Dive Brief:
- The Eleventh Circuit dismissed a challenge by LabMD, a lab that performs cancer-detecting services, to the current Federal Trade Commission enforcement action regarding an alleged healthcare privacy breach.
- The FTC discovered that LabMD patient information was available on a public peer-to-peer file sharing network and, after an investigation, filed an administrative enforcement action against LabMD. The FTC claimed that LabMD violated the FTC Act by engaging in unfair acts or practices through its failure to prevent unauthorized access to patient information. LabMD filed a motion to dismiss in a lower federal court in Georgia, arguing that the case should be dismissed because, it claimed, the FTC does not have the authority to regulate protected health information (PHI).
- In recent years, the FTC has wielded its power to bring enforcement actions against healthcare services providers like LabMD and others for alleged privacy breaches.
Dive Insight:
Does the FTC have the right to regulate data breaches? That is the question at the heart of LabMD's case, which will be an important one to watch as healthcare data breaches grow more frequent.
And, as the National Law Review has pointed out, if the FTC has statutory and constitutional authority to regulate in this arena under Section 5 of the Federal Trade Commission Act, then its investigation and enforcement against companies that engage in "unfair" or "deceptive" cybersecurity practices is lawful. What happens next for LabMD is more waiting for a resolution: the Eleventh Circuit concluded that before a federal court will review the case, LabMD must first go through the FTC administrative hearing process until the FTC issues a final decision. Only after that can LabMD ask the federal courts to weigh in on the FTC's authority.
The cost of breaches to the healthcare industry is estimated to be in the billions, but according to one 2013 study, only about 69% of organizations have a breach response plan in place.