LabMD and the 1718 File
Michael Daugherty founded LabMD — a clinical and anatomic lab which conducted cancer screenings — in 1996 by. In nine years, the company accumulated 750,000 unique clients. One LabMD employee downloaded a peer to peer sharing program called LimeWire which left a file with the company’s clients’ Personally Identifiable Information (PII) open and vulnerable to all LimeWire users. A computer security company called Tiversa discovered the file while trolling such networks, looking for such vulnerabilities to use as sales pitches for its services.
The most important point of failure in this catastrophe was one employee who downloaded the program, either unaware of the policy against unauthorized software or ignoring it completely. Despite having an Information Technology (IT) team and an appropriate IT policy, LabMD did not employ software could have easily prevented all downloads of this popular program. Entrusted with so many customers’ PII, LabMD should have had better practices in place.
When the issue was brought to court, Daugherty initially cooperated with the Federal Trade Administration’s (FTC) settlement. However, when it came down to signing the paperwork, Daugherty learned this would all be a part of the public record. He was afraid of hurting LabMD’s future customer base and refused to sign. This was not the best decision in the end. LabMD was forced to end operations during its protracted legal battle with the FTC.
The case resulted in the FTC’s jurisdiction officially extending to the world of cybersecurity, based on its mandate to prevent “unfair or deceptive practices in or affecting commerce.” The FTC has interpreted this mandate broadly to adapt to new technology, but it will be left to the U.S. justice system to determine how far that mandate will extend.
Back in 1996, Michael Daugherty—a medical device salesman of 14 years—founded a company called LabMD. Daugherty served as the president and CEO of the company throughout its duration. LabMD was a clinical and anatomic lab that conducted cancer screening tests. By 2005, the Georgia-based lab acquired 750,000 unique patients nationwide.
Also in 2005, LabMD’s billing manager downloaded a program called LimeWire—a free peer-to-peer (P2P) sharing network—onto her work computer. Her purpose for the download was to acquire personal files, such as music and movies. The billing manager designated her My Documents folder as one which LimeWire could use to save downloads. This setting gave LimeWire and its users access to anything within that folder on her computer. (In, 2016)
There was one file in that folder that contained personally identifiable information (PII.) Specifically, it housed a folder with the 1718-page document containing the addresses, names, birthdays, and social security numbers of all 750,000 patients. If the file was ever discovered by any of the millions of LimeWire users, it would have exposed the company to a substantial data breach. (In, 2016)
In 2008, Tiversa Holding Company (Tiversa), a computer security consulting company, had been combing through various P2P networks looking for just such an opportunity. They found many instances of files just like the “1718 file” (as the LabMD patient database was dubbed in later court proceedings). Tiversa did this, because the company was finding these files and then allegedly blackmailing corporations into paying for their security services.
LabMD refused Tiversa’s services, and Tiversa reported the vulnerability to the Federal Trade Administration (FTC.) In spite of the ethical implications of Tiversa’s practices, the FTC launched an investigation. The ensuring legal battle crippled LabMD with legal fees, eventually causing the company to have to close its doors. The company is still fighting this legal battle. (Curious, 2014)
This paper will explore the events which lead to the demise of LabMD.
IT Policy is not IT Practice
Both the genesis and duration of LabMD's ordeal were exacerbated by the company's internal data protection practices, or lack thereof. The company relied on cost-free company policies to safeguard its critical data infrastructure rather than enterprise-level management software. When one of those policies was inevitably violated, the company was immediately thrust into a defensive posture from which it never recovered.
According to a sympathetic summary of LabMD's collapse, published by Bloomberg in 2016, the company did have an information technology team and a company-wide computer use policy. When Tiversa initially contacted LabMD about its leaked database in 2008, Bloomberg portrays the IT team as springing into action and closing the leak. “LabMD’s four-person IT team found the problem almost immediately ... The billing manager’s computer was the only
machine at LabMD with LimeWire—having it was a violation of company policy—and the tech staff removed it,” wrote author Dune Lawrence. (Lawrence, 2016)
However, an account published by Russell Brandom in The Verge in 2015, paints a
murkier picture of the IT team's response. “Unsure of which employee was using the service, LabMD had trouble getting the file off the network,” Brandom wrote. (Brandom, 2015)
LabMD owner Michael Daugherty may have improved his talking points in the year between The Verge and Bloomberg's stories. However, the discrepancy is largely irrelevant. LabMD relied on the human beings in its employ to not break the rules. One of them broke the rules and caused a leak, leaving the IT team to uselessly point fingers.
