How bad can a medical data breach get? Apparently, it can cause your company to fold. LabMD, which has twenty employees, has announced that it will wind down its operations due to the overbearing reach of the FTC. The company’s CEO has issued a press release blaming the FTC for his company’s woes, accusing it of overreaching and abusing its power.
Update (05 May 2014): Dissent at phyiprivacy.net argues that the FTC may very well have overplayed its hand. Definitely worth a read.
Update (29 May 2014): A Georgia Court Opinion (uploaded to phyiprivacy.net) finds the “FTC caused our business to go bankrupt” claim questionable. More at the bottom of this post.
You can find a summary of LabMD’s recent trials and tribulations by googling it. The short version of the story is that the FTC went after LabMD when the latter was caught with a data breach. LabMD went to the courts, arguing that the FTC didn’t have the right to be going after it. It lost time and again, and finally decided to toss in the towel.
But as I read the stories, it seemed to me that the FTC is not necessarily overplaying its hand.
HIPAA Applies to Covered Entities
One of the judo moves up LabMD’s sleeves was the argument that the FTC had no jurisdiction because the information at the center of the controversy happens to be medical in nature. Thus, the argument goes, LabMD’s failings are under the purview of HIPAA, which means the Department of Health and Human Services (and its Office of Civil Rights) should be bringing forward any action, not the FTC.
Seeing how OCR has the ability to levy fines of up to $1.5 million and other penalties, including audits for 20 years, I’m not quite sure why LabMD is making this particular argument. Regardless, let’s get something straight here: just because medical data has been compromised doesn’t mean that HIPAA applies.
Anyone who has taken a somewhat in-depth look into the issue knows that HIPAA applies to “covered entities” (and thanks to HITECH and the Final Omnibus Rule, “business associates”). What is a covered entity? Well, medical entities like hospitals, dentists, clinics, and others. But, and this is key, not all medical entities are HIPAA covered entities (my emphasis):
Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. Covered entities can be institutions, organizations, or persons.[nih.gov]
In other words, if there’s no electronic transmission, you’re not a covered entity under HIPAA even if you operate a medical business. For example, perhaps you’re a dentist who is stuck in the analog age and will only take cash payments. HIPAA doesn’t apply to you.
So, the question is not whether the breached information was medical in nature. The question is whether LabMD is a covered entity. The second question is whether LabMD was a covered entity when the data breach occurred, since things have changed quite a bit since the introduction of HITECH:
In a statement released in September 2013, an HHS spokesperson said “[HHS] decided not to join FTC in their investigation of these peer-to-peer sharings and we did not independently receive complaints […] This was pre-HITECH, so there was and is no obligation on LabMD with respect to our breach notification requirements – whether any exist under state law would be for the state to determine.” [dataguidance.com]
While the above HHS comment is about breach notifications under HIPAA, it stands to reason that if LabMD was not subject to the Breach Notification Rule, then it probably was not subject to HIPAA, either. If HIPAA applies to you, then BNR applies to you as well (no ifs or buts).
And if HIPAA doesn’t apply…well, that’s why the FTC is investigating LabMD’s data breach.
Disingenuous: It’s Not About “Unfair” Trade Practices
There’s another aspect of LabMD’s arguments that doesn’t sit well with me. This is a quote from LabMD’s CEO:
Following a four year investigation of LabMD, the FTC filed an administrative suit alleging LabMD’s patient information data security was an “unfair” trade practice. Absent any established or uniform data security standards; absent Congressional approval to regulate data security practices; absent a consumer victim from any alleged LabMD security breach; all without alleging that LabMD violated HIPAA privacy regulations . . . [healthitsecurity.com]
The problem with this argument lies in the quotation marks. As a lay person who’s also a Gen-Xer, those quote marks hold a special place in my heart. I can already visualize a pair of hands in the air, the curve of the phalanges, the up-and-down motion.
The LabMD CEO’s accusation sounds like the FTC views the lack of PHI security on LabMD’s part as an “unfair” advantage over the competition, as if the word unfair is being misapplied, as if it doesn’t make sense.
