The Federal Trade Commission has reversed a decision by its chief administrative law judge that dismissed the FTC’s data security complaint against now-defunct medical testing laboratory LabMD.
Last year, Chief Administrative Law Judge D. Michael Chappell found that the FTC’s complaint had failed to prove that LabMD’s alleged failure to employ reasonable data security constitutes an unfair trade practice. However, in reversing the judge’s ruling, the FTC concluded that Chappell applied the wrong legal standard for unfairness.
The FTC on July 29 released an opinion and final order—approved by a 3-0 vote—in which it charges that LabMD “failed to implement reasonable security measures to protect sensitive consumer information on its computer network” and that “its data security practices were unfair” under the Federal Trade Commission Act.
“We also find that LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system,” states the FTC’s opinion and final order. “Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
According to the FTC, these security failures “resulted in the installation of file-sharing software that exposed the medical and other sensitive personal information of 9,300 consumers on a peer-to-peer network accessible by millions of users.” The commission alleges that LabMD left the data unsecured so that it was “freely available for 11 months, leading to the unauthorized disclosure of the information.”
In its final order, the FTC required that LabMD notify affected individuals, establish a comprehensive information security program and obtain third-party assessments regarding its implementation of the program. While LabMD went out of business in January 2014, the FTC noted in its decision that the company “has not destroyed or deleted any of the patient data it collected” and “continues to maintain the personal data of hundreds of thousands of people on its computer system.”
Michael J. Daugherty, founder and CEO of LabMD, contends that his company complied at all times with HIPAA rules, noting that Judge Chappell’s November 2015 ruling stated that the FTC had failed to prove that LabMD’s computer data security practices caused or were likely to cause substantial consumer injury. Nonetheless, he was not surprised by the FTC’s opinion and final order.
“This is about the FTC trying to wear me down. This is not about a fair court of law,” says Daugherty, who points to a recent study by former FTC Commissioner Joshua Wright that found that in all of the cases in which administrative law judges found no liability, the agency reversed those decisions.
“The Commissioners have more power than the judge and their court,” he adds. “Shame on every Commissioner. They have, without remorse, made a mockery of legal ethics, regulatory boundaries and HHS.”
Likewise, Cause of Action Institute, a public interest law firm committed to limiting corruption and abuse in the federal government, was quick to voice its objection to the FTC’s reversal of Judge Chappell’s ruling, calling it “unfortunate” but not surprising.
“This decision sets a dangerous precedent for every small business in America that deals with sensitive personal information,” reads the statement from Cause of Action Institute. “The FTC appears to have overlooked a significant body of evidence that had been presented before the agency’s chief ALJ. The FTC has imposed liability on LabMD, despite there being no evidence that a single consumer was harmed. In reversing the initial decision, the FTC Commissioners disavowed and disregarded the witness credibility findings of Chief ALJ Chappell, which were based on his first-hand observations of the witnesses.”
The FTC said in its announcement that LabMD “has 60 days after service of the Commission’s opinion and final order to file a petition for review with a U.S. Court of Appeals.”
Daugherty says he will be filing a petition in the coming weeks in appeals court, either in the District of Columbia or Georgia. “I am so happy and so relieved to be out of their dirty, biased system and into an Article III court,” he concludes. “Now, we’ll go to a court where the FTC doesn’t have everything stacked in their favor.”
FTC officials were not immediately available for further comment.