LabMD Appeals; Court Grants Temporary Stay

lab_specimensIn a recent blog post entitled “FTC Issues Final Order and Data Security Lessons in LabMD Case,” we discussed the Federal Trade Commission (“FTC”)’s Final Order in the LabMD case.  The FTC found that LabMD failed to provide reasonable and appropriate security for its customers’ personal information and that this failure caused (or was likely to cause) substantial consumer harm constituting an unfair act in violation of the law.  It  ordered LabMD to implement a number of compliance measures, including creating a comprehensive information security program, undergoing professional routine assessments of that program, providing notice to any possible affected individual and health insurance company, and setting up a toll-free hotline for any affected individual to call.  Although LabMD has closed its doors and has limited resources to comply with the FTC’s Final Order, it appealed the Final Order to the U.S. Court of Appeals for the Eleventh Circuit.  At the same time, it sought a stay from the FTC, which would halt these compliance measures pending the court’s review. The FTC denied the stay, so LabMD then asked the Eleventh Circuit to grant the stay.

On November 10, 2016, the Eleventh Circuit granted LabMD’s motion to stay enforcement of the Final Order pending appeal.  A copy of the court’s Order granting the stay is available here.  When issuing the stay, the court found that there existed a serious legal question as to Continue reading

Administrative Law Judge Dismisses FTC Complaint Against LabMD

electronic health recordOn November 13, 2015, the Chief Administrative Law Judge (ALJ) for the Federal Trade Commission (FTC) issued an Initial Decision dismissing the FTC’s Complaint against LabMD, Inc. for lack of evidence. The FTC originally issued this Complaint against LabMD in 2013, alleging that the clinical testing laboratory failed to provide “reasonable and appropriate” security for personal information maintained on LabMD’s computer networks and that this conduct “caused or is likely to cause” substantial consumer injury.

Continue reading

FTC Releases Report and Practical Advice on the Internet of Things

On January 27, 2015, the Federal Trade Commission (FTC) released a staff report entitled “Internet of Things: Privacy & Security in a Connected World.” This report suggests steps businesses can take to protect consumers’ privacy and security as they use objects that connect and send data to the Internet.

InternetOfThings-01The FTC Staff Report defines the Internet of Things (IoT) as “the ability of everyday objects to connect to the Internet and to send and receive data.” Examples of such objects are bracelets that track fitness activities and share the data with friends, cameras that post pictures online, RFID tags to monitor inventory, and home automation systems to monitor lights, temperature and security and report to homeowners when they are away. In health care, such objects include medical devices that monitor vital signs and other patient data, such as insulin pumps and blood pressure cuffs, and then share this data with physicians and caregivers. Basically, the IoT is “essentially any other Internet-connected device that isn’t a mobile phone, tablet, or traditional computer.”

The number of “things” connected to the Internet is greater than the number of people, and, as of this year, there will be 25 billion devices connected to the Internet. But this increased connectivity comes with increased privacy and security risks. First, financial and personal data stored on these devices can be stolen. Second, when the objects are connected to a network, security vulnerabilities in the objects may Continue reading

After LabMD: FTC, What Do We Comply With?

by Ann F. Triebsch

clip_image002As observers of data security enforcement are aware, the Federal Trade Commission (FTC) determined on January 16, 2014, that even entities that are already subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) are also subject to FTC jurisdiction and enforcement powers for data security breaches.  In the LabMD decision, the FTC denied the motion to dismiss sought by LabMD in the administrative case against it, which was formally filed in August, 2013. This outcome, though anticipated, has stirred up plenty of discussion, including about how to know whether or not you’re storing data in a way that satisfies the FTC, and what happens if you’re not.  For entities that are subject to HIPAA and have been following the HIPAA Security Rule regulations, is this enough?  Should they be doing more to also demonstrate compliance to the FTC? Continue reading

Privacy Breaches – They’re FTC Territory, Too!

by Ann F. Triebsch

Lock and KeyWe’ve all heard about HIPAA privacy breaches until we think there couldn’t be anything else to worry about. Think again—the Federal Trade Commission (FTC) is prosecuting privacy breaches in the health care industry as a violation of Section 5 of the FTC Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is charged with enforcing HIPAA, but some of those same privacy breaches can be scrutinized by the FTC to determine if they are “unfair or deceptive acts or practices in or affecting commerce”, which the FTC Act prohibits. On August 29, 2013, the FTC filed suit in Federal District Court in Atlanta against LabMD, a medical testing laboratory, and its president, to compel it to comply with an investigative demand for information on whether it failed to properly protect private information of about 9,000 consumers (FTC v. LabMD, U.S.D.C. N.D. Ga., Case No. 1:12-CV-3005) .

Continue reading