LabMD, a company that diagnoses cancer for physicians, is waging a true David vs. Goliath battle with the Federal Trade Commission. It is simple, clean and vicious, and LabMD is finally taking a pound of flesh out of the FTC.
In 2008, LabMD had a file taken from their possession containing over 9000 patients’ billing information. The FTC has not found a single victim and not one copy of the file can be found out in cyberspace. Nevertheless, since LabMD would not subject itself to the whims of the FTC by signing a twenty-year consent decree, the FTC pounded LabMD into the ground with relentless subpoenas and depositions, terrifying current and former clients, physicians and employees, so that LabMD ceased medical operations in January of this year. Psychological warfare, draining financial coffers dry, and reputation assassination are just a few tactics in the FTC’s unsupervised playbook.
And I fought back hard. I wrote a book, The Devil Inside the Beltway, which exposed that the FTC was working with the hacker. They encouraged and enabled the hacker’s behavior and then took the hacker’s bounty and punished companies for being hacked. Zealots have no logic.
I knocked on doors all over Congress. A whistleblower contacted me to testify against the FTC and Tiversa. What he will say will probably shock no one and sadden many about what we already know to be true about the way our government behaves itself. That whistleblower has the FTC desperately playing back door and underhanded politics to prevent his getting immunity. Dirty. Dirty. Dirty.
How did the FTC get itself in this mess? Arrogance, entitlement and disrespect for American small business. The FTC lacks technical competency. When President Obama issued Executive Order 13636 creating a working group setting government data security standards for critical infrastructure, he gave the job to the Department of Commerce. When Congress wanted to protect sensitive personal health information, it gave the job to the Department of Health and Human Services. The FTC had no seat at either table.
Even so, the FTC has unilaterally decided that the FTC Act, which never uses the words “data security,” gives it the power to crash the party and regulate whomever it chooses. But though the FTC grabs regulatory authority, it runs away from its responsibility to define, in an intelligible fashion, what “reasonable” data security means. Rather, it requires companies and their customers to guess what “reasonable” data security measures are in any given case based on a bizarre “common law” of consent orders, speeches, PowerPoint presentations, Spanish language flyers and random internet posts. They argue they don’t have to make rules or have standards. Such is the size of their arrogance.
The FTC abuses its power. My company, LabMD, provided cancer diagnosis services and once employed approximately forty people. At all times, we handled protected health information under HIPAA’s data security regulations. No one has ever complained that they were harmed by anything LabMD ever did, or did not do, with respect to data security. We know that the FTC asked the FBI to investigate an alleged LabMD data breach involving over 9,000 individuals, but that the FBI found nothing at all.
Despite this, the FTC decided HIPAA was not enough, and for reasons it refuses to disclose, singled out LabMD for enforcement action. It began investigating my company in January, 2010. It demanded and was given thousands of documents and access to current and former employees for sworn statements. It filed a complaint in August, 2013.
The relentless FTC, out to place our head on a spike to scare all of you that are watching, tore the heart out of LabMD. We ceased diagnosing cancer in January, 2014. But at no point, until late March, 2014, when the government finally provided the company’s lawyers with an “expert” report, did the FTC tell LabMD how, exactly, its data security measures had failed to measure up.
All LabMD did was play by the rules, cooperate with the government and try and help physicians treat patients. Perhaps, if LabMD had hired a data security “consultant” with good ties to the FTC, who appeared on panels together with the FTC’s lawyers or who had the proper political connections, things would have turned out differently. But because the FTC recognizes no objective standards and eschews transparency about its enforcement decisions, here we stand. The FTC’s conduct proves only that nonsense is the regulatory coin of the realm inside the Beltway.