Michael in Print

07 May Unfair enforcement? FTC vs. LabMD – Excerpts from original post on PHIprivacy.net

Is the Federal Trade Commission (FTC) – the agency that is supposed to protect consumers from unfair business practices – itself engaging in unfair practices in its treatment of LabMD? Who protects us from over-zealous regulators?

This week PHIprivacy.net published an outstanding post on the FTC and its enforcement of nebulous standards. Please enjoy some choice excerpts and click HERE to read the full post.

Refusal to Cave Costs LabMD Their Business

Rather than comply with what it considered unwarranted and unreasonable demands, LabMD decided to fight the FTC. The FTC action resulted in them losing their insurance, incurring approximately $500,000 in costs (so far), and ultimately, losing their business under the crushing burden of the litigation.

Is it good for patient privacy and data security to have a lab that HHS never investigated – because there was no reportable breach and HHS received no complaints about the incident – fold under the extraordinary financial burden of an FTC investigation? I don’t see how. Yes, the second data security incident involving LabMD day sheets may have been associated with consumer/patient harm if the information was used for identity theft or fraud, but unless the FTC plans to investigate tons of cases where copies of paper records with PII or PHI are found in possession of criminals, what was and is the point of its investigation and complaint against LabMD – a process that it initiated well before it even knew about the day sheets incident?


Even if FTC were to drop its complaint against LabMD – and in the interests of genuine fairness, I think it should – LabMD has already been destroyed. Sadly, the agency tasked with preventing unfair practices has itself seemingly engaged in unfair practices here. How can the business they have harmed be made whole again if objective people look at the situation as it was in 2008 and agree that there was no fair notice, no harm reported by patients, and that LabMD’s data security program and policies were consistent with standard practice for that time and type of organization?


03 May FTC told to disclose the data security standards it uses for breach enforcement


As reported in Computerworld yesterday, a legal decision was handed down in favor of LabMD. A short quote from the Computerworld article follows; to read the whole post, click HERE.


The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency’s chief administrative law judge ruled Thursday.

The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010.

LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place.

The FTC argued that it should not be required to disclose the legal or other standards it uses to determine whether a company’s data security practices are unfair or not under Section 5 (a) of the FTC Act.

In a six-page ruling, the FTC’s chief administrative law judge, Michael Chappell, nixed that argument and held that the Commission can indeed be compelled to disclose the information in the LabMD case.

LabMD’s official response to yesterday’s ruling:

LabMD, a medical facility, is cautiously optimistic that the FTC will be forced to step into an era of fairness and transparency in notifying the business community, both large and small, what their data security standards are. LabMD still strongly objects to the FTC’s overreach into the medical regulatory environment overseen by HHS via HIPAA.


26 Apr FTC challenger remains defiant over charges

The head of a medical lab charged with letting thieves steal patient data is refusing to back down from his fight against the Federal Trade Commission (FTC).

A court’s decision this month to allow the FTC to pursue similar charges against the Wyndham hotel chain shouldn’t have much impact on LabMD’s campaign against the regulator, CEO Michael Daugherty said on Tuesday. He pledged to continue fighting the “bullies” at the agency to prevent them from regulating companies’ data security without explicit regulations.

“I would find most people are going to not say it’s okay to have a government agency that assumes all powers are there until they’re told they’re not,” he said in an interview with The Hill.

Daugherty was on Capitol Hill on Tuesday to talk with congressional staff, many of whom he said have been supportive of his case.

The FTC last summer accused Daugherty’s Atlanta-based laboratory of failing to safeguard consumers’ personal information. The commission claimed that a spreadsheet with data of more than 9,000 patients was found on a peer-to-peer file-sharing network, exposing people’s medical history, Social Security numbers and other personal details.

The company has fought back against the charges.

To read the whole article, click HERE.


02 Apr Recent FTC Ruling Could Cloud Data Security Enforcement

Reblogged from iHealthBeat:

by John Moore, iHealthBeat Contributing Reporter


The arcane world of data security regulations just got a little more ambiguous.

In January, the Federal Trade Commission affirmed its authority to bring action against businesses that fail to adequately protect consumer data. The decision has particular implications for health care, as the case involved LabMD, a medical testing laboratory and a covered entity under HIPAA.

FTC last August filed a complaint against LabMD alleging the company exposed the personal information of about 10,000 people in two incidents. LabMD responded with its own missive: a motion to dismiss the complaint on the grounds that the FTC enforcement action clashed with HIPAA’s information security regulations.

On Jan. 16, FTC commissioners rejected LabMD’s arguments. As a result, health care providers and their business associates now need to consider FTC in addition to HHS’ Office for Civil Rights as a data security enforcement organization.

“What the FTC is saying is they feel they have the latitude … to go after anyone who doesn’t live up to the promises they make with respect to protecting their data,” said Mac McMillan, CEO of CynergisTek, an IT security consulting firm that focuses on health care.

“This was a big surprise to a lot of people,” McMillan said, adding, “Most health care organizations have never really viewed FTC as a regulatory body as it relates to privacy and security.”

Here are some other things healthcare organizations might find surprising:

  • The “new” regulator isn’t particularly new — FTC has been sniffing around health care and security for a number of years.
  • Settlements with FTC could involve 20 years of privacy audits if recent history applies to health care companies.
  • None of this may ever happen — pending court cases could check FTC’s data security watchdog role.

Overlapping Authority?

FTC’s assertion of authority stems from its interpretation of the FTC Act and its mission of pursuing consumer trust issues. In the LabMD decision, the commissioners ruled that a company’s data security lapses fall within the scope of the FTC Act’s ban on “unfair … acts or practices.”

The commission’s enforcement track, however, puts it on a path similar to OCR.

LabMD cited this overlap in its motion to dismiss. The company argued that HIPAA — which empowers OCR’s enforcement work — takes precedence over the FTC Act in the realm of data security.

The commissioners disagreed, saying, “Nothing in HIPAA … reflects a ‘clear and manifest’ intent of Congress to restrict the Commission’s authority over allegedly ‘unfair’ data security practices such as those at issue in this case.”

FTC’s decision is unlikely to stand as the final word on its data security powers in health care and other fields. Ongoing court cases should help determine whether FTC’s position will prevail. In one example, a federal court will rule on Wyndham Worldwide Corp.’s contention that FTC’s pursuit of data security represents an overreach of its authority. FTC in 2012 sued the hotel chain for alleged data security failures.

While the cases continue, some industry watchers believe FTC and OCR will be able to work cooperatively.

Scott Walters — director of security at INetU, a managed hosting and cloud provider that targets the health care industry — said FTC and HHS “are smart enough not to get into a double jeopardy situation” in which the two agencies would take independent action against the same company.

“I can see it being complementary for a while,” Walters said.

Brad Keller — senior vice president at the Santa Fe Group and program director of the company’s Shared Assessments Program — pointed out that FTC and HHS have some history with coordinated action. As an example he cited a 2010 case in which Rite Aid agreed to pay $1 million to settle potential HIPAA violations, following an “extensive joint investigation” by OCR and FTC.

“If you think about it, this isn’t all that new,” Keller said.

McMillan also noted FTC’s previous interest in data security, citing the commission’s discussions over the past five years with organizations including the Office of the National Coordinator for Health IT.

“They have always been clear: if they receive a complaint or perceive a customer trust issue, they will pursue it,” McMillan said.

Effect on Health Care Industry

Assuming FTC’s authority survives court challenges, health care providers would have another data security enforcement body looking at them — and one that can levy fines and order corrective measures.

As for fines, HIPAA has a higher penalty limit. David Harlow — president of The Harlow Group LLC, a healthcare law and consulting firm — noted that fines under the FTC Act are limited to $16,000 for each violation, compared with HIPAA’s maximum fine of $1.5 million.

McMillan, on the other hand, suggested that FTC has a more powerful weapon: privacy audits. When Google and Facebook settled with the FTC — amid complaints of mishandling users’ personal information — the companies agreed to undergo privacy audits for 20 years as part of the deal, according to Forbes.

McMillan said the cost of conducting periodic audits could prove more expensive in the long run than a HIPAA fine. “You’ve got the cost of an external monitor for 20 years,” McMillan said, noting that the audits are conducted by a third party.

He said, “It’s not just the cost, but being under the microscope for 20 years,” adding, “That is an awfully long time to have the government … reviewing what you are doing.”

But the effect of FTC enforcement should not prove as dire for health care providers who stay on the right side of HIPAA.

“If they pay attention to HIPAA, they are going to be fine,” Walters said. “I don’t think FTC is going to end up trumping HIPAA.”

Walters said the investment in HIPAA, HITECH and the omnibus rule suggests that those requirements will endure as the data security standard in health care.

McMillan said he believes FTC will apply HIPAA’s privacy and security requirements when considering health care companies.

“They are not going to pull some other standards out,” he said.

A gray area still exists, nevertheless. While HIPAA enforcement relies on specific rules, FTC pursues enforcement through case-by-case litigation, Harlow said. The commission doesn’t operate with a list of unfair business practices, he added. So, at least in theory, FTC could find fault with a HIPAA-compliant health care provider.

“There is still room for FTC to maneuver, even if they are fully HIPAA compliant,” Harlow said.


31 Mar Uropathology laboratory LabMD files suit against Federal Trade Commission


By The Pathology Blawg on Mar 31, 2014 08:00 am

Uropathology laboratory LabMD, which was forced to suspend operations in January 2014, has filed suit against the Federal Trade Commission (FTC), stating the agency has abused its power in the manner with which it has handled the data breach action the FTC brought against LabMD.

LabMD’s complaint

There is quite a bit of information in the 43-page complaint, which readers can refer to if interested, but the following represents a very brief summary of pertinent points within the complaint.

In 2008, a company called Tiversa obtained a LabMD computer file with the protected health information (PHI) of more than 9,000 patients from a peer-to-peer file sharing program.

Tiversa is:

a self-described “cyber-intelligence company” specializing in searching for and copying medical, financial, and other sensitive files on peer-to-peer networks using patented technology

Tiversa then told LabMD it had obtained the PHI but refused to provide any further information “unless LabMD entered into a contract for Internet security services” with Tiversa. LabMD refused.

Tiversa then allegedly turned LabMD’s PHI over to the FTC, after which the FTC launched a full-scale investigation into LabMD’s data security practices and pronounced the data breach was the result of inadequate data security practices.

These supposed inadequate data security practices, according to the FTC, represent an “unfair” trade practice under Section 5 of the FTC Act.

Notably, the FTC has, to this day, never actually stated in any rule, legal document or statement precisely what LabMD did wrong or what it should have done differently.

LabMD has consistently argued the FTC lacks the statutory authority to investigate PHI security, which falls under the purview of the Department of Health and Human Services (HHS) under HITECH and HIPAA.

Neither HHS nor the FTC has ever accused LabMD of violating HIPAA or HITECH, and in fact, HHS decided in September 2013 that there were no grounds to even initiate an investigation into LabMD’s data security practices as they relate to this case.

LabMD also argues the FTC has retaliated against its owner, Michael Daugherty, after he spoke out against what the FTC is doing in a book he wrote as well as during speaking engagements and press interviews, and that this amounts to a violation of the First Amendment.

As a result of the FTC’s actions, LabMD states it lost its directors and officers liability insurance in October 2013, and in addition, LabMD and its physicians cannot obtain tail malpractice insurance nor a general liability policy that would enable it to rent office space.

So after four years of legal and regulatory wrangling and over $500,000 in legal fees, LabMD filed this suit against the FTC asking for a declaratory judgment that:

  • The FTC lacks statutory authority to regulate patient-information data-security practices under Section 5
  • The FTC’s efforts to regulate patient information are beyond the scope of its power
  • The FTC violated LabMD’s due process rights by failing to provide adequate notice of what data-security practices it violated
  • The FTC violated LabMD’s due process rights by unconstitutionally combining legislative, prosecutorial, investigative, and adjudicatory functions
  • The FTC unconstitutionally retaliated against LabMD for engaging in constitutionally protected speech

LabMD also asks the court to stop the FTC from further pursuing any action against LabMD as it relates to this case and to compel the FTC to pay LabMD’s attorney fees.

Commentary

I spoke with Mr. Daugherty by phone the other day about his lawsuit and he said simply:

This lawsuit against the FTC is not about LabMD or Mike Daugherty, it is about protecting health care providers from government overreach.

Mr. Daugherty also provided me with a link to a short article written by two attorneys, which, in his opinion, represents an excellent summary of the big picture in this case.

This press release from Cause of Action, the government accountability organization that filed the suit on behalf of LabMD, also summarizes the case nicely.


14 Feb LabMD CEO Describes His Beefs With FTC


He Portrays Agency’s Security Investigations as Overzealous

Marianne Kolbasuk McGee of HealthcareInfoSecurity recently wrote:

“Michael Daugherty, CEO of LabMD, offers his perspective on a longstanding dispute with the Federal Trade Commission over two data security incidents. He has even written a book on the subject.

‘We cannot have agencies that are looking in rear view mirrors, making up their minds as they go along on technological issues they don’t understand,’ Daugherty says.

In an interview with Information Security Media Group, he explains his criticisms of the FTC investigations, which he says contributed to his decision last month to wind down operations of his company.”

Read the full article and listen to the podcast interview here!


03 Feb When The Government Closes Your Business

Michael J. Daugherty is interviewed on Forbes!

Here’s an excerpt:

For those unaware of the case, Daugherty is the founder of LabMD, an Atlanta-based medical testing laboratory that has been caught up in a four-year-long battle with the FTC. Days ago, the company issued a press release: Following a 4:0 vote by the FTC on January 16 to reject LabMD’s motion to dismiss an August 2013 complaint against the facility, the company announced that it has begun the process of winding down. The book documents the company’s saga. While it’s highly specific to the FTC battle, Daugherty’s experience as a founder is also a sobering story for any business owner to read.


Daugherty opened LabMD 18 years ago, in 1996. The lab operated as a small business of 20-some employees and analyzed blood, urine and tissue samples for cancer, micro-organisms and tumor markers. The nightmare began like most any misadventure in business: a company spreadsheet showed up in a research project on accidental data leakage. Somehow, the company’s database of private client information had escaped the firewall boundary. Upon investigation, the company discovered the unwitting culprit: an employee had downloaded LimeWire, a peer-to-peer sharing program, onto a company workstation to listen to music files during work. The peer sharing protocol, of course, created the means for sensitive client data to leave the network as well.

Yes, it was a serious issue and one that required corrective action. New security measures. Stronger employee procedures. Penalties, perhaps. Even fines.

But LabMD’s nightmare had only begun. What makes the LabMD story interesting is that the company has actually never been charged with a HIPAA violation (the federal government’s privacy regulation that governs who can look at and receive an individual’s private health information.) Instead, LabMD became one of a set of companies aggressively pursued by the Federal Trade Commission (FTC) for allegations of failure to protect sensitive client information, not as a HIPAA violation, but as a “deceptive and unfair trade practice.”

To read the whole article, click HERE.
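The incident described in the Forbes excerpt turned on a spreadsheet of patient data sitting in a folder that a peer-to-peer client on a workstation was sharing. The check a practitioner would want here is a scan of any directory such a client exposes for files that contain SSN-shaped identifiers, run before the share goes live or as a periodic sweep. The following is an added example, not code from the Forbes article, from LabMD or from the original page: it builds a constructed folder tree with made-up identifiers (a music folder, a billing export, a notes file), walks it, and reports each file holding plausible SSNs. The plausibility rules (area 000, 666 or 900–999, group 00 and serial 0000 are never issued) are applied to cut false positives from placeholder values; the directory layout, file names and values are assumptions for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Dashed US SSN format only; other layouts (no dashes, spaces) are out of scope here.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This drops typical test/placeholder values."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN-shaped token in text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_tree(root: Path) -> dict[str, int]:
    """Walk a directory a file-sharing client would expose and map
    relative path -> hit count for every file with at least one plausible SSN."""
    findings: dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            # Binary files (music) decode to noise; errors="ignore" keeps the walk going.
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits = find_ssns(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = len(hits)
    return findings


def demo() -> dict[str, int]:
    """Constructed sample tree (made-up identifiers, not real data): a music
    folder, a billing export with two real-shaped SSNs, and a notes file that
    holds only placeholder numbers the plausibility filter discards."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "music").mkdir()
        (root / "music" / "track01.mp3").write_bytes(b"ID3\x03\x00" + bytes(64))
        (root / "billing").mkdir()
        (root / "billing" / "patient_billing.csv").write_text(
            "patient_id,ssn,diagnosis_code\n"
            "1001,123-45-6789,C61\n"
            "1002,219-09-9999,N40\n",
            encoding="utf-8",
        )
        (root / "notes.txt").write_text(
            "test rows use 000-12-3456, 666-01-0001 and 987-00-1234 only\n",
            encoding="utf-8",
        )
        return scan_tree(root)


if __name__ == "__main__":
    for rel, count in demo().items():
        print(f"{rel}: {count} SSN-like value(s)")
```

Pointing `scan_tree` at the share folder a P2P client advertises (or at a user's home directory when such a client is found installed) gives a quick answer to the question the Forbes passage raises in hindsight: whether anything in the shared tree carries patient identifiers at all. A regex scan is a coarse control and will miss identifiers stored without dashes or inside binary office formats; the structural control is to block peer-to-peer clients on workstations that handle PHI in the first place.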


29 Jan FTC Cyber Case Has Nearly Put Us Out of Business, Firm Says

By Rachel Louise Ensign of the Wall Street Journal

A firm battling the Federal Trade Commission’s authority to regulate its corporate cybersecurity said it has stopped most of its operations because of costs tied to the agency’s case.

Medical testing laboratory LabMD Inc. stopped collecting new specimens earlier this month, according to a letter to customers filed in federal court as part of its dispute with the agency. The firm is also now “closed for phone calls and Internet access” though reports and billing are still available, the letter said.

“This action is in large part due to the conduct of the Federal Trade Commission,” President and Chief Executive Michael J. Daugherty wrote in the letter. “The FTC has subjected LabMD to years of debilitating investigation and litigation regarding an alleged patient-information data-security vulnerability.”

The privately held Atlanta firm has shrunk to three employees including Mr. Daugherty from a peak of about 40 in recent years, he said in an interview. It does not plan to file for bankruptcy, he said.

A drop in reimbursements and marketplace changes from the Affordable Care Act also played a role in LabMD’s recent cuts, he said.

The FTC filed a complaint against LabMD in August alleging that the firm failed to reasonably protect data after an investigation that began in 2010. It alleged that information on more than 9,000 consumers was found on a file-sharing network and that LabMD documents with “sensitive personal information” of at least 500 consumers were “found in the hands of identity thieves.”

The agency faulted the company for allegedly lax data-security practices and proposed an order that would require the firm to implement information-security improvements and send data-breach notices to customers.

But LabMD fought back, disputing the FTC’s authority and saying its data-security practices are covered by other laws, including the Health Insurance Portability and Accountability Act of 1996 or HIPAA, with which the firm said it was in compliance.

“The goal in this case has always been to ensure that this sensitive information is appropriately protected. FTC attorneys litigating this matter will gather information about the reported changes to LabMD’s business operations and determine how best to protect the sensitive consumer data the company has collected,” said Jessica L. Rich, director of the FTC’s bureau of consumer protection, in a statement to Risk & Compliance Journal. The bureau is litigating part of the case with LabMD.

The dispute is now playing out in an administrative law court. Nonprofit group Cause of Action in November also filed a lawsuit in Washington, D.C., federal court against the FTC on behalf of LabMD.

Mr. Daugherty and Cause of Action have alleged that the FTC investigation of the alleged data security problems has been onerous. “Complying with the FTC’s demands has cost LabMD hundreds of thousands of dollars as well as thousands of hours of management and employee time,” Cause of Action said in a press release.

The FTC has tried to fill the gap left by a congressional stalemate on cybersecurity legislation, which has left the U.S. without a clear national data-security regulator. But it can be difficult for firms to know what exactly they need to do to stay on the FTC’s good side. “The agency has not issued detailed regulations to help businesses understand what sort of cybersecurity requirements it expects,” said Craig Newman, managing partner at Richards Kibbe & Orbe LLP and chief executive of the Freedom2Connect Foundation, a nonprofit organization that opposes Internet censorship.

Wyndham Worldwide Corp. has also challenged the FTC’s authority to regulate cybersecurity. The hotelier is in an ongoing legal battle with the regulator, which has faulted it for a data breach.

Write to Rachel Louise Ensign at rachel.ensign@wsj.com
