Just last month, we discussed a recent Federal Trade Commission (FTC) case addressing deceptive practices involving patient privacy. In an extremely important decision in July, the FTC once again addressed privacy concerns in the healthcare sector.
In administrative actions brought by the FTC, the initial complaint is heard by an administrative judge, with appeals being made to the full Commission. Sitting in this appellate capacity, the FTC reversed an administrative law judge's decision that LabMD did not violate the FTC Act in securing patient data. Specifically, the FTC reversed the judge's decision that no harm had been caused by the alleged unfair disclosure of sensitive medical data.
The FTC's Claims Against LabMD
The FTC's decision comes after a long history between the parties. The FTC alleges that in two incidents that took place almost eight years ago, LabMD exposed the personal information of about 10,000 consumers. In the first incident, a file including the names, birth dates, apparent Social Security numbers, codes for medical tests and insurance information for about 9,300 individuals was allegedly exposed to public access via a peer-to-peer file-sharing service. In the second, police found hard copy documents containing the names and apparent Social Security numbers of approximately 600 people in the possession of identity thieves.
The Unfairness Theory
Most consumer protection actions brought by the FTC fall into one of two buckets: deception and unfairness. In the case we talked about last month, Practice Fusion, the FTC's action centered on deceptive practices regarding the collection of patient data. In this new case involving LabMD, the FTC's action focused on unfair practices. The LabMD case involved allegations that LabMD failed to adequately safeguard patient data. In a significant development, the FTC held that the unauthorized disclosure of sensitive personal data—even when not financial in nature—can constitute harm.
The FTC and the state attorneys general have for many years been heavily engaged in consumer privacy and data security matters. Most of these actions have involved data breaches where personal financial information has been improperly disclosed. They often involve issues of deception where companies are alleged to have failed to live up to the security standards they promised to consumers.
By contrast, the other main theory used by the FTC and attorneys general is the unfairness theory, which does not necessarily require misrepresentations or omissions by a company. The FTC's enforcement authority comes in large part from Section 5 of the FTC Act, found at 15 USC Sec. 45(a)(1), which states that:
"Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful."
While deceptive acts or practices as used in this section have long been well understood, the FTC's application of "unfair" acts or practices caused, for many years, considerable confusion. The FTC eventually issued a policy statement—later codified at 15 USC Sec. 45(n)—which states in pertinent part that no act may be held to be unfair:
"…unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."
In the data breach world, it has long been understood that the unauthorized disclosure of financial information could meet the standard of "substantial injury" as used by this section. Much more ambiguous has been the idea that sensitive personal information—such as health records without any financial exposure—could qualify as "substantial injury." The FTC's decision in LabMD has made clear that under its analysis, such unauthorized disclosure can indeed qualify as harm satisfying the requirements of the unfairness test.
Key to any data breach case is an allegation that there was unauthorized disclosure, and that the disclosure was due to shortcomings in data security practices. The FTC found that LabMD had no intrusion monitoring system, provided no data security training program, lacked strong password requirements, and did not properly update its software to guard against known vulnerabilities.
Of particular concern to the healthcare industry, the FTC found that certain standards under the Health Insurance Portability and Accountability Act (HIPAA) were not followed. The FTC specifically cited the lack of compliance with the basic requirements of HIPAA's so-called "Security Rule." The FTC emphasized that LabMD failed even to conduct a risk assessment to identify vulnerabilities and implement remedies.
The Security Rule is designed to be sufficiently flexible to apply to individuals and organizations ranging from a solo practice to a national insurer, but the requirement to conduct a risk assessment applies equally to all. The FTC noted the foundational role that risk assessment plays in data security. Failure to conduct such a risk assessment—even setting aside the failure to take any affirmative steps to mitigate any risks identified—indicates a disregard for basic data security practices.
Having found that security processes were lacking, the FTC then examined the key issue as to whether or not disclosure of personal health data could constitute harm. As part of its analysis, the FTC looked to specific laws and cases governing the confidential nature of health records. The FTC examined HIPAA and the Practice Fusion agreement (the subject of last month's article) to show the established law surrounding the importance of the confidentiality of health data.
More significantly, the FTC also looked at privacy issues from outside specific healthcare laws and considered the more general provisions of tort law. Specifically, in the order that was reversed by the FTC, the administrative law judge held that:
"Even if there were proof of such harm [disclosure of sensitive medical data], this would constitute only subjective or emotional harm that, under the facts of this case, where there is no proof of other tangible injury, is not a 'substantial injury' within the meaning of Section 5(n)."
The FTC rejected this analysis in its decision. It broadly held that general privacy interests can constitute harm. As the FTC stated:
"Tort law also recognizes privacy harms that are neither economic nor physical. As explained by the Restatement of Torts, when 'intimate details of [one's] life are spread before the public gaze in a manner highly offensive to the ordinary reasonable man, there is an actionable invasion of his privacy, unless the matter is one of legitimate public interest.' [ . . . thus], one can be held liable for invasion of privacy if 'the matter publicized is of a kind that[:] (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.'"
The FTC went on to hold that:
"We therefore conclude that the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n), and thus that LabMD's disclosure of the [consumer data] caused substantial injury."
The consequences of this decision are quite significant. By looking beyond specific healthcare laws and cases and finding support for its decision in tort law, the FTC has sent a clear signal that this decision will have an impact in areas well beyond just patient data. Most importantly, however, the decision unequivocally states that in the eyes of the FTC, the disclosure of sensitive personal data can cause harms that are neither economic nor physical, but still satisfy the "substantial injury" requirement of Section 5 of the FTC Act. Now that the release of sensitive personal data can itself constitute harm, without any bright-line, quantifiable economic component to the breach, it can be fairly predicted that substantial litigation will ensue to determine the objective boundaries of what are very subjective concerns.