12/23/2013
10:29 AM

Patient Data On Filesharing Service Provokes Legal Trouble

Medical file reportedly found on a peer-to-peer filesharing network leads to an FTC complaint, a federal lawsuit, and a book claiming regulatory overreach.


In 2008, cyber-intelligence company Tiversa notified LabMD, a small Atlanta medical testing lab, that it had found a 1,700-page file from the lab containing sensitive patient information on a peer-to-peer network and offered its services to remediate the problem.

But Tiversa wouldn't reveal where the file was found or how it was discovered unless LabMD hired the company.

"This smelled of extortion," said LabMD president and CEO Michael J. Daugherty, and he refused to do business with Tiversa. So began a twisted and cautionary tale for small businesses about government requirements for protecting sensitive data.

The Federal Trade Commission obtained a copy of the stolen document from Tiversa and in August of this year filed an administrative complaint alleging the lab failed to secure patient data reasonably and lacked a comprehensive data security program. Daugherty calls this action regulatory overreach and chose to fight back, writing about his experience in a recently published book, "The Devil Inside the Beltway." In it, he accuses Tiversa and the FTC of conspiring in a shakedown.

Perhaps not surprisingly, these accusations resulted in a federal lawsuit filed in September by Tiversa CEO Robert Boback alleging defamation. But the story is also about the challenges of using filesharing technology.


The underlying problem is a vulnerability -- or a feature, depending on your point of view -- that can inadvertently expose private files to a filesharing network.

Peer-to-peer networks remove the distinction between client and server, giving other users direct access to files that have been downloaded and stored in a shared folder. The networks often are used to share music and other entertainment files, but the apps also can expose other data on your computer. According to a 2006 study by the US Patent and Trademark Office, if a downloaded file is moved out of the shared folder to a new one, that file can give most filesharing applications access to all the data in the new folder as well.

This risk was not widely understood in 2008, but that reportedly is what happened at LabMD, where a copy of the peer-to-peer app LimeWire was found on a company computer. Tiversa searches and copies files from peer-to-peer networks, selling its services to victims of this type of data leakage when it finds suspect material. It also works with law enforcement.

Michael J. Daugherty

Daugherty says he is not convinced that his stolen file came from LimeWire, but when Tiversa's Boback testified before Congress about the problem in 2009, the FTC began investigating the issue with material obtained from Tiversa. LabMD fell under the FTC's microscope, and Daugherty says he was bullied into accepting an agreement that would have placed his company under FTC supervision for 20 years. When he refused, the FTC filed its complaint.

For its part, Tiversa denies that it collaborated with the FTC in any schemes and says it provided information about leaked files to the agency only under threat of subpoena and without compensation.

Daugherty is not convinced. "What is a private company doing downloading other people's files and holding them?" he said. "This is insanity."

Insane or not, the resolution of the issue remains years away. The FTC action now is in an administrative court, where Daugherty says he plans to continue contesting it despite what he said are poor chances of his prevailing. Only then can it proceed to a civil court. "We've got a good two more years here," he said.

The FTC declined to comment on Daugherty's allegations or the complaint against him beyond what has already been released. Although the complaint itself has not been made public because it contains confidential business information, the agency announced the complaint in an August 29 press release that quotes Jessica Rich, director of the FTC's Bureau of Consumer Protection. "The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users."

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News.


 

Comments
asksqn,
User Rank: Ninja
2/8/2014 | 6:14:54 PM
It's the dumb & dumberer superfecta of affirmative defense!
Boback files suit against the FTC and his cause of action is "shakedown"? LOL I've gone to law school and I don't ever recall seeing that listed in any serious complaint. One thing is for sure, Boback's line of offense certainly brings the concept of an affirmative defense to an art level - it is very creative and very obtuse at the same time.
David F. Carr,
User Rank: Author
12/23/2013 | 4:29:43 PM
Specific to LimeWire?
Is this really a categorical issue with file sharing software, or was it a vulnerability in this specific file sharing app? Should users of Box or Dropbox be worried about the same thing?