Judge dismisses FTC security enforcement case against LabMD

The Federal Trade Commission's data security enforcement case against Atlanta-based cancer screening laboratory LabMD following an alleged 2008 data breach was dismissed Friday by an administrative law judge who said that the agency failed to prove the breach harmed, or could potentially harm, consumers.

In 2013, the FTC filed the complaint against LabMD for its alleged mishandling of patient information for roughly 10,000 individuals in two separate incidents: a situation in which billing information for more than 9,000 consumers was found on a peer-to-peer file sharing network; and a situation in which personal information for at least 500 individuals was found on physical day sheets and copied checks possessed by individuals who pleaded "no contest" to identity theft charges.

Judge Michael Chappell said in his initial decision, though, that the evidence presented failed to "assess the degree of the alleged risk," adding that it "would require unacceptable speculation" to conclude that risk was a "probability."

"Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury … requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case," Chappell wrote.

One key to the case was testimony in May by Richard Wallace, a former employee of Tiversa, the peer-to-peer security firm that said it discovered the online breach. Wallace testified that Tiversa exaggerated how much LabMD's file was exposed online.

What's more, the ruling noted that in June 2012, former FTC Commissioner J. Thomas Rosch warned the FTC against relying on information provided by Tiversa, calling the company "more than an ordinary witness." Rosch pointed out that after Tiversa discovered the billing information on the peer-to-peer file-sharing network, it "repeatedly solicited LabMD" long before the Atlanta-based company was contacted by the FTC.

Tiversa, in a statement sent to FierceHealthIT via email, said it acted appropriately and legally in every way with respect to LabMD, despite efforts by the latter to "besmirch" its reputation.

"Tiversa has never been a party to this matter, but we have sadly been dragged into this case as LabMD sought to blame others for its admitted mistakes," the statement said.

Tiversa continued, saying it is pursuing a defamation case against LabMD in Pennsylvania. "LabMD has made claims against Tiversa and a magistrate has recommended that all LabMD's claims be dismissed," the statement said.

The FTC did not immediately respond to a FierceHealthIT request for comment.

Reed Rubinstein, counsel for Cause to Action, which represents LabMD, told FierceHealthIT via email that given the nature of the decision, he doesn't believe there are competent legal or factual grounds for an appeal by the FTC. Additionally, Cause to Action Institute Executive Director Daniel Epstein, in a statement, called the FTC's case "meritless."

"Although FTC's ostensible justification for this boondoggle was 'data security,' it produced no evidence that even a single patient was harmed by LabMD's alleged inadequacies," Epstein said.

Despite the ruling, Alisa Chestler, a District of Columbia-based attorney who specializes in health IT privacy matters, told FierceHealthIT she's still advising her clients to keep their cybersecurity defenses up.

"It is important that healthcare companies do not get misled by this decision," she said. "The fundamental importance of security remains, as it should, a very strong standard. Whether it's the FTC or the Office of Civil Rights, good end-to-end security, including knowing and understanding the entities' protocols with peer-to-peer software or the prohibition of peer-to-peer software through their system, needs to be robustly considered, understood and documented."

To learn more:
- here's the judge's initial decision (.pdf)
- check out the Cause to Action announcement