After many years, and after the demise of the company itself, LabMD is able to wave the victory flag. It all came down to one simple word: likely. What does likely mean?
We first posted about this case back in April of 2014.
To read how the cost of defending against an FTC HIPAA violations claim led to the entity's demise, go to: http://wp.me/p4bsis-153
To read why PaymentsMD got in trouble with the FTC over patient information, go to: http://wp.me/p4bsis-1fy
On its website, the FTC identifies its strategic goals as:
- Protect Consumers: Prevent fraud, deception, and unfair business practices in the marketplace.
- Maintain Competition: Prevent anticompetitive mergers and other anticompetitive business practices in the marketplace.
- Advance Performance: Advance the FTC’s performance through organizational, individual, and management excellence.
The FTC action against LabMD was based on strategic goal number 1.
LabMD used file-sharing technology to allow lab results and patient information to be shared between itself and insurance companies. It turned out that patient information was being shared with more than insurance companies: LabMD patient information was found in the hands of identity thieves. https://www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter.
The Department of Health and Human Services' Office for Civil Rights (OCR) looks at failures to follow HIPAA Rules, standards, and implementation specifications. The FTC, by contrast, looks at security breaches and security practices that amount to unfair or deceptive business practices. There is a big difference.
That is a broad, sweeping swath. When is a security practice unfair or deceptive? That is an ambiguous enigma. It could be anything. But to be unfair, a practice has to be likely to cause harm to consumers. There is that word: likely. Under federal law, the FTC only has authority to bring charges if there is a likelihood of consumer harm. The FTC cannot just randomly declare something unfair or deceptive. That is where the FTC got stuck.
Yes, the FTC could show that LabMD did not follow HIPAA standards and implementation specifications. Yes, the FTC could show that thieves got hold of patient information. But the FTC could not show a likelihood of harm. There was no evidence that thieves used the patient information to steal money from consumers. The FTC could not show that consumers were denied healthcare because thieves stole their information. The FTC could not show that consumers incurred debt because thieves used their information to get credit cards.
This is a pendulum that has been swinging. How likely, meaning how possible or how probable, must it be that poor security practices or breach events will lead to consumer harm? Where the pendulum will come to rest is unknown. Some courts have said that the mere possibility of harm is enough, without any showing of probability or actual injury. Others, like the judge here, have said that possibility is not enough and that a probability of harm is required.
The case is not over. The FTC can appeal the judge's decision. In a press release about the decision, the FTC notes that right of appeal but neither commits to nor rules out an appeal. https://www.ftc.gov/news-events/press-releases/2015/11/administrative-law-judge-dismisses-ftc-data-security-complaint.
Make employees your best defense against privacy and security breaches!