In a letter to the Federal Trade Commission, a congressional committee is questioning the agency's complaint against medical testing laboratory LabMD Inc., suggesting that it may have relied on inaccurate information in launching a database security investigation against the company.
The FTC filed a complaint against Atlanta-based LabMD Inc. in August 2013, charging that the company had failed to reasonably protect the security of consumers' personal data, including medical information. The complaint charged that in two separate incidents, LabMD collectively exposed the personal information of about 10,000 consumers.
In the most recent development in that case, according to FTC's website, the agency filed a motion on June 6 in opposition to LabMD's motion to dismiss the case.
In March, the laboratory, which closed in January, had sued the FTC in U.S. District Court in Atlanta, accusing the FTC of an “unconstitutional abuse of power” for its investigation of the company's data security practices. That case was dismissed by the court on May 13.
In a letter Tuesday to FTC acting Inspector General Kelly Tshibaka, Rep. Darrell Issa, R-Calif., who is chairman of the House Oversight and Government Reform Committee, said the committee is investigating the activities of Pittsburgh-based intelligence and security firm Tiversa Inc.
According to the letter, in 2008 Tiversa “allegedly discovered a document containing the personal information on thousands of patients on a peer-to-peer network” and contacted LabMD, offering its “remediation” services through a professional services agreement.
When LabMD did not accept Tiversa's offer, Tiversa later provided the FTC with a document it created that included information about LabMD among other companies. “Apparently Tiversa provided information to the FTC about companies that refused to buy its services,” says the letter.
“In addition to concerns about the merits of the enforcement action with respect to the FTC's jurisdiction, the committee has substantial concerns about the reliability of the information Tiversa provided to the FTC, the manner in which Tiversa provided the information, and the relationship between FTC and Tiversa,” says Rep. Issa's letter.
The letter asks that the FTC examine issues including procedures for receiving information that it uses to bring enforcement actions.
Spokesmen for the FTC and Tiversa could not immediately be reached for comment.
Aaron K. Lancaster, counsel at law firm Dickstein Shapiro L.L.P. in Washington, said while it is hard to say what the facts are at this point, “it would certainly be unfortunate if inaccurate information did play a role in the FTC's decision” to begin an investigation.
“The big issue is whether the FTC has authority to regulate information security, including with respect to” the entities covered by the Health Insurance Portability and Accountability Act of 1996, said Adam Greene, a partner with Davis Wright Tremaine L.L.P. in Washington, who specializes in counseling health care systems and technology companies on compliance with HIPAA's privacy, security and breach notification requirements.
“All of this may just prove to be a distraction from the ultimate question of whether LabMD can successfully challenge the FTC's authority, although it does have the potential to undermine people's trust in how the FTC is enforcing its statutory authority,” said Mr. Greene, who is not involved in the case.
“Part of the issue is an alleged lack of guidance and clarity as to the FTC's information security expectations, and I think a big question is, is the (health care) industry better off with that clarity, the problem being that the health care industry may not like a more detailed framework if one was established,” he said.
Observers have said a ruling by a federal judge in April in a comparable case, Federal Trade Commission v. Wyndham Worldwide Corp et. al., firmly establishes the FTC's authority to oversee companies' practices to secure customer information. The Parsippany, New Jersey-based Wyndham hotel chain is appealing that ruling.