Share this article on:
The Federal Trade Commission’s case against healthcare service provider LabMD has been dismissed by a Chief Administrative Judge due to a lack of evidence that patients were exposed to a significant risk of suffering a substantial injury as a result of their personal information being exposed. This is the first time a decision has gone against the FTC after a data breach case has been challenged.
The initial decision on November, 13, went against the FTC, although the FTC can lodge an appeal in the next 30 days. At the present time, the FTC is currently considering the matter and deciding whether to appeal and send the case against LabMD to federal court to be decided. Judge Michael Chappell ruled that the FTC “failed to prove its case” that affected individuals were placed at a considerable risk of suffering harm or losses as a result of the incidents. Consequently, they were unlikely to constitute unfair trade practices.
The case was originally filed against LabMD in August 2013. The security breaches cited in the case occurred in 2008 and 2012. In 2008, a document containing detailed information about patients, including their billing information, was discovered on a peer-2-peer file sharing network. Over 9,000 individual records were contained in the spreadsheet. The file was discovered by Cybersecurity firm Tiversa. The company provides P2P intelligence services to the government and corporations.
Tiversa alerted LabMD to the presence of the unsecured spreadsheet on a P2P network, although LabMD declined to employ Tiversa to provide remediation services. The matter was then reported to the FTC by the cybersecurity company. There was some uncertainty about the level of risk faced by patients, and the extent to which the file was being shared on the network. During the case, a former employee of Tiversa testified that the company regularly contacted prospective clients with information about data discovered on P2P networks, but exaggerated the level of risk faced by those companies in an attempt to sell remedial services. The degree to which the file was being shared was therefore questionable.
Further weight was added to this revelation after a 2014 House Committee on Oversight and Government Reform investigation into working practices at Tiversa was conducted. A report issued by the committee stated that Tiversa “often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks.”
Tiversa is still fighting a case against LabMD for defamation after the HIPAA-covered entity alleged improper working practices at the cybersecurity firm, which Tiversa believes were made to “besmirch our reputation,” and transfer blame for errors made by LabMD staff.
The 2008 incident was not the only security breach suffered by LabMD in recent years, and the FTC case also cited a second security incident that occurred in 2012. There may be considerable doubt cast over the level of risk faced by patients following the 2008 security breach, but the 2012 breach appears to have placed patients at a much higher risk of suffering harm or loss after personal data were exposed. Documents containing billing information and Social Security numbers of at least 500 individuals were discovered to be in the possession of identity thieves by the Sacramento Police department.
As a result of the actions of the FTC, LabMD was forced into insolvency. The case against the company may have been dismissed, but the damage has already been done.
However, this is the first time that a FTC complaint has been challenged and won. This could convince other companies to challenge cases filed against them by the FTC in the future.