But that’s not what it’s about. Under Section 5 of the FTC Act, deceptive maneuvers also constitute “unfair practices”:
(a) Declaration of unlawfulness; power to prohibit unfair practices; inapplicability to foreign trade
(1) Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.
(2) The Commission is hereby empowered and directed to prevent persons, partnerships, or corporations, except banks, savings and loan institutions described in section 57a (f)(3) of this title, Federal credit unions described in section 57a (f)(4) of this title, common carriers subject to the Acts to regulate commerce, air carriers and foreign air carriers subject to part A of subtitle VII of title 49, and persons, partnerships, or corporations insofar as they are subject to the Packers and Stockyards Act, 1921, as amended [7 U.S.C. 181 et seq.], except as provided in section 406(b) of said Act [7 U.S.C. 227 (b)], from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.
Let’s say that you as a company promise customers that their information will be kept secure. That you hold its security paramount. That it will not be released to third parties. And so on.
If it turns out that the company has a track record of lousy data security, would that constitute a deceptive act? What if the FTC investigated the issue and it turned out that, not only do you have a lousy record, you still have lousy security, which invalidates the promise regarding data security?
Precedent for Deceptive Practices
The same reason – deceptive claims – was used when the FTC and HHS went after Rite Aid in 2010. What happened there? In a nutshell, Rite Aid was found dumping sensitive information with nary a thought given to data security, despite having promised to hold personal information in a secure manner. Rite Aid settled with both government agencies.
Rite Aid is but one company that got into the FTC’s crosshairs. The FTC recently marked its 50th data security settlement, starting with its first case in 2002. If there is strength in numbers, the FTC has them in spades.
But that’s neither here nor there. The question is whether the FTC is wrong in trying to enforce data security standards on commercial companies.
Is it? Perhaps. But I think most people will agree that LabMD didn’t have a leg to stand on when considering the bigger picture. What does it matter whether it’s the FTC or HHS/OCR that comes after the company? After all, it’s not as if the company is being falsely accused of having had a data breach. (They had two.)
One way or another, they were destined to be fined and to agree to periodic audits. It seems to me that LabMD would have been better off paying for encryption software than paying its attorneys to essentially change who’s overseeing the finish line.
Questionable Claim (Updated 29 May 2014)
Copied here is the court’s reasoning why it questions the veracity of LabMD’s claims that the FTC was the reason for winding down the private lab’s operations. Footnote 8 in LabMD v. FTC Opinion and Order (my emphases):
LabMD’s claim that the FTC investigation had a crippling effect on its business is questionable in light of Mr. Daugherty’s testimony at the Preliminary Injunction hearing. In 2010, the FTC began its investigation into LabMD’s data security practices. Four years later, in January, 2014, LabMD decided to no longer provide cancer detection services, which is the essence of its business operations.
Preliminary Injunction Hr’g Tr., at 6: 20-25. LabMD continued to operate as a going concern throughout the FTC investigation until the end of 2013. In 2013, LabMD retained 25 to 30 employees on its payroll, and it continued to generate a profit margin of approximately 25% until 2013 when the company experienced a loss of half a million dollars. Id. at 11: 1-25. The company “never had problems getting insurance prior to 2013.” Id. at 12: 6-8. The evidence presented at the Preliminary Injunction hearing demonstrates that an insurer’s decision to deny tail risk coverage to LabMD on account of the FTC investigation and administrative proceeding was not made until January 13, 2014, which is a week after LabMD had decided to discontinue its cancer detection services. See Pl.’s Ex. 15, attached to Pl.’s Ex. List. At the Preliminary Injunction hearing, Mr. Daugherty conceded that the implementation of the Affordable Care Act, and its resulting effect on cost containment and market consolidation, negatively impacted LabMD’s operations, and “creat[ed] huge anxiety, destruction, consolidation in our customer base.” Id. at 52: 9-21. Mr. Daugherty also conceded that LabMD’s future “depend[ed] on Obamacare, and other than that I don’t know.” Id. at 54: 1-4.