The FTC and Keeping Privacy Promises

By Tish Eggleston Pahl and Jonathan M. Weinrieb

In 2012, identity theft was the number one complaint reported to the Consumer Sentinel Network.  Protection of private consumer information continues to be a high priority for law enforcement and any business dealing with consumer information – that is, everyone – needs to keep abreast of what the Federal Trade Commission (FTC) is up to.  The FTC has frequently pursued companies that failed to adhere to their own security and privacy policies as a violation of Section 5 of the FTC Act.

Making good on that commitment, last week the FTC filed an administrative complaint against Atlanta-based LabMD alleging that the medical testing laboratory failed to protect the personal data and medical information of some 10,000 consumers.  According to the FTC press release, information about LabMD patients, including names, Social Security numbers, dates of birth, insurance providers, and treatment codes, was found on a peer-to-peer (P2P) file-sharing network and provided to the agency.  Sensitive personal information of some 500 LabMD patients was also found in the hands of identity thieves.

The FTC alleges that LabMD violated the FTC Act by failing to take reasonable and appropriate measures to prevent these purported unauthorized disclosures of sensitive consumer data.  It might be assumed that the U.S. Dept. of Health and Human Services (HHS) Office for Civil Rights (OCR) would be the one bringing cases for alleged medical privacy breaches – and they do.  OCR enforces, among other things, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act).  The FTC, however, has long pursued companies who disclose consumers’ sensitive information in violation of the FTC Act and the FTC and OCR have brought cases jointly.

For instance, in February 2009, CVS Caremark settled with the FTC for violations of the company’s own privacy policy, in violation of the FTC Act, and with OCR for violations of HIPAA.  The investigations and settlements followed disclosures in the media that CVS pharmacies were throwing into unsecured trash bins pill bottles and order information that included, among other things, patient names, addresses, medications, social security numbers, and other confidential information.  There was a similar cooperative case the FTC and OCR settled with Rite Aid in July 2010.

There does not appear to be any explanation for why OCR is not participating in the FTC’s pursuit of LabMD.  Perhaps it is busy drafting much-needed guidance clarifying the refill reminder exception to patient authorization under HIPAA/HITECH.

LabMD is vigorously disputing the FTC’s version of events.  The company accuses the FTC of going on a fishing expedition, appearing to assert that another entity, Tiversa, stole LabMD’s data and then tried to force the company into a service agreement.  The FTC claims, conversely, that LabMD is refusing to cooperate with the investigation.

In the meantime, the FTC offers a business guide on P2P file sharing.  The agency is also sponsoring a workshop on November 19 on The Internet of Things to start up a dialogue about the growing connectivity of consumer devices, such as cars, appliances, and medical devices.  Given that consumers are now doing things like turning their house lights on and monitoring their blood pressure from their mobile phones, assuring security of medical and other private information is a natural outgrowth of the FTC’s interest in the issue.

Companies collecting consumer and patient information should take note and continue to keep abreast of the FTC’s (and HHS’s) activities.  As a former FTC Chairman stated in January 2013, in announcing a settlement with a leading cord blood bank, “[t]he FTC can and will take action to make sure that companies live up to the privacy promises they make to consumers, particularly when it comes to highly sensitive information like the health information.”