07 May Unfair enforcement? FTC vs. LabMD – Excerpts from original post on PHIprivacy.net
Is the Federal Trade Commission (FTC) – the agency that is supposed to protect consumers from unfair business practices – itself engaging in unfair practices in its treatment of LabMD? Who protects us from over-zealous regulators?
Refusal to Cave Costs LabMD Their Business
Rather than comply with what it considered unwarranted and unreasonable demands, LabMD decided to fight the FTC. The FTC action resulted in them losing their insurance, incurring approximately $500,000 in costs (so far), and ultimately, losing their business under the crushing burden of the litigation.
Is it good for patient privacy and data security to have a lab that HHS never investigated – because there was no reportable breach and HHS received no complaints about the incident – fold under the extraordinary financial burden of an FTC investigation? I don’t see how. Yes, the second data security incident involving LabMD day sheets may have been associated with consumer/patient harm if the information was used for identity theft or fraud, but unless the FTC plans to investigate tons of cases where copies of paper records with PII or PHI are found in possession of criminals, what was and is the point of its investigation and complaint against LabMD – a process that it initiated well before it even knew about the day sheets incident?
Even if the FTC were to drop its complaint against LabMD – and in the interests of genuine fairness, I think it should – LabMD has already been destroyed. Sadly, the agency tasked with preventing unfair practices has itself seemingly engaged in unfair practices here. How can the business they have harmed be made whole again if objective people look at the situation as it was in 2008 and agree that there was no fair notice, no harm reported by patients, and that LabMD’s data security program and policies were consistent with standard practice for that time and type of organization?