I sue you, you sue me
We both sue too easily
Too easily to let it show
I sue you and that’s all I know.
— Lyrics never written by Jimmy Webb nor ever sung by Art Garfunkel
On March 3, the administrative hearing in FTC v. LabMD will resume with former Tiversa employee Rick Wallace scheduled to take the stand under immunity. Wallace is expected to testify that information and testimony provided by Tiversa CEO Robert Boback was inaccurate, at best. I expect the FTC will try to discredit Wallace, using some of the information Tiversa submitted to the administrative law judge concerning Wallace’s post-termination activity and criminal record. I wouldn’t be surprised if things get ugly if Wallace testifies that he fabricated data about where the LabMD file was found, and that he did so at Tiversa’s request.
The administrative case is only one of a number of cases that have been filed as a result of the FTC complaint against LabMD. Here’s a brief recap of what’s going on in the various cases:
FTC v. LabMD
As noted above, Wallace will testify on March 3. During a two-hour recess that day, the FTC will be able to depose Wallace on a few relevant points. The FTC had declined to depose Wallace when they had the opportunity, but after they closed their case – and when the nature of his anticipated testimony under immunity became clear to them – they sought permission to depose him. Judge Chappell denied in part and granted in part the FTC’s motion.
For those less familiar with this case: when the FTC initiated its investigation of LabMD, it was originally over the exposure of information (the “1718 File”) on a P2P network. The FTC admitted that it did not investigate whether any misuse of the information had occurred, and in filings, has taken the position that the exposure/availability of the information to download is a “cognizable injury”:
Respondent stipulated that the 1718 File, containing sensitive personal information on thousands of consumers, was available for sharing on a P2P network. JX0001, Facts 10-11. As Complaint Counsel previously explained, even if found only at LabMD, the “1718 File’s presence on a P2P network would remain a cognizable injury, if for no other reason than that others had access to it.” Opp. to Mot. for Sanctions (Aug. 25, 2014) at 7. [COMPLAINT COUNSEL’S OPPOSITION TO RESPONDENT’S MOTION TO ADMIT RX-543 – RX-548, January 2, 2015].
As noted previously on PHIprivacy.net, the incident was not even a reportable breach under HIPAA in 2008, and there’s never been any evidence of misuse of information or actual harm to individuals, but the FTC seemed to think this case was worth pursuing.
Where the file was found, how it was found, and whether the FTC independently confirmed any of Tiversa’s claims about where and how the file was found are issues that LabMD has raised in its defense, but there are many who believe that any acknowledgement that the file was available on a file-sharing network means it’s “game over” for LabMD.
According to a statement provided today to PHIprivacy.net by Robert Boback, by November 2012, the 1718 File had been found on 7 (seven) IP addresses, and these IP addresses had been documented in an email from Wallace. Boback says that prior to his testimony in the administrative case, he asked Wallace about the file and was reminded about four of the IP addresses, but not the other three. According to him, then, there is documentation showing that the file had been found in a number of locations. LabMD has challenged that claim, but assuming, for now, that Boback’s statement is accurate, did FTC verify this independently? And if they didn’t, is that cause for concern? Should a federal agency be basing a prosecution or administrative proceeding on information provided by a third party that it hasn’t verified independently? If FTC did any independent investigation on the 1718 File’s exposure, it is not clear in the administrative hearing transcripts. In a related case, they acknowledged that they did not attempt to determine if any of the patients whose data were exposed had experienced any harm from the exposure or if there was any misuse of any of the information.
Of note, during the course of its investigation, the FTC became aware of a second incident where information on paper records was found in the possession of criminals in California. That incident is also part of the FTC’s complaint, although again, it appears that the FTC did not conduct any independent investigation and relied on others’ reports (in this case, law enforcement).
LabMD v. FTC
To date, LabMD has been unsuccessful in getting the federal courts to dismiss the FTC’s administrative complaint, with the courts generally holding that they do not have the authority to consider the challenge to the FTC’s data security enforcement authority until after the administrative case has run its course. This week, the 11th Circuit affirmed the district court’s dismissal of the challenge for lack of subject-matter jurisdiction.
Tiversa Holding Corp. and Robert J. Boback v. LabMD, Michael J. Daugherty, Richard Edward Wallace, Cause of Action Institute
Tiversa and its CEO Robert Boback are suing LabMD, its CEO, their former employee Rick Wallace, and LabMD’s counsel in state court in Allegheny County, Pennsylvania.
