Back in July, I reported that LabMD had unsuccessfully attempted to sue Tiversa in Georgia for allegedly stealing its property. At issue was a file containing PHI on 1,718 patients that Tiversa had downloaded as part of a research project after the file was exposed via P2P software on LabMD’s system. In its 2009 press release on its research, Tiversa did not name LabMD, but the matter eventually came to the FTC’s attention, who opened an investigation and took LabMD to court when it failed to fully comply with an investigative demand. LabMD was ordered to comply, and in August, the FTC sued LabMD for failure to adequately protect consumer information. LabMD responded forcefully to the complaint in a press statement, alluding to Tiversa as “Internet trolls.” In other statements, they’ve described Tiversa in other unflattering terms.
Now it seems that Tiversa is suing LabMD. Erin McAuley reports:
A cyber-intelligence company and its CEO sued the author of the book “The Devil Inside the Beltway,” claiming it falsely accused them of assisting “abusive government shakedowns” through “government-funded data mining & surveillance.”
Tiversa Holding Corp. and its co-founder and CEO Robert Boback sued LabMD Inc. and its CEO/author Michael J. Daugherty, in Federal Court.
Daugherty’s book is slated for publication on Sept. 17, by (nonparty) Broadland Press. Advance material published on the Internet identifies Daugherty as the CEO of LabMD.
[…]
Boback and Tiversa claim the book defames them: “In his video ‘trailer’ for the book, available on Mr. Daugherty’s personal website, Mr. Daugherty highlights his position as LabMD’s president and CEO and Mr. Daugherty alleges that Tiversa is part of a ‘Government Funded Data Mining & Surveillance’ scheme that engages in ‘Psychological Warfare’ and helps to assist in ‘Abusive Government Shakedown[s].’ See www.michaeljdaugherty.com. More specifically, Mr. Daugherty alleges Tiversa is conducting ‘300 Million Searches per day’ for ‘Homeland Security’ and the ‘Federal Trade Commission.’
Read more on Courthouse News.
Seemingly lost in most of the legal wrangling is the fact that it seems that no one whose data were in the “1718 file” were notified of the P2P exposure under HIPAA because LabMD took the position that no breach (as defined by HIPAA in 2008) had occurred.
So is HHS investigating this at all? HHS has not yet responded to an email sent by PHIprivacy.net inquiring as to whether HHS had ever opened (or concluded) an investigation of this incident. This post will be updated when I receive a reply.
Update: An HHS spokesperson responded to my inquiry with the following statement:
OCR decided not to join FTC in their investigation of these p2p sharings and we did not independently receive complaints. As you note, this was pre-HITECH, so there was and is no obligation on LabMD with respect to our breach notification requirements — whether any exist under state law would be for the state to determine.
The Interim Final Breach Breach Notification Rule did not become effective until September 2009. So if the breach occurred in 2008, is its unlikely that a report was required.
I suspect you’re right, and I had made the same point in my July post about the incident pre-dating HITECH. But those data may now have been in a number of hands since HITECH went into effect, so what then? I would think that the PHI lost any HIPAA protection it might have had once it came into the FTC’s hands, but how many parties have had access to the data since September 2009, and should HHS be looking into this?
HHS responded to my inquiry. See the update at the bottom of the post. You were correct.
I would think that Tiversa’s counsel would have advised Mr. Boback that there’s little hope of winning a case claiming slander, libel or defamation, when the subject statements can be proven to be true.
It also seems a bit difficult to base a lawsuit upon statements in a book that hasn’t yet been published. I guess I’m just a stickler for details.