LabMD, the embattled cancer detection laboratory, fully briefed its appeal to the Eleventh Circuit, congressional inquiry into the FTC’s data security enforcement actions continued, and LabMD sought sanctions against the FTC in the ongoing administrative proceedings.

As we discussed in July, Tiversa, a “cyber-intelligence” company, notified the FTC in 2009 that a file containing the personal information of about 9,300 LabMD patients was available on a peer-to-peer file sharing network. The FTC filed an administrative action against LabMD in August 2013, alleging that LabMD’s failure to adequately safeguard its patients’ personal information was an “unfair or deceptive” act or practice in violation of Section 5 of the FTC Act.

The Northern District of Georgia dismissed LabMD’s suit to enjoin the FTC action as nonjusticiable, and LabMD appealed to the Eleventh Circuit. As of August 11, that appeal is fully briefed. In its briefing, LabMD argued that the FTC lacked authority under Section 5 to regulate personal health information data security practices because, inter alia, (1) HIPAA and HITECH provide the sole regulatory scheme applicable to health care data privacy practices, and (2) the FTC’s enforcement action violated due process because of the absence of any administrative guidance regarding what could be considered “unfair” data security practices under Section 5. LabMD called the FTC’s enforcement action an ultra vires “power grab” beyond its congressional grant of authority. The FTC responded by asserting broad authority under Section 5, which it asserted is consistent with HIPAA or HITECH. In late August, the Eleventh Circuit scheduled oral argument.

In the meantime, the House Oversight and Government Reform Committee (Oversight Committee) held a hearing on July 24 titled, “The FTC and its Section 5 Authority: Prosecutor, Judge and Jury,” as it continues to investigate the FTC’s relationship with Tiversa. Tiversa’s cooperation with the FTC on the LabMD and other data security cases was allegedly part of a scheme to extort lucrative data security contracts from health care providers under the threat of FTC action if they were not hired. The Oversight Committee chairman, Darrell Issa (R.- Calif.), reportedly was criticized by Senator Jay Rockefeller (D. - W. Va.) for inappropriately assisting LabMD’s lawyer because the lawyer was a former member of Issa’s staff.

The trial in the FTC’s administrative action stalled after key witness and former Tiversa employee Rick Wallace invoked his Fifth Amendment right against self-incrimination and approached the Oversight Committee with allegations that Tiversa may have manipulated information it gave the FTC regarding LabMD’s security practices. The administrative law judge ruled on August 22 that no action from LabMD is required until the Oversight Committee either grants or denies immunity to Wallace for his testimony to the committee or in the administrative proceedings. On August 14, LabMD asked the administrative law judge for sanctions against the FTC, accusing Tiversa of stealing the LabMD client data at issue and the FTC of failing to authenticate the data it received during its “secretive relationship” with Tiversa. The judge has yet to rule on LabMD’s motion for sanctions.