LabMD Seeks Sanctions Against FTC

Lab Test Firm Alleges FTC Had 'Secretive Relationship' with Tiversa
In the latest legal maneuver in the ongoing battle between LabMD and the Federal Trade Commission, the medical testing firm has asked an FTC administrative judge to sanction FTC for allegedly having a "secretive relationship" with Tiversa, the data security firm that provided alleged evidence that kicked off the dispute.

The sanctions sought by LabMD include dismissal of the case with prejudice and an award of LabMD's reasonable attorneys' fees and costs, according to documents filed on Aug. 14 by attorneys representing the Atlanta-based medical test lab firm.

"A shoddy pre-complaint investigation does not necessarily undermine the integrity of the adjudicative process in such a way that sanctions should always follow, though the law authorizes punishing agencies for such conduct," says the LabMD court filing. "And FTC's investigation of LabMD was certainly shoddy."

Case Details

The dispute centers on a complaint filed by the FTC against LabMD last August, alleging the firm failed to protect consumer health data in two separate incidents - one in 2008 and another in 2012. FTC alleges the incidents collectively exposed the personal information of approximately 10,000 consumers (see LabMD CEO Describes His Beef With FTC).

The larger of the two incidents, which FTC alleges affected 9,000 individuals, involved an unsecured spreadsheet containing insurance billing information that was allegedly found on a peer-to-peer network in 2008 by Pittsburgh-based Tiversa, a security intelligence firm.

LabMD twice turned down Tiversa's offer to provide more information to the lab company about the file - if LabMD signed up for security services for $475 an hour, according to LabMD CEO Michael Daugherty. He testified at a July 24 House Committee on Oversight and Government Reform hearing examining FTC's pursuit of unfair and deceptive trade practice cases involving alleged data security incidents (see Examining FTC's Data Security Enforcement).

LabMD alleges that after Tiversa's offer was declined, Tiversa turned over the information about the supposed security incident to the FTC. The commission's enforcement action against LabMD alleges unfair and deceptive business practices related to the medical test lab's data security practices, based largely on information about the incident that Tiversa turned over to FTC.

Last August, the FTC proposed an order against LabMD that would prevent future violations by requiring the company to implement a comprehensive information security program and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the lab firm to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies.

Committee Involvement

LabMD opposed that FTC enforcement action and has been fighting FTC's allegations in an FTC administrative trial - also called an evidentiary hearing - that began on May 20. However, that case has been on hold since June, pending whether the House Committee on Oversight and Government Reform will grant immunity to a former Tiversa employee who provided information at an earlier closed "proffer" session about the security firm's business practices.

So far, the Oversight Committee has not granted the witness immunity. The committee is now on recess with Congress until Sept. 8. However, in administrative court documents filed by the FTC on Aug. 5, the commission is pushing to resume the evidentiary hearing, using its own legal maneuver that could order LabMD to file a request requiring the Tiversa witness to testify and granting immunity.

"If [LabMD's] counsel fails to file a request for such an order within 14 days...[FTC] counsel respectfully moves that this court resume the evidentiary hearing so [LabMD] can complete its case and this court can proceed toward rendering a decision in this matter," say the Aug. 5 FTC court documents.

Rather than filing the request sought by FTC, and facing the prospect of the administrative trial resuming soon, LabMD has instead filed a motion seeking sanctions against FTC, including having the case dismissed.

According to the Aug. 14 documents, among other allegations, LabMD claims that FTC "never independently verified the origin of or chain of custody" for the spreadsheet allegedly found by Tiversa on a peer-to-peer network. LabMD also says it's seeking sanctions "because [of] FTC's secretive relationship with Tiversa and the Privacy Institute," a separate entity that LabMD alleges Tiversa created while working with the FTC to transfer information about data security incidents.

LabMD alleges in its latest court documents that the FTC's "failure to do anything to authenticate or have a chain of custody for the [spreadsheet] before commencing this case are unduly and dangerously corrosive to the most fundamental principles of administrative process integrity."

The latest LabMD court documents also allege that "Tiversa was benefiting commercially from the fact that the FTC was investigating the companies that Tiversa itself referred to the FTC ... thus opening up the possibility that Tiversa manipulated the FTC in order to enrich themselves."

LabMD also says that, "FTC repeatedly has refused to reveal the full extent of its collaboration with Tiversa. It seems, however, that the relationship was and remains quite close."

In a June 17 letter to the FTC's acting inspector general, Kelly Tshibaka, House Oversight Committee Chair Darrell Issa, R-Calif., asked for clarification from the FTC about its relationship with Tiversa.

In a statement to Information Security Media Group, a Tiversa spokeswoman says, "Tiversa has no relationship with the FTC other than to provide information when required to do so. Any statement alleging anything else is completely false."

The FTC declined ISMG's request for comment on the LabMD case. The FTC inspector general's office and the House Oversight Committee did not reply to ISMG's requests for comment.

In June, Daugherty testified to the committee that due to the costs and resources LabMD has spent in fighting its FTC case, the company was forced to shut down most of its operations earlier this year (see Lab Shutting Down In Wake of FTC Case).


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



