LabMD Case: House Committee Gets Involved

Yet Another Development in FTC Security Dispute
LabMD Case: House Committee Gets Involved

The House Committee on Oversight and Government Reform has notified the Federal Trade Commission that it is investigating Tiversa, a peer-to-peer intelligence and security services firm at the center of the ongoing data security dispute between the FTC and medical test lab firm LabMD.

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

Meanwhile, an FTC administrative trial examining the data security practices of LabMD is on hold. Since last August, the FTC has been pursuing an enforcement action against the Atlanta-based medical test lab for alleged unfair business practices related to two separate data security incidents that occurred in 2008 and 2012. The agency alleges that the incidents collectively exposed the personal information of approximately 10,000 consumers.

In a June 11 letter to FTC Chairwoman Edith Ramirez, committee chair Darrell Issa, R-Calif., notes that the FTC has relied on Tiversa "as a source of information" in the agency's enforcement action against LabMD. "However, information the committee recently obtained indicates that testimony company officials provided to federal government entities may not be truthful."

The committee letter refers to testimony by Tiversa employees related to the source of an alleged LabMD spreadsheet containing insurance billing information for 9,000 consumers that Tiversa says it discovered unsecured on a peer-to-peer network in 2008.

That allegedly unsecured spreadsheet document plays a crucial role in FTC's complaint against LabMD. "Misuse of such information can lead to identity theft and medical identity theft, and can also harm consumers by revealing private medical information," according to the FTC.

"The committee's ongoing investigation has shown that competing claims exist about the culpability of those responsible for the dissemination of false information. It is clear at this point, however, that the information provided to the FTC is incomplete and inaccurate," the letter says. "The committee brings this matter to your attention because this information bears directly on the ongoing proceedings against LabMD."

The committee is considering next steps in regard to its own investigation, including the possibility of holding hearings and perhaps hearing certain testimony in a closed session.

Case Details

Besides the spreadsheet allegedly found by Tiversa, the FTC's case against LabMD also points to a second incident, in which the FTC alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," the FTC says.

The FTC has proposed an order against LabMD that would prevent future violations "by requiring the company to implement a comprehensive information security program and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."

LabMD has been fighting the FTC's enforcement action since it was brought last August, arguing that the FTC has overstepped its authority related to the medical lab test's data security (see FTC vs. LabMD: Next Battle Begins).

LabMD's CEO Michael Daugherty has said that resources the company has dedicated in its legal battle with FTC has forced the firm to wind down most of its business operations.

The ongoing FTC administration trial, or evidentiary hearing, that started on May 20 aims to determine whether LabMD's data security practices violated Section 5 of FTC regulations related to unfair business practices.

As a result of the committee letter, the trial has again been put on hold. It was put on hold on June 2, when a Tiversa attorney disclosed during the hearing that the company had been notified about a House committee investigation. The trial resumed on June 12, only to be put on hold again after the House committee letter about the Tiversa investigation was sent to the FTC.

The FTC, Tiversa and the House Committee did not respond to Information Security Media Group's request for comment.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.