FTC Files Complaint Against Lab Over Failed Health Information Security

By Adam H. Greene
09.19.13

In a reminder that the U.S. Department of Health and Human Services (“HHS”), with its HIPAA security requirements and enforcement authority, is not the only game in town when it comes to health information privacy, the Federal Trade Commission (“FTC”) recently released a complaint against LabMD, Inc., alleging that a lack of information security was an unfair practice under Section 5 of the FTC Act. The case serves as a further reminder that, where HIPAA requires protection of patients’ “protected health information,” the FTC statute and enforcement authority extend to even broader categories of data.

The complaint stems from two incidents: (1) personal information of approximately 9,300 consumers made available to a peer-to-peer (“P2P”) file-sharing network after a billing department manager installed P2P software on a workstation for personal use; and (2) personal information of hundreds of the lab’s patients discovered by Sacramento law enforcement in the hands of identity thieves. The complaint seeks a 20-year consent order requiring monitoring of the lab’s information security practices. The complaint raises a number of risks and safeguards that labs and other health care providers (as well as non-health care entities) should consider including in their own information security risk analyses and risk management plans.

The FTC complaint alleges that the lab:

  • Did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
  • Did not identify commonly known or reasonably foreseeable security risks and vulnerabilities;
  • Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • Did not adequately train employees to safeguard personal information;
  • Did not require authentication safeguards for remote access, such as requiring changing of passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication;
  • Did not maintain and update operating systems; and
  • Did not employ measures to detect unauthorized access to personal information, such as unauthorized P2P file-sharing programs.

Unlike the HIPAA Security Rule, the FTC’s statute and regulations do not include a specific list of information security controls that must be put in place. Rather, the FTC has broad discretion to seek enforcement against any practice it considers “unfair” or “deceptive.” The FTC has exercised this enforcement discretion before in the health care space, issuing complaints against national pharmacy chains for disposing of prescription information in publicly accessible waste containers. Complaints such as this are the clearest indication of the FTC’s expectations of how to avoid “unfair” trade practices. The complaint against LabMD includes some similarities to HIPAA, such as emphasizing an information security risk analysis, but arguably is more aggressive than HHS and HIPAA in other respects, such as indicating a need for different passwords for different applications, and implying that two-factor authentication is required for remote access. Organizations may be well served to consider the FTC’s position, particularly as part of their own risk analyses. 

For more information, contact Adam Greene, Becky Williams, David Gee, or the DWT attorney with whom you normally work.
