Ryan A. Lewis

Ryan focuses his practice on cyber security, information governance, and privacy law.

The FTC has approved a final settlement against Practice Fusion, Inc., a company that describes itself as the “number one cloud-based electronic health record platform for doctors and patients.”  The FTC had alleged that Practice Fusion failed to adequately disclose that patient responses to an online healthcare provider satisfaction survey would be published on Practice

The United States Department of Health and Human Services, Office for Civil Rights (“OCR”), has assessed a $5.55 million fine against an Illinois healthcare provider for alleged HIPAA data privacy violations.  The settlement is the largest to date between the OCR and any single entity, and is one of several multi-million dollar settlements obtained by

Reversing the findings of an Administrative Law Judge, the FTC has found that LabMD, Inc., a former provider of clinical laboratory testing services to physicians, violated Section 5 of the FTC Act by failing to maintain proper data security practices.  The final order, issued on July 29, is notable in its position suggesting that

The Court of Appeals for the District of Columbia shot down a putative class action brought against Urban Outfitters, Inc., and Anthropologie, Inc., which had alleged that the companies violated D.C. consumer protection statutes by collecting customer ZIP code information during in-store checkout.  The July 26 ruling remanded the suit for dismissal, and held that

Microsoft prevailed in its appeal to the Second Circuit from an order denying its motion to quash a warrant seeking a Microsoft user’s email stored on the company’s servers in Ireland.  The ruling sets important precedent limiting the extraterritorial reach of the federal government in seeking to compel disclosure of private company data under the

Most organizations understand the importance of implementing software updates and patches in a timely manner. However, open platforms have permitted a level of customization such that a patch in one application may have unintended consequences in other parts of the overall system architecture, including customization of the software being updated. A good example is the recent Microsoft security

The FTC issued warning letters to 28 companies that allegedly advertised participation in the Asia-Pacific Economic Cooperative Cross-Border Privacy Rules system (“APEC CBPRs”), but had not received the requisite certification.  A company seeking to participate in the CBPR system must first have its compliance established by an APEC-recognized accountability agent.

The APEC CBPRs is a

The Federal Trade Commission (“FTC”) issued a press release last week announcing it has assessed $950,000 in civil penalties against Singapore-based mobile advertising company InMobi for alleged violations of the FTC Act and the Children’s Online Privacy Protection Act of 1998 (“COPPA”).  The penalty is part of InMobi’s settlement with the FTC over allegations that

Citing the Supreme Court’s recent decision in Spokeo, Inc. v. Robins, a Maryland District Court judge remanded a putative data breach class action for lack of Article III standing and subject matter jurisdiction.  The opinion serves as an early indication of the added hurdles facing prospective data breach class action plaintiffs under Spokeo.

Plaintiff

On May 20, the FTC approved its final order resolving its Complaint against Henry Schein Practice Solutions, Inc. (“Schein”), which came after the expiration of a public comment period.  Schein is a provider of office management software for dental practices. 

The FTC’s Complaint alleged that Schein misrepresented the encryption capabilities of its Dentrix G5