U.S. Court of Appeals Grants Stay in FTC v. LabMD Case
There has been a long-running battle between the Federal Trade Commission (FTC) and LabMD over the accidental exposure and disclosure of sensitive personal information of patients and the actions LabMD must take to mitigate risk.
The accidental disclosure occurred after LabMD's billing manager installed the file-sharing program LimeWire on a work computer in 2005. The program was used for downloading and sharing music and video files for her personal use. However, the folder she shared – her “My Documents” folder – also held a work file containing 1,718 pages of sensitive information on 9,300 patients. That file could have been downloaded by other LimeWire users.
The file was discovered by the security firm Tiversa in 2008 and was downloaded. Tiversa attempted to get LabMD to purchase its services to mitigate risk. After LabMD refused, Tiversa notified the FTC, which launched an investigation.
The FTC determined that LabMD's lack of appropriate security for its customers’ personal information constituted a violation of the Federal Trade Commission Act, 15 U.S.C. § 45. The FTC issued a Final Order which required LabMD to “implement a number of compliance measures, including creating a comprehensive information security program; undergoing professional routine assessments of that program; providing notice to any possible affected individual and health insurance company; and setting up a toll-free hotline for any affected individual to call.”
LabMD ceased trading in January 2014 as it was not possible to cover the costs associated with the investigation by the FTC and subsequent litigation. LabMD also did not have the funds to cover the cost of the FTC’s Final Order, which LabMD estimates to cost in the region of $250,000.
LabMD currently has less than $5,000 in funds and is facing a $1 million judgement for terminating its lease early. The company has also been unable to cover the legal costs associated with the FTC's actions and is being represented on a pro bono basis.
LabMD requested a stay, which was denied by the FTC. LabMD then submitted a petition for review of the decision of the Federal Trade Commission. This week the U.S. Court of Appeals for the Eleventh Circuit granted the stay.
The decision hinged on whether the FTC's interpretation of § 45(n) of the Federal Trade Commission Act was reasonable, specifically whether the actions of LabMD caused or were “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
While there was no evidence to suggest that any of the 9,300 patients suffered any harm as a result of the exposure and disclosure of their information, the FTC found that harm had been caused as the file containing sensitive patient data had been disclosed to Tiversa. The FTC also determined patients suffered ‘privacy harm’ that affected patients’ reputations and emotions, which the FTC determined was likely to cause substantial injury.
In the judges’ opinion, the FTC’s interpretation of harm could be unreasonable. “It is not clear that a reasonable interpretation of § 45(n) includes intangible harms like those that the FTC found in this case.”
The phrase “likely to cause” could similarly have been misinterpreted by the FTC. The FTC took “likely” to mean “probable” or “reasonably expected,” and took the view that there was a high probability of harm occurring.
According to the judges, “we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.”
Since “the costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation,” a stay would be unlikely to result in any injury to other parties, and there is no risk of further breaches since LabMD is no longer in business, the motion to stay pending an appeal was granted.