Healthcare Exposure Beyond HIPAA: FTC Finds Violation and Harm From Release of Medical Information Alone in LabMD Appeal
The Federal Trade Commission (FTC) held in its recent decision in LabMD that lax security practices are unreasonable trade practices, and that electronic medical information is so sensitive that substantial harm to consumers will be presumed by its release. Healthcare, long concerned with HIPAA proceedings and litigation resulting from breaches, now has a third major legal exposure concern.
The FTC found that the security practices that led to the breach constituted unfair trade practices within the definition of Section 5 of the FTC Act, and that disclosure of health information as a result of the breach posed “substantial likelihood of harm” (another prong of FTC jurisdiction) even though no consumer had come forward to demonstrate injury such as identity theft or other fraud. In this way, the decision breaks significant new risk ground for healthcare providers, plans, and those who work with providers and plans and access medical information.
The facts of the matter read like a cross between a “how-not-to” data protection manual, a Judd Apatow movie and an episode of “CSI.” LabMD, a clinical laboratory, employed a billing manager who allegedly had downloaded a peer-to-peer music sharing service, Limewire, onto her work computer, in “My Documents,” where she also had a file with 1,718 pages of billing information and identifiers for over 9,000 patients. A security service, Tiversa, discovered the information and showed it to LabMD in an effort to get LabMD’s business. LabMD neither notified the affected patients nor hired Tiversa. Tiversa reported the breach to the FTC. In an unrelated operation, Sacramento, California police raided a residence of suspected utility billing information thieves and found LabMD “day sheets” with the names and Social Security numbers of over 600 patients.
LabMD challenged the FTC’s proceeding and prevailed at the administrative law judge hearing, which resulted in a dismissal on the ground that substantial likelihood of harm to consumers, a jurisdictional requirement, had not been proven. The FTC’s appellate panel reversed. Lax security practices such as those demonstrated here (including absence of a prohibition on peer-to-peer downloading, and no password policy, so that six employees’ passwords were “labmd”) are in themselves unfair trade practices, the panel wrote. In addition, medical information, including the fact that certain tests were performed, is so sensitive, the panel held, that its release onto the internet will, even without more, constitute proof of likelihood of consumer harm. More need not be shown.
The clear trend, from courts to administrative agencies, is that the requirement to show concrete injury, such as credit card fraud or tax refund requests in the name of the patient, is falling fast. In addition, the FTC is moving steadily and strongly into the privacy enforcement arena and, as LabMD shows, will proceed where breaches result from lax security practices. FTC proceedings can be long and costly. LabMD, which had challenged FTC jurisdiction up to the Eleventh Circuit, is no longer in business.