Is the Federal Trade Commission (FTC) – the agency that is supposed to protect consumers from unfair business practices – itself engaging in unfair practices in its treatment of LabMD? Who protects us from over-zealous regulators?
Back in the Day
In the second half of the last decade, we all began hearing more reports of inadvertent exposure of consumer and patient data via P2P file-sharing errors. And like hundreds of other entities, LabMD, a small cancer diagnostic laboratory in Georgia, discovered that despite its security program and efforts, some patient information was exposed because an employee violated policy and installed a file-sharing program on her workstation. LabMD learned of the exposure in May 2008, when it was contacted by Tiversa. At the time, Tiversa was engaged in federally supported research with Eric Johnson of Dartmouth College on P2P exposures and was scouring the Internet using sophisticated software to uncover exposed files.
What happened next is partly in dispute, although LabMD reports that Tiversa offered to remediate the problem they had reportedly found if LabMD hired them, which LabMD declined to do. LabMD claims that Tiversa never gave them detailed information about what they found and where they found it, even though LabMD requested the information. It was only years later, in Tiversa’s first amended complaint in a defamation lawsuit it filed against LabMD, that LabMD learned:
The File was not downloaded by Tiversa from a LabMD computer. Instead, the first time Tiversa downloaded the File was from a computer located in San Diego. Thereafter, as part of its services for various clients, Tiversa downloaded the File three additional times from computers located in Arizona, Costa Rica, and London.
It’s not clear, however, what information about the file and their findings Tiversa provided to the FTC or when they may have provided it. All the public knew was that in 2009, the Dartmouth study was released, and media references all mentioned a “1,718” file. The media reports did not name LabMD as the source of the file, but it was their file that was often cited as an example of P2P problems, despite the fact that there seemed to be many bigger and even more concerning incidents. For example, Computerworld reported at the time about Eric Johnson’s research:
Nor did he [Johnson] need to ransack a health care facility to lay his hands on more than 350MB of sensitive patient data for a group of anesthesiologists or to get a spreadsheet with 82 fields of information on more than 20,000 patients belonging to a health system.
What anesthesiology group was that, and what health system? Did the FTC ever investigate them or file a complaint against them over their data security? According to other media reports, the health system’s spreadsheets included patients’ Social Security numbers, contact details, insurance records, and diagnosis information. That sounds like more than what was involved in the LabMD exposed file.
So why did the FTC go after LabMD and not other health care entities that exposed protected health information (PHI)?
And should they have gone after any HIPAA-covered entities at all?
Where’s the Fair Notice?
The issue of fair notice has been raised by both Wyndham and LabMD in their cases. I’m only going to focus on the LabMD case, where I don’t think there was any notice at all for HIPAA-covered entities, much less “fair notice” as to what standards the FTC was using in 2008 or before the time of LabMD’s P2P incident.
How many HIPAA-covered entities knew in 2008 that we were also required to comply with the FTC Act? I certainly didn’t know. Did you? Indeed, when I recently searched a number of websites that offer advice to medical/health care entities about compliance with the law, not one of them mentioned the FTC Act prior to 2008. They all talked about HIPAA but made no mention of the FTC Act. And when my lawyer sent me forms and materials to help me comply with federal and state laws, he didn’t mention the FTC Act, either. If those with expertise on compliance for health care sector entities did not even mention the FTC Act, it’s possible (likely?) that even the experts didn’t realize that the FTC would claim authority to enforce data security for HIPAA-covered entities.
So between 1996 and early 2009, when the FTC announced a settlement with CVS, I had no idea that my data security for patient data might be reviewable by the FTC. But even when the FTC announced the CVS settlement and then later, another settlement with Rite Aid, I still wasn’t particularly concerned because in both those cases, there had been violations of HIPAA that HHS had taken enforcement action over. Never did I envision that the FTC might go after a HIPAA-covered entity when HHS didn’t see a problem. And if I didn’t know that as a conscientious practitioner, I can easily believe that other HIPAA-covered entities had no idea, either. Why did no one ever tell us?
