
LabMD's FTC Trial: Congressional Probe's Role

House Committee's Letters Allowed as Evidence

When a Federal Trade Commission administrative trial on the data security practices of medical testing firm LabMD resumes March 3 after a long delay, an FTC judge could consider questions raised by a Congressional panel regarding Tiversa, a security firm at the center of the case.


The FTC filed a complaint against LabMD in August 2013, alleging the Atlanta-based lab firm failed to protect consumer health data in two separate incidents. The FTC alleges the incidents - including the one allegedly discovered by Tiversa - collectively exposed the personal information of approximately 10,000 consumers.

LabMD, which is fighting Tiversa in a separate lawsuit it filed against the security firm in January, shut down most of its operations early last year, citing legal expenses and related resources that the lab has sunk into its battle to avoid FTC sanctions.

Committee Findings

FTC Chief Administrative Law Judge Michael Chappell, who is presiding over the FTC case against LabMD, on Feb. 12 ordered that two letters from the U.S. House Committee on Oversight and Government Reform to FTC Chairwoman Edith Ramirez be allowed as exhibits in the case.

One of the letters, sent to Ramirez on Dec. 1, 2014, and signed by former committee chair Darrell Issa, R-Calif., summarizes key findings of the committee's investigation into Tiversa, which in 2008 allegedly found a LabMD spreadsheet containing insurance billing information for 9,000 individuals on a peer-to-peer network.

The Dec. 1 letter from Issa calls into question the accuracy and completeness of information that Tiversa provided to the FTC about the company's alleged discovery of the LabMD spreadsheet file.

"The committee has obtained documents and information indicating that Tiversa failed to provide full and complete information about work it performed regarding the inadvertent leak of LabMD data on peer-to-peer computer networks," Issa says in the letter. "In fact, it appears that in responding to an FTC subpoena issued on Sept. 30, 2013, Tiversa withheld responsive information that contradicted other information that it did provide about the source and spread of the LabMD data, a billing spreadsheet file."

The committee's letter to Ramirez lists a number of examples of how Tiversa allegedly withheld from the FTC pertinent or complete information about the company's discovery of the LabMD data. That includes Tiversa allegedly withholding documents from the FTC that allegedly contradict testimony that Tiversa CEO Robert Boback provided to the FTC about the LabMD case.

Chappell also admitted as an exhibit in the case a June 11, 2014, letter to the FTC from Issa that informed the FTC that the committee was investigating Tiversa. In that letter, Issa noted that the FTC has relied on Tiversa "as a source of information" in the agency's enforcement action against LabMD. "However, information the committee recently obtained indicates that testimony company officials provided to federal government entities may not be truthful" (see LabMD Case: House Committee Gets Involved).

In his ruling, however, Chappell admitted the committee's letters "for certain limited purposes" in the case. For instance, Chappell wrote in his order: "It should be noted that there is no dispute as to the authenticity of the [committee] letters and the receipt of the letters by the FTC." However, material that the committee submitted along with its letters, including internal Tiversa documents, was not allowed by Chappell to be admitted as exhibits to the case.

Tiversa CEO Responds

In a statement provided to Information Security Media Group, Tiversa CEO Boback says, "Tiversa looks forward to the conclusion of the trial as our involvement in it has been quite bizarre to say the least. Frankly, the trial is between FTC and LabMD and should not even include Tiversa. In my opinion, LabMD and/or its counsel has gone to great lengths to try to drag Tiversa into this while impugning our character and reputation."

Boback alleges that insider relationships kicked off the committee's investigation into Tiversa.

"It is important to note that it is our understanding that the OGR [Oversight and Government Reform Committee] investigation was started because LabMD's counsel, Cause of Action, used its relationships in OGR - the CoA founder and current LabMD attorney, Dan Epstein, worked for OGR immediately before founding CoA - to start the investigation of Tiversa," Boback contends.

Boback also stresses: "The OGR investigation into Tiversa is over, and no evidence of wrongdoing was ever shown to us."

In a statement provided to ISMG, Cause of Action's Epstein says: "The information disclosed by Congress demonstrates that FTC's claims about LabMD's data security, and the alleged 'consumer harm' that supposedly was likely to result therefrom, are based on false information from Tiversa. Therefore, we again call on FTC to fully disclose its relationship with Tiversa with respect to the LabMD enforcement action, including all communications between FTC's staff and Tiversa's principals and employees, to protect the integrity of FTC's enforcement proceedings and to ensure the whole truth comes out."

The House Oversight and Government Reform Committee did not respond to a request for comment on Boback's assertions.

FTC's Complaint

Besides the spreadsheet allegedly found by Tiversa on a peer-to-peer network, the FTC's case against LabMD also points to a second incident, in which the commission alleges that in 2012, police in Sacramento, Calif., found LabMD documents in the possession of identity thieves. "The documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers," says the FTC complaint.

The commission had proposed an order against LabMD that would "require the company to implement a comprehensive information security program, and have that program evaluated every two years by an independent, certified security professional for the next 20 years. The order would also require the company to provide notice to consumers whose information LabMD has reason to believe was or could have been accessible to unauthorized persons and to consumers' health insurance companies."

LabMD has argued that the FTC was overstepping its authority in the data security investigation and issuing the proposed order. The lab firm has taken a number of legal actions over the last year to refute the FTC's case.

In January, the Eleventh Circuit Federal Court ruled that LabMD must first wait for the FTC administrative court to make a decision in its trial before a federal court can review the issue of whether the FTC had authority in the case.

Michael Daugherty, LabMD's CEO, says he's pleased that the FTC administrative judge has allowed the oversight committee's letters as exhibits in the case.

"This is just the beginning of the truth and facts coming out," he tells Information Security Media Group.

The FTC did not respond to ISMG's request for comment.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



