The story of what happened to Michael Daugherty and his company, LabMD, has a lot of twists and turns and bad guys pretending to be good guys – and even good guys acting in a pretty overbearing way. It’s resulted in accusations of unethical behavior and intimations of extortion by a cyber investigation company and Daugherty hoping to eventually sue the Federal Trade Commission. Beyond all of that, the bottom line is that because of a security mistake made by a single employee,
the Atlanta-based blood, urine and tissue-testing company had to spend hundreds of thousands of dollars in system and software upgrades, hundreds of thousands more on legal fees, and still ended up being forced out of business. Dozens of employees lost their jobs, and lives were turned upside down.
CAN A SMALL DATA BREACH OR HIPAA VIOLATION CLOSE YOUR BUSINESS?
LabMD’s problems begin in May of 2008 when the company was contacted by a cyber investigation company indicating that they had access to company files, including patient information. As a laboratory that provides testing services to urologists, LabMD was required to be fully compliant with HIPAA, the Health Insurance Portability and Accountability Act, and failure to protect patient information could lead to disastrous results. The company swiftly conducted an internal investigation that identified the source of the problem: a billing department manager had used the file-sharing software LimeWire to download music to her office computer. In doing so had left the company open to sharing via the service’s peer-to-peer network. Her actions not only violated company policy but left the personal information of thousands of patients vulnerable. Average costs of a data breach.
LabMD’s I.T. department quickly addressed the problem. They scrubbed the offending software off of their system, then ran their own extensive and lengthy external search to determine for themselves whether the information had been compromised, and found no evidence that it had been.
Unfortunately, that is not where the story ends. The cyber investigation company, Tiversa, continued to contact LabMD about utilizing their costly peer-to-peer network monitoring service. They indicated that they felt compelled to report the file that they had found to the Federal Trade Commission (FTC). LabMD chose not to utilize Tiversa, and months later received a letter from the FTC indicating that an inquiry had been initiated into a file found on a peer-to-peer network.
The FTC is tasked with both promoting competition and protecting consumers. This responsibility has come to include information and data security, and in most cases, companies that are investigated choose to settle the cases against them rather than engaging in costly litigation. LabMD chose not to settle, and the end result was that they spent the next few years facing hundreds of questions to answer under oath, submitting thousands of pages of documents, called to dozens of face-to-face meetings and interviews with FTC lawyers, and having employees required to provide hours of testimony. The company spent a small fortune on system and software upgrades and on legal fees, all the while trying to prove that it had been one among many victims of a scenario in which the FTC had relied upon questionable information from Tiversa. The problem was so widespread that the House Oversight Committee investigated, and ended up issuing a staff report on the company based on whistleblower testimony. The report concluded that the FTC had abandoned their own mission of “good government” by relying on Tiversa, that they had used the company to “obtain information validating its regulatory authority” in exchange for giving the company “actionable information that it exploited for monetary gain.”
The LabMD case is continuing in court to this day, but the fact that it targets FTC and vendor overreach overlook the fact that Daugherty had to close his company down in January of 2014 as a result of a failure to provide and follow proper security. The financial and legal strain, the closure of the company, the loss of jobs would never have arisen had the company and its employees acted responsibly. In LabMD’s case, Tiversa employees had been tasked to find this kid of exploitable mistake, and there are many other unethical actors who are looking to take advantage of similar mistakes such as failure to properly destroy hard drives or digital media. It is incumbent upon companies that hold confidential information such as Social Security numbers and patient medical and financial information to do all of the appropriate internal training and self-monitoring required by law, as well as to take all appropriate action to ensure that they are complying with data privacy laws.