The lawsuit was filed October 31, 2014, and includes counts of Defamation, Slander per se, Commercial Disparagement/Trade Libel, Tortious Interference with Contractual Relations (two counts), Civil Conspiracy, and Breach of Contract (Wallace). The bulk of the defamation claims are based on Daugherty’s book, The Devil Inside the Beltway, while the slander count deals with statements Daugherty has made in media interviews.
Tiversa is represented by Jarrod D. Shaw and Lucas Liben of Reed Smith LLP. Docket GD-14-016497.
The suit was originally filed in federal court, but was withdrawn there and filed in state court.
LabMD v. Tiversa Holding Corp., Robert J. Boback, M. Eric Johnson, Does 1-10.
LabMD is suing Tiversa, its CEO, a Dartmouth researcher who published an article repeating claims about LabMD’s 1718 file, and unnamed others for Conversion, Defamation per se, Tortious Interference with Business Relations, Fraud, Negligent Misrepresentation, Civil Conspiracy, Violation of Racketeer Influenced and Corrupt Organizations Act (“RICO”) 18 U.S.C. § 1962(c), 18 U.S.C. § 1962(d), Punitive and Treble Damages, Attorneys’ Fees and Expenses of Litigation.
LabMD is represented by John R. Gotaskie, Jr. of Fox Rothschild and Michael Eric Ross of Taylor English Duma LLP.
The case was filed yesterday in federal court, Western District of Pennsylvania. Docket 2:15-cv-00092.
In response to this lawsuit, Tiversa CEO Robert Boback issued the following statement to PHIprivacy.net:
This is LabMD’s desperate attempt to distract people (yet again) from the indisputable fact, which Daugherty admits under oath, that LabMD exposed thousands of patients’ sensitive information. LabMD is also trying to save face after Tiversa exposed LabMD’s conduct in a recently filed case in Pennsylvania. Rather than take responsibility for its actions – exposing patient information on a peer to peer network – LabMD has elected to file a frivolous lawsuit. Tiversa will vigorously defend this lawsuit and will take the necessary steps to hold LabMD accountable for pursuing baseless litigation. LabMD conveniently leaves out several important facts in the filings and misrepresents others as fact in their aforementioned efforts. We have recently learned of significant evidence from current and former federal, state and local law enforcement officials that has shed considerable light on this case. In light of this new revelation, we look forward to the “testimony” of Mr. Wallace in March.
There is nothing new that we haven’t heard before from LabMD. They interestingly make some very serious criminal allegations in the civil suit, yet I only wish that they would make those same criminal allegations to law enforcement… which to my understanding, they have not. If someone really believed that those criminal acts took place, they would call the police or the FBI and would file a CRIMINAL complaint. A criminal complaint would open them up to prosecution however, if, and when, it turns out to be false. I’m sure that they know this and this has clearly factored into their not doing so. An important point to take note of is that no company or individual has EVER filed a criminal complaint about Tiversa in our entire history. This undeniable fact, that they clearly omit, seems fairly significant.
Asked about Boback’s comment about the lack of any criminal complaint, Michael Daugherty responded:
“I am not at liberty to comment on anything regarding criminal investigations…even in response to Tiversa’s factual ignorance.”
How Much Evidence Does FTC Need to Find a Violation of Section 5?
Once upon a time, there was a file with protected health information. It seems to have wound up exposed to file-sharing due to an employee not following policy. Is that enough to warrant a full FTC investigation and complaint? Did it matter to them in deciding whether to pursue a complaint whether the file was actually downloaded by others? And if that did matter, should the FTC have independently verified any reports it received from Tiversa about where the file was found? And should they have at least attempted to determine if the information had ever been misused or resulted in significant harm or injury to the patients?
If any entity makes an error that exposes PII or PHI and that is somehow a “cognizable injury,” does that mean everyone is pretty much at risk of an FTC investigation and complaint? Given its limited resources, shouldn’t FTC enforcement actions be restricted to more serious situations? Could any of us be found totally compliant with the FTC’s data security standards – standards that had not even been clearly defined at the time of the incident?
There are so many serious breaches out there that I wish the FTC would focus on, such as the DiGiallorenzo breach covered previously on this blog or the MCCCD breach covered on DataBreaches.net. Why have they spent so much time and so many resources on this case? LabMD folded under the weight of the investigation costs, the insurance problems the investigation caused, and the litigation that resulted when they refused to settle via a consent order that would have imposed onerous conditions. Isn’t that enough already?