LabMD’s Win Over The FTC Is Short Lived

Written by: Richard Sheinis, Esq. 

On July 29, 2016, the Federal Trade Commission issued an Opinion and final Order reversing the decision by an Administrative Law Judge (ALJ) that had dismissed FTC charges against medical testing laboratory LabMD, Inc.  The Commission concluded that LabMD’s data security practices were unreasonable and constituted an unfair trade practice that violated Section 5 of the Federal Trade Commission Act.

LabMD operated a clinical lab for physicians.  The now lengthy history of this case, well known to privacy professionals, involved the FTC alleging that LabMD’s computer data security practices were so poor that they allowed sensitive personal information of approximately 9,300 patients to be accessible to millions of users on a peer-to-peer network.  Among other data security deficiencies, for over 5 years LabMD did not monitor traffic crossing its firewalls, did not have a monitoring or intrusion detection system, failed to provide data security training to its staff, and did not update its software to protect against known vulnerabilities.

A LabMD billing manager downloaded the file sharing program LimeWire onto a LabMD computer.  As a result, a file containing sensitive personal information of approximately 9,300 patients became available for sharing and downloading by other users of LimeWire.  Once this information was exposed, LabMD never notified the affected patients that their personal information had been disclosed.

The ALJ dismissed the complaint against LabMD after finding that LabMD’s data security practices were not likely to cause substantial harm to the patients, which is one of the requirements for an unfair practice under Section 5(n) of the FTC Act.  The ALJ stated that, at best, the FTC had proven the “possibility” of harm, but not a probability or likelihood of injury.  The FTC disagreed.  The Commission found that the ALJ had applied too strict an interpretation of “likely to cause substantial injury”.  The FTC stated that the likelihood of harm must be evaluated together with the severity or magnitude of the harm involved.  A practice might therefore be unfair if the magnitude of the potential injury is large, even if the likelihood of the harm occurring is low.

The FTC also rejected LabMD’s argument that the prohibition against unfair practices was so vague that it did not provide sufficient notice of the conduct that was prohibited.  The Commission stated that LabMD was well aware of its security failures, and that those practices were similar to the ones for which the FTC has taken action against other companies.

As a result of the ruling, LabMD must establish a comprehensive information security program, and must obtain periodic, independent, third-party assessments of its program.  It must also notify the affected patients.  LabMD now has 60 days to appeal the Commission’s Order to the U.S. Court of Appeals.  I will let you know if LabMD appeals.  They have taken it this far, so if I were a betting man, I would bet that they appeal.  In any event, expect to hear from me again in 60 days!
