Summary
On July 28, 2016, a panel (the “FTC Panel”) of three acting Federal Trade Commission (“FTC”) commissioners issued an opinion that found that LabMD, Inc. (“LabMD”) failed to implement reasonable security measures to protect sensitive consumer information, including medical information, and that LabMD’s security practices were “unfair” under Section 5 of the Federal Trade Commission Act (“FTC Act”).  The decision serves as a powerful reminder to health care businesses that the failure to implement appropriate security practices may not only constitute a violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), but may also result in liability under the FTC Act.

Summary of Relevant Facts
LabMD operated a clinical laboratory from 2001 to 2014.  In or around 2005, a LabMD billing manager downloaded and installed the peer-to-peer file-sharing program LimeWire onto a LabMD computer.  The program was used by LabMD personnel to download and listen to music.  As a result of the LimeWire download, nearly 1,000 files on the LabMD computer, including files containing consumers’ personal information, were inadvertently made accessible to other users of LimeWire.  

In 2008, a third party, who was not affiliated with LabMD, discovered and downloaded a copy of a LabMD insurance aging report from the LimeWire program.  That file alone (the “1718 File”) included 1,718 pages of sensitive personal information of approximately 9,300 consumers, including names, dates of birth, social security numbers, CPT codes and, in some cases, health insurance information.  LabMD did not disclose the incident to any of the consumers listed in the 1718 File.

According to the opinion, from 2005 through 2010, LabMD did not: utilize basic risk management techniques or safeguards such as automated intrusion detection, file integrity monitoring or penetration testing; monitor traffic across its firewalls; require its personnel to use strong passwords; adequately restrict and monitor the computer practices of its employees; or provide employees with security training, the latter in violation of its own internal compliance program.

The FTC Act and Case History
Under Section 5 of the FTC Act, the FTC may challenge “unfair or deceptive acts or practices in or affecting commerce.”  Section 5(n) of the FTC Act states that an act or practice may be deemed “unfair” if (1) it causes or is likely to cause substantial consumer injury; (2) the injury is “not reasonably avoidable by the consumers”; and (3) the injury is not outweighed by countervailing consumer benefits.

In 2013, the FTC issued a complaint against LabMD, alleging that LabMD “failed to provide reasonable and appropriate security for personal information stored on its computer network and that its failure caused or was likely to cause substantial consumer injury…”  A hearing was held before an administrative law judge (“ALJ”).  The ALJ held that the FTC failed to prove that LabMD’s security practices caused or were likely to cause substantial consumer injury under Section 5(n) of the FTC Act and dismissed the FTC’s action against LabMD.  The FTC appealed to the FTC Panel.

FTC Panel Analysis
In its opinion, the FTC Panel analyzed the three elements of “unfairness” under  Section 5(n) of the FTC Act.

With respect to the first element of “unfairness,” the FTC Panel found that LabMD’s disclosure of the 1718 File caused actual substantial injury to consumers, despite there being no evidence of identity theft, medical identity theft, or physical harm to any of the consumers.  Rather, the FTC Panel concluded that “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury…”  Although the FTC Panel found that there was actual harm to consumers, the FTC Panel continued its analysis of the first element of “unfairness” and held that the exposure of the 1718 File – the fact that it was available and unprotected for an extended period of time – was also “likely to cause” substantial injury.  The FTC Panel found there was “significant risk of substantial injury” because the personal information contained in the 1718 File was exposed, or accessible, to millions of LimeWire users, even if not actually accessed by them.  The FTC Panel noted that the severity of the potential harm to consumers was high due to the sensitivity of the data involved.

Turning to the second element of “unfairness,” the FTC Panel concluded that consumers had no ability to avoid the harms caused by LabMD’s security practices.  With respect to the third element, to the extent that LabMD was saving consumers money by not expending resources on security tools, the FTC Panel held that those benefits were “negligible.”  The FTC Panel noted that there were many free or low-cost security tools available to LabMD.

As a result, the FTC Panel overturned the decision of the ALJ and ordered LabMD: to notify affected consumers; to establish a comprehensive information security program reasonably designed to protect consumer personal information; and to obtain independent assessments regarding its implementation of the security program.

Takeaways
The following are important lessons from the LabMD decision:

• A comprehensive security program is essential for businesses in the health care sector that handle health information.  
• Consequences can result from a business failing to understand the ways in which non-work-related software programs and applications (such as music sharing software) can increase the risk of unauthorized access to protected health information.  
• Effective employee training must be incorporated into any comprehensive security program.  
• Covered entities and business associates may be subject to governmental oversight by both the Office for Civil Rights (the agency that enforces HIPAA) and the FTC with respect to their security practices.