In a reminder that the U.S. Department of Health and Human Services (“HHS”), with its HIPAA security requirements and enforcement authority, is not the only game in town when it comes to health information privacy, the Federal Trade Commission (“FTC”) recently released a complaint against LabMD, Inc., alleging that a lack of information security was an unfair practice under Section 5 of the FTC Act. The case serves as a further reminder that, where HIPAA requires protection of patients’ “protected health information,” the FTC statute and enforcement authority extend to even broader categories of data.
The complaint stems from two incidents: (1) personal information of approximately 9,300 consumers was made available to a peer-to-peer (“P2P”) file-sharing network after a billing department manager installed P2P software on a workstation for personal use; and (2) personal information of hundreds of the lab’s patients was discovered by Sacramento law enforcement in the hands of identity thieves. The complaint seeks a 20-year consent order requiring monitoring of the lab’s information security practices. The complaint identifies a number of risks and safeguards that labs and other health care providers (as well as non-health care entities) should consider including in their own information security risk analyses and risk management plans.
The FTC complaint alleges that the lab:
- Did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information;
- Did not identify commonly known or reasonably foreseeable security risks and vulnerabilities;
- Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
- Did not adequately train employees to safeguard personal information;
- Did not require authentication safeguards for remote access, such as requiring changing of passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication;
- Did not maintain and update operating systems; and
- Did not employ measures to detect unauthorized access to personal information, such as unauthorized P2P file-sharing programs.
Unlike the HIPAA Security Rule, the FTC’s statute and regulations do not include a specific list of information security controls that must be put in place. Rather, the FTC has broad discretion to seek enforcement against any practice it considers “unfair” or “deceptive.” The FTC has exercised this enforcement discretion before in the health care space, issuing complaints against national pharmacy chains for disposing of prescription information in publicly accessible waste containers. Complaints such as this one are the clearest indication of what the FTC expects organizations to do to avoid “unfair” trade practices. The complaint against LabMD includes some similarities to HIPAA, such as emphasizing an information security risk analysis, but arguably is more aggressive than HHS and HIPAA in other respects, such as indicating a need for different passwords for different applications, and implying that two-factor authentication is required for remote access. Organizations may be well served to consider the FTC’s position, particularly as part of their own risk analyses.