Patient Data On Filesharing Service Provokes Legal Trouble

Android Security: 8 Signs Hackers Own Your Smartphone

In 2008, cyber-intelligence company Tiversa notified LabMD, a small Atlanta medical testing lab, that it had found a 1,700-page file from the lab containing sensitive patient information on a peer-to-peer network and offered its services to remediate the problem.

But Tiversa wouldn't reveal where the file was found or how it was discovered unless LabMD hired the company.

"This smelled of extortion," said LabMD president and CEO Michael J. Daugherty, and he refused to do business with Tiversa. So began a twisted and cautionary tale for small businesses about government requirements for protecting sensitive data.

The Federal Trade Commission obtained a copy of the stolen document from Tiversa and in August of this year filed an administrative complaint alleging the lab failed to secure patient data reasonably and lacked a comprehensive data security program. Daugherty calls this action regulatory overreach and chose to fight back, writing about his experience in a recently published book, "The Devil Inside the Beltway." In it, he accuses Tiversa and the FTC of conspiring in a shakedown.

Perhaps not surprisingly, these accusations resulted in federal lawsuit filed in September by Tiversa CEO Robert Boback alleging defamation. But the story is also about the challenges of using filesharing technology.

[What part does site design play in convincing people to sign up for healthcare? Read Health Insurance Exchanges Struggle To Charm Customers.]

The underlying problem is a vulnerability -- or a feature, depending on your point of view -- that can inadvertently expose private files to a filesharing network.

Peer-to-peer networks remove the distinction between client and server, giving other users direct access to files that have been downloaded and stored in a shared folder. The networks often are used to share music and other entertainment files, but the apps also can expose other data on your computer. According to a 2006 study by the US Patent and Trademark Office, if a downloaded file is moved out of the shared folder to a new one, that file can give most filesharing applications access to all the data in the new folder as well.

This risk was not widely understood in 2008, but that reportedly is what happened at LabMD, where a copy of the peer-to-peer app LimeWire was found on a company computer. Tiversa searches and copies files from peer-to-peer networks, selling its services to victims of this type of data leakage when it finds suspect material. It also works with law enforcement.

Daugherty says he is not convinced that his stolen file came from LimeWire, but when Tiversa's Boback testified before Congress about the problem in 2009, the FTC began investigating the issue with material obtained from Tiversa. LabMD fell under the FTC's microscope and Daugherty says he was bullied to accept an agreement that would have placed his company under FTC supervision for 20 years. When he refused, the FTC filed its complaint.

For its part, Tiversa denies that it collaborated with the FTC in any schemes and says it provided information about leaked files to the agency only under threat of subpoena and without compensation.

Daugherty is not convinced. "What is a private company doing downloading other peoples' files and holding them?" he said. "This is insanity."

Insane or not, the resolution of the issue remains years away. The FTC action now is in an administrative court, where Daugherty says he plans to continue contesting it despite what he said are poor chances of his prevailing. Only then can it proceed to a civil court. "We've got a good two more years here," he said.

The FTC declined to comment on Daugherty's allegations or the complaint against him beyond what has already been released. Although the complaint itself has not been made public because it contains confidential business information, the agency announced the complaint in an August 29 press release that quotes Jessica Rich, director of the FTC's Bureau of Consumer Protection. "The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users."

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News.

Too many companies treat digital and mobile strategies as pet projects. Here are four ideas to shake up your company. Also in the Digital Disruption issue of InformationWeek: Six enduring truths about selecting enterprise software. (Free registration required.)