DataBreaches.Net


FTC denies LabMD’s application for a stay of Commission’s Final Order

Posted on September 29, 2016 by Dissent

In what is likely to infuriate those who believe that the Federal Trade Commission has already abused its authority in its relentless enforcement action against a small cancer-detecting laboratory, the FTC has denied LabMD’s application for a stay of their final order while LabMD appeals to a federal court.

In explaining its denial, the Commission said it looked at four factors:

(1) “the likelihood of the applicant’s success on appeal”; (2) “whether the applicant will suffer irreparable harm if a stay is not granted”; (3) “the degree of injury to other parties if a stay is granted”; and (4) the public interest. It is the applicant’s burden to establish that a stay is warranted. Toys “R” Us, Inc., 126 F.T.C. 695, 698 (1998).

Because the Commission believes it is right, it fails to see LabMD’s chances of success on appeal. If they didn’t believe they were right, they never would have issued their final decision and order, right? So the first factor is somewhat ridiculous and boils down to, “We thought we were right, we think we are right, and therefore, LabMD has no real chance of winning an appeal against us.”

On the second factor, that the Commission failed to see “irreparable harm” given the cost of notifications and implementing the comprehensive data security plan is…. shocking.

As to the degree of injury to other parties if the stay is granted, given that the FTC never bothered to contact even a single patient to inquire whether there had been any harm, the following borders on the obscene:

Because LabMD never notified any affected consumers of the breach, we do not know how many consumers may have suffered harm due, for example, to identity or medical identity theft.

But they could have known – and chose not to find out.

Keep in mind that as HHS spokesperson Rachel Seeger wrote to this blogger, HHS not only declined to join FTC in any action against LabMD, but this wasn’t even a reportable breach under HIPAA in 2008. There was no requirement for LabMD to notify anyone. So they didn’t and the FTC never did, and now the FTC would require LabMD to notify eight years later but it can’t wait for an appeal to a court?

Without notification, affected consumers and their insurance companies can do little to reduce the risk of harm from identity and medical identity theft or to address harms that may already have occurred.

They are, of course, referring to the “risk of harm” that they decided was substantial, even though there was no evidence of any harm to any person. Nor did they provide controlled and replicated research demonstrating that simply having data exposed causes substantial injury to consumers. If we ask people, “How do you feel that your lab test results were exposed and others could have downloaded them?” I hypothesize that many people would say they would be unhappy about that. But if we ask them, “Do you feel you have been harmed by that exposure?” I suspect that the vast majority would say that they had not been harmed at all, much less substantially harmed. Would even a few people claim significant harm? It’s an empirical question, and FTC provided no evidence on that point.

As for the fourth, and “public interest” factor, I think the public’s interest is in getting the FTC’s authority and the notice issues clarified by the courts, and the denial of the stay is just another poor decision in a long chain of poor decisions in this case.

Related:

FTC v. LabMD (FTC’s case files)

 

 



4 thoughts on “FTC denies LabMD’s application for a stay of Commission’s Final Order”

  1. Anonymous says:
    September 30, 2016 at 12:13 am

    Those are the same four factors used by courts to determine whether a stay is warranted. So… I’d suggest you don’t really know what you’re talking about.

    1. Dissent says:
      September 30, 2016 at 12:34 am

      Nowhere in the post did I criticize their use of the four factors. I criticized their findings with respect to each of the factors.

      So…. I’d suggest you either don’t know what you’re talking about or you have a reading comprehension problem.

      1. Regret says:
        September 30, 2016 at 3:04 pm

        And your criticisms are right on. Having to appeal an administrative ruling within the administrative body that made the ruling is like having a prosecutor deciding whether to hear a criminal appeal rather than a judge.

        There may be a silver lining in this case: if they have exhausted all of the remedies within the administrative appeals process, they now may be able to get an actual court involved.

        1. Dissent says:
          September 30, 2016 at 4:41 pm

          LabMD has now filed in the Court of Appeals for the Eleventh Circuit, seeking review of FTC v. LabMD. Their filing is 319 pages, including the exhibits. I am debating uploading it, but may wait to see if FTC uploads it to their case files to save space/money here.

          At the lower, district court level (Georgia), the judge had been somewhat sympathetic to some of LabMD’s arguments, but had to dismiss because LabMD hadn’t exhausted administrative remedies. Now they have. I really want to see what a court does with the notice issue. That’s been bugging me since the git-go on this case. That and how the FTC applied the “substantial injury” provision.

          Elsewhere, LabMD is still in litigation in Pennsylvania vs. Robert Boback, former CEO of Tiversa, who I expect is going to get indicted at some point by DOJ for lying to Congress and the FTC (based on former employee’s testimony). They’re also in litigation against some of the FTC complaint counsel.

          And Congress isn’t done with this whole mess yet.

          This case has been a mess.

          You know that there’s now a made-for-TV thing about this whole govt over-reach issue, based on the LabMD case, with Mike Daugherty involved with it?

          Oh wait… according to that anonymous commenter, I don’t know what I’m talking about. Forget everything I’ve said. 🙂
