A small Atlanta cancer testing laboratory and its owner are at the center of a legal battle over who should protect private patient health information and how such data should be safeguarded.
The firm, LabMD, is accused by the Federal Trade Commission of leaving personal information unguarded. Its owner, Michael Daugherty, denies that and says he has basically been hounded out of business by the agency.
“The FTC is all about running the prisoner until he drops,” Daugherty said of the case. “This is nothing more than a torture trick to drain your resources so you can’t get to court.”
The outcome of the case could affect the way health care providers and medical companies secure data such as Social Security numbers, birth dates and medical treatment codes, privacy experts say.
LabMD tested tissue samples for bladder and prostate cancer, sent to it by doctors from around the nation. An FTC complaint says personal information for more than 9,000 LabMD patients was found on a peer-to-peer file sharing computer network by a third-party cyber-security firm in 2008.
The file was forwarded to the agency during a broader investigation of personal records security.
LabMD contends the patient information was not available to the general public, and that no data breach occurred. It rejected an FTC plan to revamp its security program, which it said was strong, and the matter has been batted about in legal proceedings ever since.
The case went before an FTC administrative law judge last week but could eventually be headed to the federal court system and may take years to resolve.
The case is being watched closely. At a time of rising concern about electronic data security breaches such as the one that enveloped retailer Target last year, the safety of medical records, in particular, has attracted growing attention. Last month, the FBI told hospitals and doctors their security systems lag those of other industries and that their patients’ personal data is at risk.
The issue is particularly relevant in metro Atlanta, observers say, because the area has a large medical industry. Health care companies could end up spending considerably more time and money on patient data security than they do already if the FTC continues to pursue the issue, and if it doesn’t offer clear guidelines.
Daugherty and some privacy experts question the FTC’s role in seeking to protect privacy. They have said a decision against the company could have a precedent-setting chilling effect on health care businesses, especially smaller ones, which may not be able to comply with additional regulations.
Daugherty plans to persist in the FTC case even though he is now the only employee at the privately-held company he launched in 1996, down from 30. The company has stopped tissue testing.
The investigation, he said, “ripped the soul out of (his) organization. Key people left.”
Daugherty contends that health privacy is the domain of the Department of Health and Human Services and is regulated under Health Insurance Portability and Accountability Act (HIPAA) laws. He said the FTC also does not have specific rules in place on health privacy, making compliance uncertain.
Michele Madison, an attorney who specializes in health care and health care IT at Atlanta law firm Morris Manning Martin, which is not involved in the case, said of the FTC’s action, “It’s very ambiguous. They’re saying, ‘Your data security is inadequate.’ The question is, what FTC data security standards define what is adequate?
“As an individual, you want your data protected,” Madison said. “At the same time, as a company, you want to know what the standards are that you have to meet.”
The FTC isn’t specifically commenting on the case. But Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said, “The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users.”
Daugherty said he’s spent more than a half-million dollars on the case so far. He’s had help from Cause of Action, a non-profit group that said it got involved to help a small business with limited resources fight back against unfair regulation.
“I don’t think Congress intended for the FTC to regulate HIPAA,” said Daniel Epstein, the group’s executive director. “If it wanted to, they could authorize a law to do so.
The LabMD patient data cited by the FTC was found by a Pennsylvania data security company, Tiversa. How the data was found is the subject of a separate, complex legal skirmish.
Tiversa said it found the LabMD file while conducting an unrelated search of peer-to-peer file sharing networks on behalf of a client. It said the LabMD file it found in that search contained patient Social Security numbers, insurance information and treatment codes.
Tiversa said it did not download the file directly from a LabMD computer. It said the file was publicly available because of LabMD’s use of file sharing software.
Daugherty disputes that.
“A breach means the file is out of control,” he said. “The file has never been out of control. The file wasn’t and isn’t out there.”
He has publicly criticized Tiversa and its CEO, Robert Boback, in a book he wrote about the events around the investigation, “The Devil Inside the Beltway.” They have sued him for slander and defamation in turn.
Daugherty said LabMD had extensive, high-quality data security measures in place at the time of the incident. None of the 9,000-plus patients whose personal information was harmed as a result, he said.
LabMD had another data security problem, but that involved paper records that were stolen during a company move, not electronic records on a computer, Daugherty said. In 2012, police in California found the records of at least 500 LabMD patients in the possession of identity thieves.
Daugherty said while the ordeal has damaged his company and cost him hundreds of thousands of dollars, “The bigger picture is … is this going to make us more safe? I don’t think so.”
About the Author
