An administrative law judge dismissed a data security enforcement proceeding the Federal Trade Commission filed against LabMD alleging the medical testing laboratory failed to reasonably protect the security of consumers' personal data.
Here are seven things to know about the case and the dismissal.
1. Chief Administrative Law Judge D. Michael Chappell dismissed the FTC's charges, finding the complaint counsel did not prove LabMD's failure to employ reasonable data security caused or was likely to cause substantial injury to consumers.
2. "At best, Complaint Counsel has proven the 'possibility' of harm, but not any 'probability' or likelihood of harm," according to the judge's initial decision. "Fundamental fairness dictates that demonstrating actual or likely substantial consumer injury…requires proof of more than the hypothetical or theoretical harm that has been submitted by the government in this case."
3. The FTC has submitted various incidences where LabMD information was publicly available. One instance had certain insurance files available for sharing through file sharing site LimeWire. In another incident, the Sacramento (Calif.) Police Department found documents containing personal information and copied checks in a house, whose occupants had conducted utility billing theft.
4. The initial decision says the evidence presented in the case does not show any consumer suffered any substantial injury as a result of the alleged misconduct. Additionally, the initial decision does not uphold the FTC's complaints that there is a likelihood of substantial injury for all consumers whose information is contained on LabMD's networks because the presented evidence does not demonstrate LabMD's network will be breached in the future. "While there may be proof of possible consumer harm, the evidence fails to demonstrate probable, i.e., likely, substantial consumer injury," according to the initial decision.
5. The National Law Review indicates the decision will likely be appealed.
6. Additionally, the ruling may cause the FTC to think twice before seeking legal action against companies. "This decision brings the conventional wisdom into doubt by requiring a strong showing that the data security practice are likely — not just possible — to cause substantial harm to consumers, and the FTC will now need to show more than just embarrassment or other emotional harm," according to The National Law Review.
7. Although the case was dismissed, a Wall Street Journal report suggests LabMD ended up on the losing end of the case. The Atlanta-based company went out of business in 2014, citing "reputational damage" and the costs of the federal investigation as reasons for its closure, according to WSJ.
More articles on security:
Health IT tip of the day: Internal and external threats look different — plan for both
What HIPAA doesn't cover
7 critical steps to securely move patient data to the cloud