
LabMD Blames its Shutdown on FTC Legal Battle over Security Protections

HL Chronicle of Data Protection

31 January 2014
LabMD recently announced its plans to wind down operations, citing its ongoing legal battle with the Federal Trade Commission (FTC) over the company’s data security practices as a major cause. In a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. Daugherty’s letter blamed the FTC’s “debilitating investigation and litigation” as a major factor in the company’s decision to wind down operations.

In August 2013, the FTC filed an administrative complaint charging LabMD with violating Section 5 of the FTC Act based on allegations that the company failed to implement reasonable and appropriate security protections for consumers’ personal information, including medical information (read our prior post for more details on the complaint).  LabMD aggressively fired back this past November, filing a motion to dismiss the administrative complaint. At the core of LabMD’s defense was the argument that the FTC lacked authority to regulate the company’s data security practices because LabMD (as a covered entity) was subject to the security requirements of the Health Insurance Portability and Accountability Act (HIPAA).

LabMD, a medical testing laboratory, maintains that Congress gave the Department of Health and Human Services sole authority to regulate the security of health information under HIPAA and other health privacy laws, and hence the FTC never should have brought an enforcement action against LabMD based on allegations of deficient security controls in the first place. In an order issued on January 16, the FTC denied LabMD’s motion to dismiss the administrative complaint and emphasized the agency’s broad authority to define and regulate unfair acts and practices under Section 5, including the practices of HIPAA-regulated entities.

The FTC’s denial of LabMD’s motion confirms that the agency does not view HIPAA as a shield against Section 5 and the agency’s enforcement authority. The decision could have far-reaching implications for entities governed by HIPAA. The LabMD case makes clear that the HIPAA Security Rule is not the only standard to consider when covered entities and business associates are managing organizational security risks, and suggests that the FTC’s increased focus on the protection of health data will continue.

Adam Solomon, an associate in our Washington, D.C. office, assisted in the preparation of this entry.
