Cyberextortion by US gov, or simple P2P security lapse by medical firm?

Filed Under: Data loss, Featured, Law & order, Privacy

The ongoing data leak saga between medical firm LabMD and "The Man," in the form of the Federal Trade Commission (FTC) of the United States, has entered its next stage.

This is a curious story that would be amusing were its import not so serious.

If everyone who has contributed to the story is to be believed, it unfolded over a five year period, and goes something like this (remember, this is not necessarily what happened, but what has been variously alleged):

  • In 2008, Tiversa, a "Peer to Peer (P2P) intelligence services" company out of Pittsburg, Pennsylvania, finds a stash of Personally Identifiable Information (PII) from over 9000 patients of LabMD. Apparently, a 1,718-page spreadsheet of health insurance billing information was accessible via a P2P file sharing network.
  • LabMD, out of Atlanta, Georgia, declines to deal with Tiversa's complaint, on the grounds that Tiversa is using the data in its possession to shill LabMD into inking a deal for security consultancy.
  • In 2009, Tiversa decides to hand over the data to the authorities.
  • The FTC gets involved in 2010, asking LabMD to provide documents so it can review the case.
  • LabMD digs its heels in, refusing to agree to a so-called consent decree imposing to a security audit every two years for the next 20 years.
  • In 2011, the FTC begins a formal investigation.
  • LabMD files a petition to squash the investigation, on the grounds that Tiversa is an unobjective witness.
  • The FTC disagrees, though not without one dissenting opinion stating that "the commission should avoid even the appearance of bias or impropriety by not relying on [Tiversa's] evidence or information in this investigation."
  • On 29 August 2013, the FTC files a formal complaint against LabMD, for "failing to protect consumers' privacy."
  • On 17 September 2013 (which, of course, is the one part of the story that hasn't actually happened yet), Michael J. Daugherty, the CEO of LabMD, will publish a book about the saga so far, The Devil Inside the Beltway [*].

Daugherty's doughtily-named book claims to document "a government power grab and intimidation that if not for the fact that it is all real, would make for an a brilliant novel."

The book's marketing material says that what "began with medical files taken without authorization from a laboratory, turned into a government supported extortion attempt," and vows "to ensure that this does not happen to any other American."


I'm going to sit on the fence here, and decline to take sides (I'll leave that to you, our readers, in the comments below).

Instead, I'll just point out that there is one thing that doesn't seem to be in doubt: the fact that the offending data was, indeed, grabbable via P2P, five long years ago.

And, as the FTC very plainly points out in its latest communication on this issue:

P2P software is commonly used to share music, videos, and other materials with other users of compatible software. The software allows users to choose files to make available to others, but also creates a significant security risk that files with sensitive data will be inadvertently shared. Once a file has been made available on a P2P network and downloaded by another user, it can be shared by that user across the network even if the original source of the file is no longer connected.

How serious, then, can it possibly be that this data "got out" back in 2008?

How long does the risk last after a data leak?

Well, according to the FTC:

[I]n 2012 the Police Department [in Sacramento, California,] found LabMD documents in the possession of identity thieves. These documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers. The complaint alleges that a number of these Social Security numbers are being or have been used by more than one person with different names, which may be an indicator of identity theft.

Rather a long time, apparently.

[*] Inside the Beltway is a US English term meaning related to the federal government, its public service, and those who lobby it. It refers to Interstate Highway 495, the Capital Beltway, an orbital motorway that encircles the US federal capital, Washington DC.

Image of interlinked people courtesy of Shutterstock.

, , , , , ,

You might like

8 Responses to Cyberextortion by US gov, or simple P2P security lapse by medical firm?

  1. spryte · 762 days ago

    I am not a U.S. citizen and cannot say I am that familiar with U.S. laws, but I find it absitively amazing that:

    while the case seems to be still being decided.

  2. Kevin · 761 days ago

    So is the Center For Medicaid Services involved too? Sharing medical files on thousands of people is kind of a rather serious HIPAA violation.

