ATLANTA (CN) - A medical-testing lab cannot enjoin claims by the Federal Trade Commission that it failed to protect patients' personal information, a federal judge ruled.
LabMD had been a small medical laboratory in Atlanta that provided cancer-detection testing to doctors' offices but said costs related to an ongoing FTC battle shut it down earlier this year.
Indeed an administrative trial is scheduled to kick off this week related to a 2010 investigation by the FTC into LabMD's data-security practices, based on claims that the laboratory had failed to protect confidential information doctors had provided about their patients.
In 2013, the FTC brought an administrative complaint against LabMD, alleging the company may have engaged in "unfair acts or practices" in violation of the Federal Trade Commission Act by allowing patient information to be shared with the public on a peer-to-peer file sharing network.
Regulators said the lab's failure to secure sensitive data such as patients' names, Social Security numbers, birth dates and medical history information had harmed consumers.
The vulnerability stemmed from the installation on a work computer of the peer-to-peer file-sharing application Limewire by LabMD's billing manager, the FTC said. This allegedly gave Limewire users access to a file containing personal information for more than 9,300 consumers. Police in Sacramento, Calif., had found LabMD patient information in the possession of identity-theft suspects, according to the administrative complaint.
LabMD sought to dismiss the complaint on the basis that the agency lacks authority over the data-security practices of private companies. The commission meanwhile argued that it had the power to investigate data-security claims that were likely to cause substantial injury to consumers, especially when consumers could not protect themselves.
While waiting for an administrative law judge to rule on the commission's claims, LabMD sued the FTC in Washington, D.C., seeking to have a federal judge enjoin the enforcement action. It also asked the 11th Circuit to stay the administrative proceedings.
After the 11th Circuit dismissed the petition for lack of jurisdiction, the lab voluntarily dismissed its federal complaint before the D.C. court, and filed a similar one in Atlanta.
The new complaint alleged that the FTC had abused it statutory authority by trying to regulate the data security practices of a private company, that its actions violated due process and the Administrative Procedure Act, and that the enforcement action represents retaliation for public criticism of the agency made by LabMD's president.
LabMD argued that the commission could not pursue alleged security breaches involving information that doctors, not patients, had provided to the lab. What's more, the FTC had not published any requirements for the protection of patient information, according to the plaintiff.
LabMD again sought to enjoin the administrative action, and the FTC moved to dismiss for lack of jurisdiction and for failure to state a claim.
U.S. District Judge William Duffey ruled
last week that the federal court lacks jurisdiction over the lawsuit because the FTC's refusal to dismiss the administrative complaint against LabMD did not qualify as a final agency action that federal courts can review.
The commission's order is equivalent to a federal court's decision to deny a motion to dismiss, which does not end a case, but assures its continuation, the May 12 order states.
"The commission's denial of LabMD's motion to dismiss the administrative complaint is not a final agency action, and the FTC's decision to submit the commission's order to other courts as 'supplemental authority' is a litigation tactic that does not render final a Commission order that is not," Duffey wrote. "The possibility that LabMD may prevail on the merits ... will moot its judicial challenge and render it unnecessary for the court to intervene in an ongoing administrative proceeding."
LabMD had argued that the FTC investigation and administrative action had crippled its business and forced it to shut down its operations.
But Duffey noted that expenses and burdens associated with administrative proceedings are not legally recognized harms and thus do not justify intervention into an administrative agency action.
What's more, LabMD CEO Michael Daugherty had testified that LabMD stopped providing cancer-detection services in January 2014, four years after the FTC had begun its investigation of the lab. Daugherty had also conceded that the implementation of the Affordable Care Act, and its resulting effects on costs and the lab's customer base had hurt LabMD's operations, according to the ruling.
As for LabMD's constitutional claims, Duffey found they were not ripe for review because the agency had not reached a final decision.
LabMD can have its jurisdictional challenge reviewed in the Court of Appeals, if necessary, the court concluded.
Duffey's order Wednesday.
Representatives for CEO Daugherty did not respond to a request for comment.