Reversing the findings of an Administrative Law Judge (ALJ), the FTC has found that LabMD, Inc., a former provider of clinical laboratory testing services to physicians, violated Section 5 of the FTC Act by failing to maintain reasonable data security practices.  The final order, issued on July 29, is notable for its position that the FTC has broad power to regulate even an extremely limited disclosure of personal medical information.

LabMD operated as a provider of laboratory testing services for physicians from 2001 to 2014.  The company maintained sensitive patient samples and testing information.  In 2013, the FTC issued a complaint against LabMD alleging that the company failed to provide reasonable and appropriate security for personal information stored on its computer network.  The complaint was based on an alleged exposure identified in 2008 by a forensic analyst working for Tiversa, a data security company.  While the HHS Office for Civil Rights might be expected to take charge had the event happened today, the FTC asserted jurisdiction.

The Tiversa analyst allegedly located a copy of a LabMD insurance aging report via a peer-to-peer (P2P) file sharing application.  The file, referred to in the opinion as the “1718” file, supposedly contained “1,718 pages of sensitive personal information for approximately 9,300 consumers, including their names, dates of birth, social security numbers, ‘CPT’ codes designating specific medical tests and procedures for lab tests conducted by LabMD, and, in some instances, health insurance company names, addresses, and policy numbers.”  The forensic analyst alleged that he was also able to download other shared files from the same LabMD IP address.  The 1718 file was allegedly exposed because a LabMD billing manager had been given administrator rights on her computer and used them to install a P2P application.  The billing manager had configured the P2P application to share the entire contents of her “My Documents” folder, which held the report, with other users of the network.

The ALJ held that under Section 5(n), LabMD’s computer data security practices had not been shown to have “caused” or to be “likely to cause” “substantial consumer injury” sufficient to invoke the FTC’s jurisdiction.  In pertinent part, the ALJ found that the limited disclosure of the 1718 file to Tiversa (and to an affiliated academic researcher) did not constitute sufficient injury under Section 5(n).  The ALJ also noted that Complaint Counsel had relied on unsubstantiated evidence provided by Tiversa in bringing the original complaint.

In reversing the ALJ, the Commission determined that the ALJ had improperly interpreted Section 5(n) of the FTC Act, and it rejected the ALJ’s findings.  Specifically, the Commission found that the unauthorized disclosure of the 1718 file itself caused substantial injury under Section 5(n), even though the disclosure was limited to Tiversa and one other researcher.  The Commission noted that “substantial” consumer injury under Section 5(n) could include “an intangible but very real harm like a privacy harm resulting from the disclosure of sensitive health or medical information.”  The mere disclosure of the 1718 file was therefore sufficient injury under Section 5(n).

Further, the Commission concluded that the disclosure of the 1718 file via a peer-to-peer file sharing application “was likely to cause substantial injury and that the disclosure of sensitive medical information did cause substantial injury” under Section 5(n).  The opinion noted that physical or economic harm was not required, at least when medical information is at issue.  “[T]he disclosure of sensitive health or medical information causes additional harms that are neither economic nor physical in nature but are nonetheless real and substantial and thus cognizable under Section 5(n).”  Finally, as to whether substantial injury was “likely” to occur, the Commission stated that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”  

The Commission also pointed to specific shortcomings in the company’s data security program.  Those issues included LabMD’s failure to employ adequate risk assessment tools, such as intrusion detection, file integrity monitoring, and penetration testing.  The opinion also noted that LabMD failed to provide data security training to its employees, and that it failed to adequately restrict or monitor employee administrator access, the very privilege that allowed the billing manager to install the P2P application.  The Commission further stated that the security tools LabMD did use to mitigate risk were inadequate under the circumstances, and that its “antivirus programs, firewall logs, and manual computer inspections could identify only a limited scope of vulnerabilities” and were often used ineffectively.

The problem with the Commission’s ruling is that it turns the “likely to cause substantial consumer injury” test on its head, finding unfairness where an unlikely risk is merely large in theoretical scope.  This conclusion is at odds with the statutory requirement of actual, or at least likely, harm.  Nothing in the Section 5 jurisdictional test suggests that the likelihood-of-harm requirement (causation) is relaxed when the potential consumer injury is somehow more “substantial.”

LabMD has 60 days in which to file a petition for review of the FTC’s decision with the U.S. Court of Appeals.  Michael Daugherty, president and CEO of the now-defunct LabMD, recently expressed his intention to take the legal battle to federal court on appeal.