Uropathology laboratory LabMD, which was forced to suspend operations in January 2014, has filed suit against the Federal Trade Commission (FTC), stating the agency has abused its power in the manner with which it has handled the data breach action the FTC brought against LabMD.
There is quite a bit of information in the 43 page complaint, which readers can refer to if interested, but the following represents a very brief summary of pertinent points within the complaint.
In 2008, a company called Tiversa obtained a LabMD computer file with the protected health information (PHI) of more than 9,000 patients from a peer-to-peer file sharing program.
a self-described “cyber-intelligence company” specializing in searching for and copying medical, financial, and other sensitive files on peer-to-peer networks using patented technology
Tiversa then told LabMD it had obtained the PHI but refused to provide any further information “unless LabMD entered into a contract for Internet security services” with Tiversa. LabMD refused.
Tiversa then allegedly turned LabMD’s PHI over to the FTC, after which the FTC launched a full-scale investigation into LabMD’s data security practices and pronounced the data breach was the result of inadequate data security practices.
These supposed inadequate data security practices, according to the FTC, represent an “unfair” trade practice under Section 5 of the FTC Act.
Notably, the FTC has, to this day, never actually stated in any rule, legal document or statement precisely what LabMD did wrong or what it should have done differently.
LabMD has consistently argued the FTC lacks the statutory authority to investigate PHI security, which falls under the purview of the Department of Health and Human Services(HHS) under HITECH and HIPAA.
Neither HHS nor the FTC have ever accused LabMD of violating HIPAA or HITECH, and in fact, HHS decided in September 2013 that there were no grounds to even initiate an investigation into LabMD’s data security practices as they relate to this case.
LabMD also argues the FTC has retaliated against its owner, Michael Daugherty, after he spoke out against what the FTC is doing in a book he wrote as well as during speaking engagements and press interviews, and that this amounts to a violation of the First Amendment.
As a result of the FTC’s actions, LabMD states it lost its directors and officers liability insurance in October 2013, and in addition, LabMD and its physicians cannot obtain tail malpractice insurance nor a general liability policy that would enable it to rent office space.
So after four years of legal and regulatory wrangling and over $500,000 in legal fees, LabMD filed this suit against the FTC asking for a declaratory judgment that:
- The FTC lacks statutory authority to regulate patient-information data-security practices under Section 5
- The FTC’s efforts to regulate patient information are beyond the scope of its power
- The FTC violated LabMD’s due process rights by failing to provide adequate notice of what data-security practices it violated
- The FTC violated LabMD’s due process rights by unconstitutionally combining legislative, prosecutorial, investigative, and adjudicatory functions
- The FTC unconstitutionally retaliated against LabMD for engaging in constitutionally protected speech
LabMD also asks the court to stop the FTC from further pursuing any action against LabMD as it relates to this case and to compel the FTC to pay LabMD’s attorney fees.
I spoke with Mr. Daugherty by phone the other day about his lawsuit and he said simply:
This lawsuit against the FTC is not about LabMD or Mike Daugherty, it is about protecting health care providers from government overreach.
Mr. Daugherty also provided me with a link to a short article written by two attorneys, which, in his opinion, represents an excellent summary of the big picture in this case.