As a medical testing provider, LabMD was governed by Title II of the Health Insurance Portability and Accountability Act of 1996. The law required administrative, physical, and technological safeguards of computer systems handling patient data. The law had been in effect for more than a decade at the time of the 2008 LabMD breach, and the federal rule-making defining compliance with the law had been in existence for five years. HIPAA was not new, and HIPAA was not undefined. (Department of Health and Human Services, 2013)
LabMD had access to the software required for enterprise asset management. The Microsoft Windows NT operating system had been commercially available since in 1993. (Zachary, 2009) However, enterprise-level operating system controls often require experienced IT professionals to properly configure and maintain them. And enterprise software commands higher prices than their comparable consumer versions. The fact that a LabMD employee was capable of installing unauthorized software on her asset in violation of company policy exposes the fact that LabMD had not implemented enterprise asset control, thus not taking necessary technological precautions to protect its data under HIPAA rules.
LabMD's failure to institute more robust data security practices became the bases for the FTC’s 2013 administrative complaint against the company, the FTC directly alleged that LabMD had not installed enterprise management software and accused it of adopting an inexpensive approach to data management in other ways:
Among other things, [LabMD] … did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities on its networks … did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs … did not require employees, or other users with remote access to the networks, to use common authentication-related security measures, such as periodically changing passwords, prohibiting the use of the same password across applications and programs, or using two-factor authentication … did not maintain and update operating systems of computers and other devices on its networks. (Ramirez, 2013)
The factors that led to LabMD’s irreversible crisis of bankruptcy and data breach were lack of awareness about cyber-attacks, poor team decisions on mitigating security threats, and an inability to comply with the FTC rules. The company’s unreasonable data security practices resulted in it being accused of an unfair trade practice under Section 5 of the Federal Trade Commission Act. (Federal Trade Commission, 2013)
LabMD lacked the basic precautions to protect sensitive consumer information, such as an intrusion detection system, firewall traffic monitoring, employee security training, and detection of consumer data in their system. (FTC, 2013) LabMD’s billing manager downloaded LimeWire Workstation on a computer that contained sensitive files without considering any security threats to the company. As the result, 750,000 of its patients’ confidential information including names, dates of birth, SSNs, CPT codes, and health insurance policy numbers were compromised and discovered by Tiversa. (Health Law Offices, n.d.)
The company should have had its security team review all open source software before an employee was approved to download it. This could have ensured that there was no vulnerability found with LimeWire. Lack of an open source approval process and awareness of security threat allowed hackers access to control the company’s data.
The company also lacked employee security training, such as guidelines on appropriate internet use. LabMD should have completed training on the appropriate usage of the Internet. The training should have informed employees not to view or upload materials that could cause security threats. (FCC, n.d.)
Even though LabMD’s IT team found the problem immediately when Tiversa contacted them about the data leak and uninstalled the LimeWire from the employee’s machine, the data was already distributed, and the IT team was not able to retrieve it. Tiversa offered to fix the problem for a fee. Daugherty, who believed that Tiversa overstated the threat to sell its services to LabMD, was much more focused in blaming Tiversa instead of focusing on the solution to minimize the threat and retrieving the compromised patient data. LabMD’s CEO closed the communication with Tiversa and directed the company to LabMD’s lawyer. This urged Tiversa to report the case to the FTC, which exacerbated the situation. (Lawrence, 2016) Knowing the patients’ information was at risk, Daugherty could have made a deal with Tiversa or another company before the issue spiraled out of his control. The company had no standing incident response plan in case of a cyber-attack.
