LabMD breach case more fuel for on-going-harm debate

When, and how many times, is a consumer harmed in a data breach and when does liability end for the company breached?

An administrative law judge who dismissed an FTC complaint last week against a health-care company accused of losing consumer personal data highlights the on-going complexities of determining how consumers are harmed by a data breach and the accountability of the companies involved.

The rub has been whether consumers can claim on-going harm, as in their stolen data being used in future hacks to cause additional heartache, a post-breach practice that has been going on for years. Courts had been adamant about not allowing consideration of future harm, and limiting decisions to the specific breach incident, but cracks have started to form recently.

Now comes a ruling in the seven-year-old case of LabMD and allegations brought in 2013 by the Federal Trade Commission (FTC) that the company, which stored personal-health data and medical records, failed to maintain adequate computer security and that its practices were likely to harm consumers. Michael Chappell, the FTC's chief administrative-law judge, last week dismissed the case against LabMD.

According to a press release at FTC.gov, Chappell found, among other issues, that the FTC did not prove "that the exposure or limited exposure of some LabMD documents in 2008 has caused, or is likely to cause, any substantial consumer injury (whether identity-theft-related harm or otherwise)."

The tone of his decision has been the norm in data theft and breach cases, including class-action lawsuits.

Health care records, however, are some of the most sought after records on the black market, worth 10 times more than a credit card number, according to Reuters.

Sought-after data includes names, birth dates and policy numbers - like those that allegedly went missing from LabMD in 2008. Providers are defrauded when the data is used to create fake IDs to buy medical equipment or drugs that are then resold. Patient data can also be used to file fake claims with insurers.

Those sorts of attacks are the second (and profitable) step after the initial data breach and provide the real payoff for hackers and pain for data owners.

The FTC's complaint alleged that a LabMD report containing records of 9,300 patients -- including names, dates of birth, Social Security numbers, and health insurance policy numbers -- ended up on a file-sharing site. In a second alleged incident, data from LabMD computer networks ended up in the hands of individuals who eventually pleaded "no contest" to identity theft charges.

Opinions on future harm differ, however.

A National Law Review article said the judge's ruling in the LabMD case may "cause the FTC to 'pump the brakes' a bit when considering when to bring enforcement actions based solely on alleged lax data security."

In August, Electronic Privacy Information Center attorney Alan Butler told Wired magazine, "This is a huge victory for the FTC, but also for American consumers" when a U.S. appellate court ruled the FTC could sue Wyndham Hotels over computer system hacks that exposed 600,000 customer records in 2008 and 2009.

LabMD and Wyndham Hotels are the only two companies not to settle when facing an FTC data security enforcement action under Section 5 of the Federal Trade Commission Act.

The LabMD decision is likely to be appealed and the outcome could turn the tide on future FTC and legal action in data theft and breach cases.

Ken Dort, a partner at Drinker Biddle & Reath, told the Modern HealthCare website that if the judge's decision is reversed it will "open the doors to more activity." If the LabMD decision is upheld, it means that harm in future cases will be narrowly defined, he said.

Either way, the bottom line is that enforcement has to be accurate and swift. In 2014, LabMD went out of business near the end of the seven-year case. If LabMD is eventually cleared of wrongdoing, then the FTC will have to answer for its tactics, and the course of defining the legal implications of breaches will take a step backward.

"After years of investigation and enforcement action, the FTC never produced a single patient or doctor who suffered or who alleged identity theft or harm because of LabMD's data-security practices," Dan Epstein, executive director of Cause of Action, a government watchdog that represented LabMD, wrote in a Wall Street Journal article.