by Ann F. Triebsch
We’ve all heard so much about HIPAA privacy breaches that we might think there couldn’t be anything else to worry about. Think again. The Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as violations of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine whether they are “unfair or deceptive acts or practices in or affecting commerce”, which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it had failed to properly protect the private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005).
The private information, including patient names, Social Security numbers, birth dates, health insurance information and medical treatment codes, was found on peer-to-peer (“P2P”) file sharing networks in 2009. These P2P networks were the subject of a 2010 FTC warning about the security breaches they are susceptible to and the precautionary steps businesses should take. In this case, the exposure of private health information can, and did, lead to identity theft and medical identity theft. So when the FTC found the sensitive information on numerous P2P networks, it began investigating numerous parties, including LabMD, to see whether they had failed to “use reasonable and appropriate security measures to safeguard sensitive information” in violation of the FTC Act. LabMD complied with the FTC’s initial requests, but not to the FTC’s satisfaction, and the FTC made further requests to fill the information “gaps”. LabMD repeatedly refused to comply, and now, after several rounds, the FTC has filed suit in federal court to require LabMD’s compliance. LabMD argues that the FTC has no authority over these types of breaches, and claims that a third party downloaded the spreadsheet containing the private information.
The lack-of-authority argument, however, may not be a winner, especially in light of the FTC’s past enforcement actions in the health care privacy arena. In July 2010, the FTC reached a settlement with Rite Aid Corporation on charges that Rite Aid had failed to protect the sensitive financial and medical information of its customers and employees. The company made advertising claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” However, Rite Aid pharmacies were reported to be using open dumpsters to discard trash containing consumers’ personal information, such as pharmacy labels. The FTC alleged that the advertising claims were therefore deceptive and that Rite Aid’s security practices were unfair. Rite Aid agreed to implement a comprehensive information security program and to undergo third-party audits every other year for 20 years. HHS tag-teamed with the FTC on the Rite Aid case, and the two agencies resolved similar allegations with CVS Caremark in February 2009.
The FTC’s jurisdiction extends to interstate commerce, but it is hard to imagine any but the smallest breach of private health information in this day and age that wouldn’t affect interstate commerce. So the specter of two federal agencies policing for breaches and proper security measures gives that much more incentive to keep data under appropriate lock and key!