When the FTC found LabMD guilty for failure to secure the data; they ordered the company to implement a comprehensive information security program and have that program evaluated every two years by an independent, certified security professional for the next 20 years. They also required the company to inform their customers about the data breach. (FTC) LabMD’s decision to appeal instead of complying with the FTC’s orders, led the company to bankruptcy from accrued to legal fees. It appears that the CEO was much more interested in appealing and proving himself right than assessing the situation by listening his subordinates. He was not inclusive in decision making with subordinates. As Michael Daugherty stated, “Those employees blamed me. It’s like, ‘why don’t you just settle with them? Why are you being so stubborn?’”(Lawrence, 2016) According to Lawrence, Chris Hoofnagle, a UC Berkeley professor, stated whether the LabMD issue resulted in deception or unfairness, the use of P2P software on a computer used for medical record could still be unreasonable for a medical service provider. (Brandom, 2015)
Looking at the company’s lack of security protection, mishandling sensitive information, and poor decision making on security threats, it is likely that LabMd is responsible for the bankruptcy. Daugherty could have avoided the bankruptcy by admitting his company’s unreasonable data security practice and complying with FTC’s orders on how to protect personal information, such as encrypting sensitive information, checking software vendors’ websites regularly, using a firewall, and implementing a breach response plan. (Schencker, 2015)
After Triversa notified LabMD that their patient files were compromised, LabMD alleged that Triversa infiltrated into their network and purposely caused the breach. They also alleged that Triversa provided false information to the FTC. LabMD implied that Triversa’s actions proved that they planned to report LabMD if the company declined to contract Triversa to correct the breach.
Taking the ethical and easiest approach to a solution, Daugherty initially thought working with the FTC and not allowing Triversa to extort paid services from them would be the swiftest path to a favorable solution. (Brandom, 2015)
Many of the employees believed that, Daugheryy acting on behalf of LabMD, should have settled with the FTC. LabMD would have been required to sign a consent decree. Although signing a consent decree is not an admission of guilt, the FTC publishes the contents of the consent decrees. Daugherty believed that if LabMD agreed to sign the decree, their customer base would believe that the company had a weak data loss prevention program and would elect not to do business with him. This could ultimately lead to a loss in their business revenues. (Brandom, 2015)vDaugherty decided to contest the FTC, and the decision to fight ultimately led to the demise of LabMD.
LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal. (Lawrence,2016)
In January 2014, LabMD ceased operation and closed its doors. The following April, Daugherty received news from a Triversa employee, Richard Wallace, who said he was instructed by his superiors to create evidence of web addresses where the LabMD file had supposedly been found. This testimony became evidence for LabMD in its legal contest with the FTC.
Although LabMD is now defunct and his employees have been laid off, Daugherty and his pro bono attorneys continued the company’s fight against the FTC in July 2016 in the U.S. Court of Appeals for the Eleventh Circuit. LabMD’s lawyer argued that, “the FTC demolished a small medical testing company by exceeding its authority.” Any legal victory for LabMD will be moot at this point.
During the investigation, Tiversa was uncooperative and drew attention of the House Oversight Committee, which was unimpressed by the Tiversa's tactics both before and after the FTC's investigation of LabMD. (Lawrence, 2016)
The FTC now has new mandate to regulate cybersecurity. Section 5 of the FTC Act, dating back to 1914, prohibits, “unfair or deceptive business practices in or effecting commerce.” Not surprisingly, the act makes no mention cybersecurity. However, the FTC has long maintained that Congress intended for the word “unfair” to be interpreted broadly and flexibly to allow the agency to protect consumers as technology changes. Most early consumer privacy cases brought by the FTC came under the “deception” prong of Section 5. They targeted companies that gave false data security or privacy representations to their customers through websites or other applications. In 2002, the FTC started asserting claims based on “unfair” cybersecurity practices. For the next 10 years, all actions brought by the FTC resulted in negotiated consent agreements, with no company testing the FTC’s statutory authority to regulate cybersecurity. While some companies questioned the FTC’s authority, they all settled rather than engage in an embarrassing legal battle. That changed when the FTC sued Wyndham Worldwide Corp. in 2012. (William, 2017) In this case,
“The FTC’s prophylactic powers, moreover, may be limited by the Eleventh Circuit’s opinion. Whereas the FTC found authority to pursue companies whose poor security infrastructure makes consumers vulnerable — even if they have not yet suffered injury — the court now requires something more. The opinion does not require the FTC to wait for a high probability of consumer harm, but at the same time prevents the FTC from pursuing cases where the risk of exposure is low even if the harm would be severe (i.e. in the case of poor security for highly sensitive data). It therefore remains unclear how much risk consumers must face before the FTC can pursue companies with inadequate security.” (Heimes, 2016)
This is a problem which could have been easily avoided. LabMD should have had sufficient computer security measures in place. However, LabMD’s demise could be seen as a bit of a blessing in disguise. While the company did suffer, the greater information technology community received clearer guidance for FTC regulations. These regulations may seem onerous to some in the industry, but they encourage extra security so something like the LabMD case does not have to happen again.