  3. Scott · 761 days ago

    I have performed multiple FTC-directed post-breach security audits and have never done the first 1 of 10 without finding numerous critical security control deficiencies. However, mandating 20 YEARS (10 audits) of audits is overdoing it on the part of the FTC. I could agree with audits until all high and critical issues are found to be resolved - but 20 year's of forced FTC audits (quite detailed) exposes small companies to financial and operational burdens.

  4. W. H. Hayes · 761 days ago

    This story seems suspect. The Department of Health and Human Services (HHS) is the enforcing agency for HIPAA and the HITECH Act. The Health Insurance Portability and Accountability Act (HIPAA) priovides standards for the storage and transmission of sensitive patient information that by it's nature includes personally identifiable information. The HITECH Act provides the enforcement powers missing in HIPAA. Nowhere in this story is this agency mentioned.

    If the story is true, I feel no sympathy for this company if it did expose, inadvertently or otherwise, thousands of patient records and then appear to wallow in denial. The involvement of various Federal agencies is automatically triggered by law and is intended to protect the persons whose medical information and personally identifiable iformation was exposed. Again, if the story is true, they are the victims and that should be in the forefront of this story.

    • Paul Ducklin · 761 days ago

      Well, the FTC is certainly involved, whether or not HHS is involved too. (See the link to the FTC's complaint in which LabMD is explicitly named.)

      Does that make the story more or less suspect?

  5. W. H. Hayes · 761 days ago

    The Federal Trade Commission (FTC) has long handled breeches involving the exposure of consumer personally identifiable information (PII). If the story is true, Daugherty may feel he is being singled out for punishment, but the agency would only be doing its job. What you've described is probably only part of the story, if it is indeed real.

    No one should underrate the serious nature of medical information exposure. Health insurance fraud is big business for indentity thieves, and really hurts the elderly identity theft victims. It is grave enought that the FBI is actively involved in tracking down medical fraud criminals.

  6. Nigel · 761 days ago

    First, I can't tell from the information in this article (or the source article in Atlanta Business Journal), but it appears that the 1,718-page spreadsheet was unencrypted. It’s irresponsible for LabMD to handle personally identifiable information entrusted to them in such a careless way. In fact, it was just as irresponsible when Tiversa heisted the data five years ago as it is today.

    Second, Tiversa acquired the data as part of a federally funded research project (in collaboration with Dartmouth College). I suspect that the purpose of the research project was NOT to provide Tiversa with data for an extortion-based marketing strategy, with the FTC playing the role of the hired thug. So it’s not exactly a case of Tiversa innocently "finding a stash" of PII. It appears they took taxpayer money and went looking for it.

    Third, irrespective of how Tiversa acquired the data, they don't own it. What moral right do they have to do anything with it? It's not theirs. I suppose they're spinning themselves as "good citizens" by reporting LabMD to the feds. But it doesn't wash. They clearly had an ulterior motive. What's more, using the FTC to provide the coercive muscle (again, with taxpayers footing the bill) only compounds Tiversa's unethical behavior.

    Finally, FTC Commissioner J. Thomas Rosch (the lone dissenter) is apparently the only one who has any sense of propriety in this case. At least he recognizes that Tiversa "...has a financial interest in intentionally exposing and capturing sensitive files on computer networks..." The other clowns on the five-member FTC don't seem to be able to identify their own complicity in aiding and abetting Tiversa's attempt at extortion, apparently with the U.S. president’s approval. And they have the nerve to call it "government".

  7. clifford cuellar · 761 days ago

    I would lay most of the blame on Tiversa. Its true that LabMD is culpable for not encrypting the data before transmitting it (and why transmit using public methods?),
    Tiversa is guilty of:
    Downloading data that is not theirs (just trolling);
    Trying to extort LabMD instead of returning the data;
    When that failed, then reporting to the Feds in a "sour grapes" move;
    Pretending to have acted in good faith in reporting, although if the chronology above is even semi-accurate, it was only reported after the extortion attempt failed.

    I would throw the book at Tiversia, while propelrly punishing LabMD with restitution costs for any identity theft problems and a possible fine, then maybe two years of compliance audit, but not the ridiculous 20 years.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog