Can the FTC regulate digital health privacy?

From: GovernmentHealthIT

Anthony Brino, Associate Editor

A small diagnostics company in Georgia is challenging the Federal Trade Commission’s authority to regulate health data breaches in a dispute that could shape the future of federal health privacy regulation.

In 2008, the Atlanta-based LabMD was contacted by an IT security firm, Tiversa, which said it had accessed the lab’s billing information online after an employee, in violation of company policy, used the peer-to-peer file-sharing software Limewire to listen to music.

Tiversa told LabMD it had been able to obtain a file with the personal data of about 9,300 LabMD customers, including their Social Security numbers, and then sought a service agreement with the lab — a sort of hacking-as-business pitch.

When LabMD turned down that offer, Tiversa brought the file to the FTC, which has been investigating the incident ever since and, after failing to secure a consent agreement with the lab, launched an administrative complaint in August.

While the FTC has not alleged wrongdoing, the agency maintains that LabMD had “fundamental, systemic security failures that put at risk consumers’ sensitive personal and health information,” with the information of about 500 customers later found in the hands of identity thieves in Sacramento, California.

While LabMD leaders corrected the initial problem of Limewire running on an employee’s computer and said they have cooperated with many of the FTC’s information requests, they’re now trying to end the investigation, recently asking an administrative law judge to invalidate 35 subpoenas the FTC issued for documents and testimony from current and former LabMD employees, clients and IT providers.

“From the outset of the FTC’s investigation, the Commission has exerted authority it does not have to punish a business that has done nothing wrong,” said Dan Epstein, executive director of Cause of Action, a nonprofit representing LabMD that “fights to protect economic opportunity when federal regulations, spending and cronyism threaten it.”

Cause of Action and LabMD argue that Congress authorized only one agency, the Department of Health and Human Services, to regulate personal health information, and that Section 5 of the FTC Act, covering “unfair acts and practices,” does not apply to patient health data.

“No court has ever said that Section 5 authorizes the FTC to regulate patient information data-security practices, or any other data-security practices, for that matter,” said Reed Rubinstein, Cause of Action’s litigation VP and a lawyer with the firm Dinsmore & Shohl. “Despite the Commission’s repeated requests, Congress has refused to confer upon the FTC jurisdiction over such data-security cases,” Rubinstein said.

In response, FTC lawyers argue that the issue of LabMD’s apparent breach “fits squarely within” the agency’s “broad mandate.” They also noted that the FTC has brought close to 50 data security cases against companies since 2000, with 18 of them alleging unreasonable security practices as unfair under the FTC Act’s Section 5.