Barber, R. (2016, December 30). LabMD challenges scope of FTC's cyber authority
Retrieved March 4, 2017, from http://www.benefitspro.com/2016/12/30/labmd-
Brandom, R. (2015, May 19). Did this cybersecurity firm use a data breach for extortion? Retrieved March 4, 2017, from http://www.theverge.com/2015/5/19/8622631/labmd-data-breach-tiversa-security-ftc-lawsuit
Denny, William R. "Cybersecurity as an Unfair Practice: FTC Enforcement under Section 5 of
the FTC Act." Business Law Today. American Bar Association, 2017. Web. 1 Mar. 2017
Department of Health and Human Services. (2013, July 26). Summary of the HIPAA security rule. Retrieved March 4, 2017, from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
Federal Trade Commission. (2013, August 29). FTC files complaint against LabMD for failing to protect consumers' privacy. Retrieved from https://www.ftc.gov/news-events/press-releases/2013/08/ftc-files-complaint-against-labmd-failing-protect-consumers
Federal Trade Commission. (2016, July 29). Commission finds LabMD liable for unfair data security practices. Retrieved from https://www.ftc.gov/news-events/press-releases/2016/07/commission-finds-labmd-liable-unfair-data-security-practices
Health Law Offices. (n.d). The LabMD Case: What Does it Mean for HIPAA Covered Entities?.Retrieved from http://www.healthlawoffices.com/the-labmd-case-what-does-it-mean-for-hipaa-covered-entities/
Heimes, Rita. "US Appeals Court Narrows FTC's 'unfair' Standard in LabMD Case." US Appeals
Court Narrows FTC's 'unfair' Standard in LabMD Case. International Association of Privacy Professionals, 16 Nov. 2016. Web. 01 Mar. 2017.
HIPAA Journal. (2015, Nov 22). FTC data breach case against LabMD dismissed. Retrieved from http://www.hipaajournal.com/ftc-data-breach-case-against-labmd-dismissed-8187/
IN THE UNITED STATES COURT OF APPEALS FOR THE ELEVENTH CIRCUIT. (2016,
October 11). Retrieved March 03, 2017, from
Khaire, Teresa AmabileMukti. “Creativity and the Role of the Leader.” Harvard Business
Review. Harvard Business Review, 31 July 2014. Web. 09 Mar. 2017.
Lawrence, D. (2016, April 26). A leak wounded this company. Fighting the feds finished it off.
Retrieved March 4, 2017, from https://www.bloomberg.com/features/2016-labmd-ftc-
Lesile, Jean Brittain, and Kim Palmisano. The Leadership Challenge. The Art of Educational
Leadership: Balancing Performance and Accountability (n.d.): 1-28. Center for Creative
Leadership. CCL, 2014. Web.
Ramirez, Edith, Brill, Julie, Ohlhausen, Maureen K. & Wright, Joshua D. (2013, Aug. 29). In the
Matter of LabMD, Inc., a corporation. Retrieved from FTC.gov.
Schencker, L. (2015, August 24). Federal appeals court affirms FTC's power to regulate cybersecurity. Retrieved from http://www.modernhealthcare.com/article/20150824/NEWS/150829943
Section 4. Building Teams: Broadening the Base for Leadership. Chapter 13. Orienting Ideas
in Leadership| Section 4. Building Teams: Broadening the Base for Leadership| Main
Section| Community Tool Box. Community Tool Box, 2016. Web. 09 Mar. 2017.
The Curious Case of LabMD: New Developments in the “Other” FTC Data-Security Case.
(2014, August 11). Retrieved March 03, 2017, from https://www.mayerbrown.com/The-
Zachary, G. (2009) Showstopper!: The breakneck race to create Windows NT and the next generation at Microsoft. New York: E-Rights/E-Reads. ISBN 0-7592-8578-0.