The Federal Trade Commission (FTC) will be able to proceed with its enforcement action against the testing laboratory LabMD for an alleged healthcare data breach that occurred a few years ago.
The original FTC complaint filed in 2013 stated that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers. Specifically, over 9,000 consumers’ billing information was found on a file-sharing network, according to the FTC. Then in 2012, “sensitive personal information” of approximately 500 LabMD consumers was found with identity thieves.
On that basis, the FTC alleged that LabMD failed to “reasonably protect the security of consumers’ personal data, including medical information,” according to the FTC website. Moreover, the FTC claimed that LabMD did not follow numerous privacy and security measures, including the following:
- did not implement or maintain a comprehensive data security program to protect this information;
- did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
- did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
- did not adequately train employees on basic security practices; and
- did not use readily available measures to prevent and detect unauthorized access to personal information.
Earlier this week, the Eleventh Circuit dismissed LabMD’s challenge to the FTC’s enforcement actions, according to a National Law Review report. The testing laboratory had tried to get the charges dismissed, claiming that the FTC did not have the necessary authority to regulate protected health information (PHI). However, as the news source pointed out, the Eleventh Circuit did not say whether or not the FTC could enforce healthcare privacy standards.
“Before a federal court will review the case, LabMD must first exhaust its administrative remedies, which means LabMD must first go through the FTC administrative hearing process until the FTC makes a final decision,” the National Law Review stated.
As previously reported on HealthITSecurity.com, this is a highly anticipated case because of its potential healthcare privacy and security implications. For example, the healthcare industry would benefit if the case clarified which entities the FTC believes fall under its jurisdiction, and whether that reaches beyond HIPAA covered entities. Additionally, it would help if the industry knew exactly what data security standards those entities are being held to.
“Alternatively, from a federal perspective, the argument could be made that, similar to HIPAA, if an organization already has a solid security program in place that it will simultaneously adhere to the FTC’s standards,” the article stated. “The confusion for some entities may lie in whether in complying with HIPAA they’re also meeting the FTC Act’s Section 5 requirements to be ‘reasonable’ with data security.”
This is not the only recent healthcare data breach issue connected with the FTC. In Dec. 2014, the patient portal provider PaymentsMD settled with the FTC over allegations that it used deceptive patient data practices. The FTC claimed that PaymentsMD had used confusing patient permissions checkboxes to blur the fact that patients were allowing the company to collect PHI.