This is a rather different story of a cyber breach than what we usually write about. Instead of a company pitted against an unknown hacker whose identity will probably never be known, this one is about the cyber fight of one company, LabMD, with another, Tiversa. It started nearly ten years ago, and the saga continues today. As one recounting of this struggle explained: “A leak wounded [LabMD]; fighting the Feds finished it [LabMD] off.”
Back in 2008, LabMD, a medical testing lab, had about 30 employees and $4 million in annual sales. In May of that year, Tiversa, a web security company, called LabMD with information on an alleged breach. Tiversa told LabMD that it had obtained a file from LabMD’s computer system containing patient information.
Tiversa sent LabMD the document, which included more than 9,000 patients’ Social Security numbers. Tiversa told LabMD that it could investigate the breach, locate the cause, determine the extent of the damage, and then stop further spread of the information. LabMD investigated the breach on its own and discovered that a single employee had (in violation of company rules) downloaded music file-sharing software onto her work computer. At the end of its month-long investigation, LabMD concluded that the information had not spread.
During this time, Tiversa continued to contact LabMD, claiming it was detecting searches for and downloads of the file. LabMD asked for details, but Tiversa wouldn’t provide any until LabMD signed up for Tiversa’s services – at $475/hour. Tiversa was no fly-by-night firm: for a time, retired US Army General Wesley Clark was one of its advisors. By July of 2008, LabMD had declined further solicitations and told Tiversa to direct all communications to its lawyers.
In the fall, Tiversa informed LabMD’s attorney that it was worried about being sued for not reporting the LabMD situation to the Federal Trade Commission (FTC). In early 2010, the FTC notified LabMD that it was conducting an inquiry, asserting that the file in question was available on a peer-to-peer file sharing network. And that was really the beginning of the end for LabMD.
As early as 2000, the FTC had stated that data breaches were subject to FTC jurisdiction under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices affecting commerce. The first settlement was with online pharmacies. Since then, more than 60 cases have been brought by the agency. Apparently, LabMD is the only company that refused to settle with the FTC, and that refusal would cost it dearly.
At first, the man who ran LabMD, Michael Daugherty, tried to be cooperative with the FTC in an attempt to resolve the matter. In a published interview, he has stated that he now calls that phase “the stupid zone.” At one point, he shipped 5,000 pages of documents to FTC headquarters in Washington, DC, even though the agency asked that everything be sent via FedEx, an extremely expensive method for moving that many documents. Eventually, Daugherty and his lawyer met with two FTC lawyers in July, and they sent more documents to the FTC in August.
In 2011, the FTC called again, requesting sworn testimony. At the urging of its counsel, LabMD hired Washington attorneys. The DC lawyers assumed control, but by then LabMD had spent nearly $250,000 on cyber security and system upgrades. And the company’s plight was about to go from bad to worse.
*AN IMPORTANT NOTE: The facts as summarized in this blog post are all according to published reports, and this blog post is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This blog post is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.*