Patient Data On Filesharing Service Provokes Legal Trouble - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Government // Cybersecurity

Patient Data On Filesharing Service Provokes Legal Trouble

Medical file reportedly found on a peer-to-peer filesharing network leads to an FTC complaint, a federal lawsuit, and a book claiming regulatory overreach.

Android Security: 8 Signs Hackers Own Your Smartphone
Android Security: 8 Signs Hackers Own Your Smartphone
(click image for larger view)

In 2008, cyber-intelligence company Tiversa notified LabMD, a small Atlanta medical testing lab, that it had found a 1,700-page file from the lab containing sensitive patient information on a peer-to-peer network and offered its services to remediate the problem.

But Tiversa wouldn't reveal where the file was found or how it was discovered unless LabMD hired the company.

"This smelled of extortion," said LabMD president and CEO Michael J. Daugherty, and he refused to do business with Tiversa. So began a twisted and cautionary tale for small businesses about government requirements for protecting sensitive data.

The Federal Trade Commission obtained a copy of the stolen document from Tiversa and in August of this year filed an administrative complaint alleging the lab failed to secure patient data reasonably and lacked a comprehensive data security program. Daugherty calls this action regulatory overreach and chose to fight back, writing about his experience in a recently published book, "The Devil Inside the Beltway." In it, he accuses Tiversa and the FTC of conspiring in a shakedown.

Perhaps not surprisingly, these accusations resulted in federal lawsuit filed in September by Tiversa CEO Robert Boback alleging defamation. But the story is also about the challenges of using filesharing technology.

[What part does site design play in convincing people to sign up for healthcare? Read Health Insurance Exchanges Struggle To Charm Customers.]

The underlying problem is a vulnerability -- or a feature, depending on your point of view -- that can inadvertently expose private files to a filesharing network.

Peer-to-peer networks remove the distinction between client and server, giving other users direct access to files that have been downloaded and stored in a shared folder. The networks often are used to share music and other entertainment files, but the apps also can expose other data on your computer. According to a 2006 study by the US Patent and Trademark Office, if a downloaded file is moved out of the shared folder to a new one, that file can give most filesharing applications access to all the data in the new folder as well.

This risk was not widely understood in 2008, but that reportedly is what happened at LabMD, where a copy of the peer-to-peer app LimeWire was found on a company computer. Tiversa searches and copies files from peer-to-peer networks, selling its services to victims of this type of data leakage when it finds suspect material. It also works with law enforcement.

Michael J. Daugherty
Michael J. Daugherty

Daugherty says he is not convinced that his stolen file came from LimeWire, but when Tiversa's Boback testified before Congress about the problem in 2009, the FTC began investigating the issue with material obtained from Tiversa. LabMD fell under the FTC's microscope and Daugherty says he was bullied to accept an agreement that would have placed his company under FTC supervision for 20 years. When he refused, the FTC filed its complaint.

For its part, Tiversa denies that it collaborated with the FTC in any schemes and says it provided information about leaked files to the agency only under threat of subpoena and without compensation.

Daugherty is not convinced. "What is a private company doing downloading other peoples' files and holding them?" he said. "This is insanity."

Insane or not, the resolution of the issue remains years away. The FTC action now is in an administrative court, where Daugherty says he plans to continue contesting it despite what he said are poor chances of his prevailing. Only then can it proceed to a civil court. "We've got a good two more years here," he said.

The FTC declined to comment on Daugherty's allegations or the complaint against him beyond what has already been released. Although the complaint itself has not been made public because it contains confidential business information, the agency announced the complaint in an August 29 press release that quotes Jessica Rich, director of the FTC's Bureau of Consumer Protection. "The FTC is committed to ensuring that firms who collect that data use reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other unauthorized users."

William Jackson is a technology writer based in Washington, D.C. He has been a journalist for more than 35 years, most recently covering the $80 billion federal government IT sector for Government Computer News.

Too many companies treat digital and mobile strategies as pet projects. Here are four ideas to shake up your company. Also in the Digital Disruption issue of InformationWeek: Six enduring truths about selecting enterprise software. (Free registration required.)


We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
David F. Carr
David F. Carr,
User Rank: Author
12/23/2013 | 4:29:43 PM
Specific to LimeWire?
Is this really a categorical issue with file sharing software, or was it a vulnerability in this specific file sharing app? Should users of Box or Dropbox be worried about the same thing?
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Time to Shift Your Job Search Out of Neutral
Jessica Davis, Senior Editor, Enterprise Apps,  3/31/2021
Does Identity Hinder Hybrid-Cloud and Multi-Cloud Adoption?
Joao-Pierre S. Ruth, Senior Writer,  4/1/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll