daugherty on Saturday, February 1st about the FTC actions and his plans. He recently wrote a book entitled “The Devil Inside the Beltway”. The book tells the story of LabMD’s journey through the FTC process and exposes a systematic and alarming investigation by one of the US Government’s most important agencies. Mr. Daugherty has indicated that, at least in the short term, he plans to speak out publicly on his ordeal and write additional books aimed at helping other small businesses avoid what LabMD experienced.
The original complaint alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.
The case is part of an ongoing effort by the Commission to ensure that companies take reasonable and appropriate measures to protect consumers’ personal data. Many argue, including LabMD, that the FTC is overstepping its bounds and becoming hyper-vigilant in the absence of specific rules and regulations around data security. I asked Mr. Daugherty to comment and he provided the following statement:
“The biggest issue is that we did all this and it didn’t matter one bit. There are no standards or rules and the FTC argues they don’t need any. Their efforts are a waste as Snowden walked out with a thumb drive.
The FTC does not know nor can they prove if or where our file got out or else they are refusing to tell us. Hindsight is always 20/20. P2P risks were not widely known in 2008 and millions of files leaked as late as 2009 per congressional testimony. This is a story about doing it right and still getting screwed. Many vulnerabilities today are unknown and in 2018 the FTC will say you should have known them based on their term “reasonably foreseeable”.
We believe in knowledgeable power, not compliance by fear.”
The Biggest Lesson Learned: Complete Analysis of All Other Potential Sources of Risk and Liability
HIPAA Covered Entities and Business Associates need to consider all their sources of risk and liability as they relate to safeguarding all sensitive information, whether it is Protected Health Information (PHI) or any other Personally Identifiable Information (PII). For example, in addition to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) enforcement actions, it is important to ask these kinds of questions:
- Do you have compliance obligations that overlap with HIPAA Privacy, Security and Breach Notification Rules such as Meaningful Use Attestation? CMS or Insurance Exchange privacy requirements?
- Do you handle any “super PHI” (e.g., drug and alcohol addiction, STD, psychotherapy notes), and is it subject to even more stringent requirements?
- Are you subject to a whistleblower filing a complaint under the False Claims Act?
- Have you completed pre-emption analyses for all states / jurisdictions in which you operate?
- Are you compliant with all applicable state breach notification laws?
- Are you or your colleagues subject to sanctions under professional ethics provisions of your associations or other affiliations?
- If your company is a publicly traded organization subject to reporting and disclosure requirements by the Securities and Exchange Commission (SEC), are you meeting those requirements?
- Could you be liable for enforcement action by the Federal Trade Commission (FTC) for unfair or deceptive practices under Section 5 of the FTC Act?
- Is your State Attorney General active in enforcement of state and federal Privacy and Security regulations?
Risk Analysis Resources Are Available to You Now
Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™ – Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™ – Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Wanna be even more hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Attending a HIPAA Compliance BootCamp™
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: http://clearwaterc.wpengine.com/newsletters/
- Subscribing to our RSS feed: Clearwater HIPAA Compliance Blog
- Checking our company web site: http://clearwaterc.wpengine.com/
- Attending a HIPAA HITECH live webinar: http://clearwaterc.wpengine.com/webinars/upcoming-live-webinars/
- Viewing a pre-recorded webinar:
Bob Chaput