Two years in the making, a fight between the FTC and a shuttered, Atlanta medical testing company is set to take place next week.
In 2012, the Federal Trade Commission, in its mission to protect consumers’ most sacred financial and medical details, originally accused LabMD of improperly handing the digital records of roughly 10,000 customers.
LabMD fought back. Asking a federal district court to stop the investigation.
But, in a ruling this week, a judge ordered the administrative hearing to go forward.
A federal district court judge has given the green light for a Federal Trade Commission administrative trial to begin next week on a security complaint against LabMD, a medical testing lab that’s now shuttered.
In a May 12 ruling, Judge William Duffey of the U.S. District Court for the Northern District of Georgia, Atlanta division, dismissed two LabMD motions: to have the FTC’s administrative action against the former lab tossed out, and to stop an FTC administrative hearing into LabMD’s data security practices from starting on May 20.
Legal battles like these are important — for both the government and regular folks — illustrative of the digital security problems the medical industry faces (the FBI recently warned healthcare providers that they aren’t ready for cyber sieges) and the number of virtual attacks aimed at patients.
From an AJC story, published last summer:
Personal health information breaches in Georgia have affected nearly a half-million people in the last four years, according to a review of federal records by The Atlanta Journal-Constitution. And that includes just the major incidents — those involving at least 500 people — that were reported. Nationwide, these major breaches have affected 22 million.
Medical records breaches are part of a much broader identity theft problem: One study determined that U.S. victims of identity theft lost $21 billion last year.
Critics say those who touch health data are sometimes lax and they know it.
An annual survey of health care organizations by Ponemon Institute, a privacy management firm, found that 94 percent admitted confidentially that they had suffered at least one data breach. Most “say they have insufficient resources to prevent and detect data breaches,” said Larry Ponemon, head of the institute.
Indeed, while there isn’t a federal data breach law — though there are states, such as Georgia, that have such protections — the FTC is bringing legal action against companies that violate people’s privacy rights using a provision in the FTC act that bars “unfair and deceptive acts and practices in or affecting commerce.”
Some more background on the LabMD case, from the Atlanta Business Chronicle (September, 2012);
A small medical company based in Atlanta is fighting a federal investigation into its data security practices — a potentially damaging blow to its reputation, says its founder.
The Federal Trade Commission (FTC) on Aug. 29 filed a petition in federal court to investigate LabMD Inc. and its CEO, Michael Daugherty, to determine whether the company had adequate data security for its medical records.
The federal agency says it obtained a copy of a 1,718-page spreadsheet that contained sensitive health information for about 9,000 of LabMD’s patients, including Social Security numbers, birth dates and health insurance policy numbers, according to the petition.
“There is no allegation that anybody has done anything wrong,” said Leslie Rice Melman, assistant general counsel for litigation for the FTC. She said the FTC is trying to investigate LabMD but the company has been unwilling to provide oral testimony and other documents.
“In most cases, in the end, we are able to get compliance without seeking the aid of the district court,” Melman said. “Citizens have an obligation to respond and cooperate in a lawful government investigation.”