I realize there are those who might say that it’s on us to know that we are covered by the FTC Act. And in the FTC’s filings in the LabMD case, they claim that they had been warning entities since 2005 about the risks of P2P, although their first actual guidance, published on their site, is copyrighted 2010, years after LabMD’s incident. But even if they did publish anything — and this week’s ALJ order should now permit LabMD to depose the Deputy Director of the Consumer Protection Bureau on data security standards FTC employed from 2005 – 2010 — how would a HIPAA-covered entity be expected to know in May 2008 that they were subject to FTC data security enforcement? Why would a HIPAA-covered entity even be reading the FTC’s publications if we had no knowledge that the FTC Act applied to us at all?
Is it fair to hold an entity responsible for compliance with a law that HIPAA-covered entities didn’t even know applied to us? I don’t think so.
Is it fair to hold an entity responsible for complying with a law when neither Congress, nor HHS, nor the FTC had previously made explicitly clear that FTC’s authority to enforce data security standards applies to HIPAA-covered entities? I don’t think so.
I don’t challenge or disagree with the FTC’s position that the FTC Act and HIPAA/HITECH can be implemented and enforced in a complementary way. Nor do I challenge their discretion to decide what cases to pursue and what cases not to pursue (although clearly I think they would be well-advised to let me guide them on what breaches they should pursue!). I do, however, challenge any claims that HIPAA-covered entities should have known about the FTC’s authority to enforce data security and what the FTC might consider reasonable and commercially available security prior to any clear statement from the agency, Congress, or HHS asserting and explaining the scope of their authority.
Refusal to Cave Costs LabMD Their Business
Rather than comply with what it considered unwarranted and unreasonable demands, LabMD decided to fight the FTC. The FTC action resulted in them losing their insurance, incurring approximately $500,000 in costs (so far), and ultimately, losing their business under the crushing burden of the litigation.
Is it good for patient privacy and data security to have a lab that HHS never investigated – because there was no reportable breach and HHS received no complaints about the incident – fold under the extraordinary financial burden of an FTC investigation? I don’t see how. Yes, the second data security incident involving LabMD day sheets may have been associated with consumer/patient harm if the information was used for identity theft or fraud, but unless the FTC plans to investigate tons of cases where copies of paper records with PII or PHI are found in possession of criminals, what was and is the point of its investigation and complaint against LabMD – a process that it initiated well before it even knew about the day sheets incident?
Where Do We Go From Here?
Every day, and as analyses of data breaches confirm, human beings screw up. Personal information is exposed, and in some cases, misused to the harm of consumers or patients. But should every human error put an entity at risk of costly litigation or a 20-year compliance plan? Where do we draw the line? Where does the FTC draw its lines?
Even if FTC were to drop its complaint against LabMD – and in the interests of genuine fairness, I think it should – LabMD has already been destroyed. Sadly, the agency tasked with preventing unfair practices has itself seemingly engaged in unfair practices here. How can the business they have harmed be made whole again if objective people look at the situation as it was in 2008 and agree that there was no fair notice, no harm reported by patients, and that LabMD’s data security program and policies were consistent with standard practice for that time and type of organization?
If the FTC doesn’t drop its litigation and LabMD prevails in the administrative complaint, the FTC will likely find itself with more entities who refuse to settle complaints. And if LabMD prevails in its lawsuit against the FTC in federal court in Georgia, that will be even worse for the FTC. Although the FTC survived Wyndham’s motion to dismiss, the Wyndham case has a long way to go, and the FTC is on much shakier ground, I think, in the LabMD case.
What’s that adage about hard cases making bad law? In my opinion, FTC’s action against LabMD was a poor decision on its part. I wish they would just step up to the plate and acknowledge that. And then, perhaps, we can have a conversation between the FTC and stakeholders about where the FTC can and should go from here on enforcing data security so that it does protect patients more from unfair and/or deceptive practices.
And I would be happy to collaborate with them on developing guidance for solo practitioners like myself, who generally do not have the IT staff or resources of larger organizations. What does the FTC expect from us? How can we be confident we are complying with the FTC Act if being in compliance with HIPAA and HITECH may not be enough to protect us from an FTC enforcement action?