The saga of LabMD v. the Federal Trade Commission (FTC) continues to twist and turn as more information comes to light about the business practices of "cyber intelligence" company Tiversa, Inc. and the FTC’s heavy reliance on Tiversa’s claim that LabMD failed to secure patients’ data.
It’s now been two years since the FTC first launched its investigation and filed a complaint against the Atlanta-based medical testing firm for an alleged data security breach, which the FTC claimed violated section 5 of the FTC Act, the provision that prohibits unfair or deceptive acts or practices in commerce. The investigation centered on a LabMD health insurance computer file containing protected health information (PHI) on more than 9,000 patients (the "1718" file) that had allegedly been exposed on the Internet. Tiversa informed LabMD that it had found the 1718 file on a peer-to-peer file sharing network, and it notified the FTC about the exposure after LabMD refused to contract with Tiversa for security monitoring services.
After months of delay, the evidentiary hearing in the case before presiding FTC administrative law judge D. Michael Chappell was completed July 15 and the record closed July 20.
Some of the most explosive testimony came from key witness Richard Wallace, a former Tiversa employee turned whistleblower, who was granted immunity to appear (see G2 Compliance Advisor January 2015). He testified May 5 that, among other things, Tiversa manufactured evidence using phony IP addresses to make the 1718 file look as if it had been downloaded by several known identity thieves, when in fact he had downloaded the file from LabMD’s own server. He also testified that, at the direction of Tiversa CEO Robert Boback, he made the data breach look worse than it was once LabMD refused to enter a monitoring contract with Tiversa; that Tiversa had deceived many businesses in this way to get them to contract with the company; and that Tiversa provided false information to the FTC.
Tiversa has defended itself, saying that Wallace’s allegations were "baseless" and coming from a "terminated employee."
Several days after Wallace’s testimony, Congressman Darrell Issa released the staff report from the House Oversight and Government Reform Committee, prepared in February but embargoed until Wallace testified. The report found, among other things, that:
- Tiversa was no "white knight" but instead often acted unethically and sometimes unlawfully in its use of documents unintentionally exposed on peer-to-peer networks
- Tiversa CEO Boback and at least one employee under his direction provided false information to the U.S. government
- Tiversa obtained non-public advance knowledge of FTC enforcement actions from which it attempted to profit
- Tiversa used "unseemly" business practices such as fearmongering and mining files for "potential" clients
- Tiversa provided information on LabMD and almost 100 other companies to the FTC when they refused to do business with Tiversa
- The FTC and Tiversa misrepresented their relationship, and the FTC failed to question the information Tiversa provided or Tiversa’s creation of a "dubious" shell organization to funnel information to the FTC
- Tiversa withheld documents from the FTC.
In light of all of this information, LabMD filed a motion June 19 with the FTC requesting that the Department of Justice investigate Tiversa and Boback for potential criminal activity, including perjury, knowingly obtaining or disclosing individually identifiable health information maintained by LabMD without authorization or for commercial gain, conspiracy, computer crimes, obstruction and falsification of records.
The FTC did not join in this motion but didn’t oppose it, either. Tiversa and Boback have asked the FTC for time to file a response to this motion, calling the accusations "serious yet baseless" and designed to impugn their reputations.
LabMD, whose attempts to dismiss the FTC’s complaint have been denied, filed an Answer and Defenses July 31. It again denies that it violated section 5 of the FTC Act and argues that the FTC lacks authority to regulate the conduct alleged in the Complaint. Even if the FTC did have such authority, LabMD asserts, the complaint violates LabMD’s due process rights because the FTC has issued no rules, regulations or guidelines telling businesses what they must do to comply with the Act.
LabMD is also now claiming that the proceedings violate the U.S. Constitution because the presiding administrative law judge was not appropriately appointed.
The FTC’s proposed order would require LabMD to institute comprehensive data security measures and be evaluated by the agency every two years for 20 years (see G2 Compliance Advisor October 2013). LabMD has stated that it has been forced to cease operations due to the FTC’s actions against it.
The last deadline for post trial briefs is September 4.
Case may have long-term consequences
The underlying importance of this case is whether and to what extent the FTC has authority to investigate and impose enforcement actions for data breaches. LabMD has repeatedly asserted that since as a covered entity it is subject to HIPAA, any data breach it may have suffered should be investigated not by the FTC but by the Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces that law and which has published numerous regulations and guidance to help organizations comply with it.
The FTC and OCR appear to take different approaches to data security breach enforcement. The FTC prefers to impose long-term corrective action plans, such as the one proposed for LabMD. In contrast, OCR prefers to resolve HIPAA violations more informally and with education. It has issued more formal, punitive settlements in only 26 situations, where it found multiple HIPAA violations and wanted to set an example regarding particular conduct. For instance, its latest Resolution Agreement, announced in July, fines a hospital $218,400 for exposing patient files by using an unauthorized, insecure Internet-based document sharing application to store documents, but the accompanying OCR evaluation period is only one year.
The FTC also differs from the OCR in that it deals only with companies in interstate commerce, but is concerned with all consumer information, not just patient PHI.
If the FTC prevails in the LabMD case, it will likely continue or even ramp up its enforcement of data breaches, even in the absence of extensive rules regarding what it expects of businesses. It did offer an explanation in a May 20 blog post about its process when it investigates a data security breach. It also issued a new security guide in July aimed at helping businesses keep data secure. The guide provides 10 "practical lessons" drawn from various enforcement actions the FTC has taken involving security breaches. Each lesson uses a specific FTC settlement as an example, although none of them involve health care entities. Many of the tips are similar to those found for HIPAA compliance and are rather basic, such as requiring complex passwords. It is not yet known whether these offerings provide sufficient guidance to companies in the FTC’s crosshairs.
However, the new information about Tiversa calls into serious question the FTC’s reliance on Tiversa in its investigation of LabMD, which could affect both the outcome of this case and the agency’s enforcement efforts in the future. The bottom line, of course, is that LabMD apparently did have some problems with data security if the 1718 file could end up in Tiversa’s hands at all.
Takeaway: Compliance officers should be aware that labs currently can be investigated by both OCR and the FTC in the event of a security breach. Steps should be taken to comply with both HIPAA and the FTC Act and use due diligence to keep consumer information safe.