DataBreaches.Net


No southern comfort for the FTC in a Georgia federal court?

Posted on May 12, 2014 by Dissent

If federal judge William S. Duffey, Jr. in the Northern District of Georgia decides his court has jurisdiction to hear LabMD’s challenge to the FTC’s authority to enforce data security for HIPAA-covered entities, the FTC may be in for a bumpy ride.

In a hearing on May 7, Judge Duffey noted how burdensome consent orders with 20-year monitoring can be, and said that if that was the FTC’s opening salvo or offer to LabMD, he could understand why LabMD would view it as unreasonable and how the proceedings had become so acrimonious. From a copy of the transcript, obtained by PHIprivacy.net:

And, Mr. Gorji, if you submitted to them a consent order — and I’m not going to consider that; I don’t think it’s important — but it does tell me something about your agency if you say we want twenty years’ worth of monitoring and even suggested that was reasonable concerning this company. No wonder you can’t get this resolved, because if that’s the opening salvo, even I would be outraged, or at least I wouldn’t be very receptive to it if that’s the opening bid.

I don’t think you believe that this is a company that willy-nilly allows information to be disclosed. I also believe that you don’t think, if you remove yourself from the nits and gnats of this dispute, that you would say it was a good idea to make this provider unavailable to patients.

There aren’t that many people doing this work as it is. I have another case involving cancer detection processes, and so I know just a little bit about the industry, and one of the regrets of the industry is that there are so few people providing these services. And I think in the current healthcare environment, there will be fewer.

It doesn’t serve any of us very well. Some day you are going to need one of those services. I hope it’s available.

You have been completely unreasonable about this. And even today you are not willing to accept any responsibility that whatever needs to be done, even if you can’t confirm it, that your position is going to be a litigating position, and you will drag four lawyers to a hearing like this.

But it was a subsequent statement he made that I think suggests not just some empathy for LabMD, but support for any claim that there was no fair notice. In response to a LabMD expert’s testimony disagreeing with an FTC expert’s statement, Judge Duffey said to DOJ lawyers:

All I hear him [Cliff Baker] saying is that he doesn’t like your expert’s report and he would have done something differently and he’s claimed that HIPAA is what should be, because there are specific standards there — I think that you will admit that there are no security standards from the FTC. You kind of take them as they come and decide whether somebody’s practices were or were not within what’s permissible from your eyes.

I too find how does any company in the United States operate when they are trying to focus on what HIPAA requires and to have some other agency parachute in and say, well, I know that’s what they require, but we require something different, and some company says, well, tell me exactly what we are supposed to do, and you say, well, all we can say is you are not supposed to do what you did.

And if you want to conform and protect people, you ought to give them some guidance as to what you do and do not expect, what is or is not required. You are a regulatory agency. I suspect you can do that.

But I think that’s what happens when you jump too quickly into something that you want to do, and whether that’s circumstances or whether that’s agency motivation, I don’t know. But it seems to me that it’s hard for a company that wants to — even a company who hires people from the outside and says what do we have to do, and they say you have to do this, but I can’t tell you what the FTC rules are because they have never told anybody.

Again, I think the public is served by guiding people beforehand rather than beating them after they — after-hand.

Of course, I realize that this is just a hearing, but there’s a lot more commentary by Judge Duffey that does not bode well for the FTC, including his incredulous response to an FTC lawyer whom he was questioning about the “day sheets” incident:

MR. SCHOSHINSKI: That evidence relates to the potential injury suffered by consumers as a result of exposure of this information.
THE COURT: Are you serious about that last response?
MR. SCHOSHINSKI: Yes, Your Honor, I am.
THE COURT: So you don’t know where the documents came from, you don’t know how these people got the possession of it, you don’t know whether they originated from LabMD or some other place, but you are going to use that to show that, because they committed identity theft, that certain individuals were damaged by documents, the source of which you don’t even know?
MR. SCHOSHINSKI: Yes, Your Honor.
THE COURT: Holy cow.

All in all, it did not appear to be a good day for the FTC, but however displeased Judge Duffey seemed with DOJ and their client, the FTC, he may still be persuaded by the government’s argument that he does not have jurisdiction to consider LabMD’s complaint.

Stay tuned…

Correction: In a previous version, Judge Duffey’s last name was spelled incorrectly. 

Updates: Minutes after publishing this, I learned that Judge Duffey dismissed LabMD’s complaint. Also, I have now uploaded a copy of the May 7 transcript referenced in this post, here (pdf).


Category: Health Data
