Government Oversight Committee Report May Change FTC Case Outcome

The course of an ongoing case, LabMD v. FTC, may be altered considerably as the result of a recently released report issued by the Committee on Oversight and Government Reform (OGR) that has been investigating the activities of Tiversa, Inc., a company the Federal Trade Commission (FTC) relied on heavily in its case against uropathology laboratory LabMD. OGR Chairman Darrell Issa sent a letter to Edith Ramirez, Chairwoman of the FTC concerning the Dec. 1, 2014 OGR report. In the letter, Issa informs Ramirez:
“The Committee has obtained documents and information indicating Tiversa failed to provide full and complete information about work it performed regarding the inadvertent leak of LabMD data on peer-to-peer computer networks. In fact, it appears that, in responding to an FTC subpoena issued on Sept. 30, 2013, Tiversa withheld responsive information that contradicted other information it did provide about the source and spread of the LabMD data, a billing spreadsheet file.” Background Briefly, this case concerns an FTC investigation of the security practices of LabMD, no longer operating allegedly as a result of the investigation and the subsequent FTC enforcement action. The investigation was primarily based on a LabMD computer file that contained protected health information (PHI) on over 9,000 people. Tiversa, a company that provides peer-to-peer (P2P) intelligence and security services, supposedly found the file on a P2P network. Tiversa provided the file to the FTC after it had informed LabMD that it found the file. Tiversa offered remediation services to help LabMD prevent future security issues. LabMD refused to contract with Tiversa.
Lawsuits ensued and the case went to court. After several twists and turns, the court proceedings were stayed because of an OGR inquiry into the relationship between Tiversa and the FTC. In an additional twist concerning the investigation of Tiversa, a former employee of Tiversa, Richard Wallace, scheduled to testify in the case, refused unless he received immunity from prosecution. We wrote about this case in the June 2014 issue of G2 Compliance Advisor. Eventually, Wallace got his immunity and the trial is scheduled to resume on March 3.
The OGR Report The main concerns for the OGR in the Dec. 1, 2014 report are the differences in the details of important information provided by Tiversa to the FTC and the OGR, such as the dates files were first retrieved, the IP addresses on which the LabMD file (known as the 1718 file) was found, and similar information. According to the report:

• Tiversa provided only “summary information” in response to a broad subpoena served by the FTC about its knowledge of the source and spread of the LabMD file containing the PHI.
• Tiversa withheld documents from the FTC it should have provided as a response to a September 2013 subpoena and these documents contradict Tiversa CEO Robert Boback’s account to the FTC.
• A forensic report created in June 2014 is the only report provided to the OGR that substantiates Boback’s claims.
• “Tiversa did not make a full and complete production of documents to this Committee. It is likely that Tiversa withheld additional documents from both this Committee and the FTC.”

Issa closed the letter to Ramirez with this comment: “In the Committee's estimation, the FTC should no longer consider Tiversa to be a cooperating witness. Should the FTC request any further documents from Tiversa, the Commission should take all possible steps to ensure that Tiversa does not withhold additional documents relevant to the proceeding.”   Analysis and Comment The underlying issue in this case, at the start, was whether the FTC has the authority under Section 5: Unfair or Deceptive Acts or Practices, to investigate and enforce security breach cases. For this reason alone, it is being closely watched by a number of companies, legal firms, and others. As reported previously, the enforcement actions taken by the FTC in these cases can be quite onerous.
If the FTC wins, laboratories and other health care companies which experience a breach face a sort of double jeopardy because they can be punished by the government agencies enforcing the Health Insurance Portability and Accountability Act violations as well as the FTC. Additionally, as previously reported, the FTC has given little data security guidance for providers to follow.
There may be other unanticipated legal consequences resulting from testimony yet to be received in the case, as well as the report of the investigation conducted by Issa’s committee. What happens to other FTC cases that have been based on information provided by Tiversa? The report calls Tiversa credibility into question in the LabMD case; so can it be relied on in other cases? Finally, is there any culpability for the FTC because it did not question information Tiversa provided even in the face of somewhat obvious problems with the information? Takeaway: As part of its security audits and reviews, laboratories and other companies should include a review of any public promise to protect consumer information and make sure the company is doing everything it says to protect such information.