PITTSBURGH - A successful laboratory testing firm has been reduced to a shell of a company after the illegal actions of a cybersecurity provider that reported to the Federal Trade Commission a data breach it also allegedly caused, according to a recent federal lawsuit.
The provider's actions caused an FTC investigation that decimated the company's solvency, according to a defamation suit filed Jan. 21 at the U.S. District Court for the Western District of Pennsylvania.
The remaining executives with LabMD seek millions in damages from Tiversa, Inc., and its CEO Robert Boback. The complaint charges the defendants with eight counts, including fraud, civil conspiracy and violations of the Racketeer Influenced and Corrupt Organizations Act.
According to the complaint, filed in federal court by lawyers from Fox Rothschild's office in Pittsburgh, Boback allegedly instructed Tiversa employees to hack into LabMD servers in Atlanta, then attempted to sell LabMD officials security software to protect the company from data breaches. When the company declined the offer, Boback reported the breach to the FTC, the suit says.
In August 2013, the FTC filed a complaint against LabMD, alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information. The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of approximately 10,000 consumers.
The complaint alleges that LabMD billing information for more than 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 500 consumers were found in the hands of identity thieves.
The commission’s complaint alleges that LabMD failed to take reasonable and appropriate measures to prevent unauthorized disclosure of sensitive consumer data – including health information – it held.
Among other things, LabMD allegedly:
- Did not implement or maintain a comprehensive data security program to protect this information;
- Did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
- Did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
- Did not adequately train employees on basic security practices; and
- Did not use readily available measures to prevent and detect unauthorized access to personal information.
An administrative trial is slated to resume on March 3. The U.S. Court of Appeals for the Eleventh Circuit dismissed on Jan. 20 LabMD's appeal of a lower court's ruling that the FTC had subject-matter jurisdiction. The appeals court said that a decision must be made in the administrative trial before it can be appealed.
According to LabMD's complaint against Tiversa, a congressional investigation has been launched against the cybersecurity firm following accusations that the firm had been using threats to report potential clients to the FTC as leverage to close contracts.
“Tiversa was benefiting commercially from the fact that the FTC was investigating the companies that Tiversa itself referred to the FTC,” U.S. Rep. Darrell Issa, R-Calif., said in a letter to the FTC. “Information the Committee recently obtained indicates that the testimony provided by company officials to federal government entities may not have been truthful.”
The complaint says that Boback contacted LabMD executives by phone several times between May and June 2008, claiming that Tiversa had obtained a 1,718-page file containing sensitive data from a peer-to-peer file-sharing network.
After the refusal to enter into a services agreement with Tiversa, Boback contacted officials at the FTC and alerted them to the data breach, the complaint says. According to the complaint, Boback recently admitted to the House Oversight Committee that his claims to the FTC falsely misrepresented how he obtained the file.
Nevertheless, the complaint says, Boback's report proved to have devastating consequences for LabMD. The bad publicity and the burdensome demands imposed on LabMD to comply with the FTC’s demands for access to current and former employees and the production of thousands of documents forced LabMD’s insurers to cancel all of the insurance coverage for LabMD and its directors and officers, the company claims.
LabMD lost virtually all of its patients, referral sources, and workforce, which had included around 40 full-time employees.
“LabMD was effectively forced out of business by January 2014,” the complaint says, “and now operates as an insolvent entity that simply provides records to former patients.”