Earlier this week an administrative law judge dismissed the Federal Trade Commission's (FTC) case against LabMD over an alleged health data breach.
The FTC alleged that LabMD “failed to reasonably protect the security of consumers’ personal data, including medical information” in two separate incidents.
The original complaint stated that LabMD billing information for 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network.
The complaint also stated that, in a separate incident, LabMD documents containing sensitive personal information of at least 500 consumers were found in the possession of identity thieves.
Specifically, the FTC alleged that LabMD:
- did not implement or maintain a comprehensive data security program to protect this information;
- did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
- did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
- did not adequately train employees on basic security practices;
- did not use readily available measures to prevent and detect unauthorized access to personal information.
However, Judge Michael Chappell explained in his decision that FTC “failed to carry its burden of proving its theory that [LabMD’s] alleged failure to employ reasonable data security constitutes an unfair trade practice because [FTC] has failed to prove the first prong of the three-part test – that this alleged unreasonable conduct caused or is likely to cause substantial injury to consumers.”
The judge also found that the FTC failed to show that the exposure of those documents was connected in any way to a failure by LabMD to "reasonably protect data maintained on its computer network"; it was not even proven that the documents had been maintained on, or taken from, that network.
Chappell also pointed to the three-part test in Section 5(n) of the FTC Act, which states that "[t]he Commission shall have no authority to declare unlawful an act or practice on the grounds that such act or practice is unfair" unless all three of the following conditions are met:
- the act or practice causes or is likely to cause substantial injury to consumers;
- the injury is not reasonably avoidable by consumers themselves; and
- the injury is not outweighed by countervailing benefits to consumers or to competition.
Overall, Chappell wrote that the FTC had not proven any "probability" that a health data breach would occur as a result of LabMD's conduct:
To impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical “risk” of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of “likely” substantial consumer injury.
At best, Complaint Counsel has proven the “possibility” of harm, but not any “probability” or likelihood of harm.
As previously reported by HealthITSecurity.com, a key issue in the LabMD case was whether the FTC had the authority to determine that a healthcare organization has failed to implement “reasonable” data security safeguards through Section 5 of the FTC Act.
“All Americans should be outraged by the FTC’s unchecked ability to pursue a claim that is not based on any legal standard,” LabMD CEO Michael Daugherty said in testimony before the committee in July 2014. “If this can happen to LabMD, a cancer detection center, this can happen to anyone. This does nothing to help the constantly-changing cybersecurity landscape.”