Over on HIPAA, HITECH, and HIT, Elizabeth Litten comments on FTC’s administrative case against LabMD, a case I’ve been following here for the past few years. After recapping the case, she writes:
This case isn’t over, and it remains to be seen whether [Administrative Law Judge] Chappell will find the witness’s testimony credible and/or relevant to a finding that LabMD violated Section 5. It also remains to be seen whether the FTC and Tiversa will end up looking like cyber-sleuths out to uncover, and protect the public from, lax security practices, or will look more like cyber-thieves grasping for money, power, publicity or something else. Either way, this case is ugly and certainly does not create a high level of confidence in the cyber-security investigation and enforcement tactics utilized by the FTC.
Read her full column on HIPAA, HITECH, and HIT.
Have I not been saying all along that even if FTC could go after LabMD, I did not think this was a good use of their resources? And have I not been saying all along that this case strikes me as somewhat unfair to LabMD whose security – other than an employee not following policy (which still happens ALL the time) – was on a par with other HIPAA-covered entities’ data security back in 2008? If HIPAA decided not to go after LabMD for violations of its Security Rule, should FTC being take a sledgehammer to LabMD?
There are those who will claim that the only reason the FTC went after LabMD was because LabMD didn’t play the game and cooperate by jumping at every request and turning over thousands of pages of documents. But when all is said and done, does this action by the FTC do a damned thing to protect consumers? I think not, and can think of a lot of serious cases in the healthcare sector that the FTC should pursue – like a breach where patients weren’t even notified that their SSN and details were available for free download on Pirate Bay.
The FTC has done tremendous yeoman service in protecting consumers’ privacy, but sadly, not in this case.