by Tim Cushing


Court Stays FTC's LabMD Injunction; No Deterrent In Punishing A Company It Helped Kill

from the killing-a-horse-just-to-beat-it dept

Despite turning LabMD into a stone -- based on some suspect data breach allegations by a data protection company engaged in shady sales tactics -- the FTC is still seeking to extract as much blood as possible. Thanks to the FTC's ongoing efforts against LabMD, the company has been closed, has less than $5000 to its name, and is fighting back against the commission with pro bono help.

The FTC wants to punish LabMD for a patient file that ended up on file sharing services thanks to an employee's use of Limewire at work. (The file was in a folder [My Documents] that ended up being "shared" by Limewire's default settings.) Tiversa, a company that prowled file sharing services for sensitive documents in hopes of leveraging these into data security contracts, took this info to the FTC when LabMD refused to purchase its offerings.

Since that point, the FTC has bankrupted LabMD by forcing it to defend itself against a supposed breach that never resulted in the misuse of patient data. Tiversa has seen its own fortunes diminish, culminating in an FBI raid of its offices in March of this year.

The FTC overturned an Administrative Law Judge's (ALJ) decision in July, giving itself permission to restore its charges against LabMD for the breach -- ones the ALJ had dismissed. The FTC claims LabMD "left" the mistakenly-shared file out somewhere in the internet, as if the company actually had any way to "retrieve" it once it had been uploaded.

Seemingly unconcerned that LabMD is now a defunct company, the FTC still wants it to implement a series of expensive steps to ensure the data it won't be collecting in the future is better protected.

Having found that LabMD violated the FTC Act, the Commission’s Final Order will ensure that LabMD reasonably protects the security and confidentiality of the personal consumer information in its possession by requiring LabMD to establish a comprehensive information security program. It also requires LabMD to obtain periodic independent, third-party assessments regarding the implementation of the information security program, and to notify those consumers whose personal information was exposed on the P2P network about the unauthorized disclosure of their personal information and about how they can protect themselves from identity theft or related harms.

LabMD has asked for a stay of this injunction pending its appeal. That stay has been granted by the Eleventh Circuit Appeals Court. (via the Office of Inadequate Security)

The appeals court points out [PDF] several things about the stay the FTC is contesting, not the least of which is the company's inability to actually follow the injunction if granted, much less have any reason to do so, given its current situation.

The costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation. [...] The costs associated with these measures are hotly debated by the parties. LabMD says the costs will exceed $250,000. The FTC does not offer its own estimate, but disputes the $250,000 figure. Regardless, it is clear that the postage for the notice requirements alone would be more than $4,000. Certainly the costs of all the other measures would add to that amount.

LabMD is no longer an operational business. It has no personnel and no revenue. It now has less than $5,000 cash on hand. It reported a loss of $310,243 last fiscal year, and has a pending $1 million judgment against it on account of its early termination of its lease. LabMD cannot even afford legal representation, and is relying on pro bono services for this appeal.

Given the company's financial ruin, the injunction would serve no possible deterrent purpose. There's nothing left to destroy and, unfortunately, nothing to be gained by LabMD, even if it ultimately prevails.

Ordinary compliance costs are typically insufficient to render harm irreparable. But given LabMD’s bleak outlook, the costs of compliance pending appeal would constitute an irreparable harm. This is especially so because if LabMD is ultimately successful on appeal, the costs would not be recoverable in light of the FTC’s sovereign immunity.

Furthermore, the court feels there's absolutely no risk of further exposure of patients' data, even with the file still supposedly in the wild. The company has its own copy, residing on a computer that is never connected to the internet. If a customer requests data, LabMD hooks it up to a printer and mails or faxes them a hard copy.

As for the FTC's claim that a file that has been in the wild since 2005 would result in future breaches of patient confidentiality, the court is rather skeptical.

For those patients whose personal information was in the 1718 file, there is no evidence of a current risk to them. Specifically, there is no evidence that any consumer ever suffered any tangible harm, or that anyone other than Tiversa, LabMD, or the FTC has seen the 1718 file. Although the FTC’s Order denying LabMD’s stay application says there remains a potential risk of harm to consumers whose information was in this file, we think it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious reasons before this appeal terminates.

Finally, the court has a few choice words for the FTC's dictionary attack -- used to shore up its weak claims of future harm from the escaped file.

[I]t is not clear that the FTC reasonably interpreted “likely to cause” as that term is used in § 45(n). The FTC held that “likely to cause” does not mean “probable.” Instead, it interpreted “likely to cause” to mean “significant risk,” explaining that “a practice may be unfair if the magnitude of the potential injury is large, even if likelihood of the injury occurring is low.” The FTC looked to different dictionaries and found different definitions of “likely.” It is through this approach that it argues its construction is correct, considering the statute’s context as a whole.

Even respecting this process, our reading of the same dictionaries leads us to a different result. The FTC looked to dictionary definitions that say “likely” means “probable” or “reasonably expected.” Reliance on these dictionaries can reasonably allow the FTC to reject the meaning of “likely” advocated by LabMD, that is, a “high probability of occurring.” However, we read both “probable” and “reasonably expected,” to require a higher threshold than that set by the FTC. In other words, we do not read the word “likely” to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.

The sick thing is that even if LabMD ultimately prevails, it won't matter. It cannot recover any of its expenses, and the company has been gutted by its fight against the FTC. That the whole situation appears to have stemmed from a data protection company's shady sales pitch is even worse. Tiversa not only was uncooperative during the FTC's investigation of LabMD, but it has also drawn the attention of the House Oversight Committee, which was unimpressed by Tiversa's tactics both before and after the FTC's investigation of LabMD.


Reader Comments

  • Dan (profile), 14 Nov 2016 @ 6:15am

    Supposed breach?

    A "supposed breach"? No, that's an actual data breach--the data left their control without their knowledge or permission. And it left in a particularly stupid manner, too. It does sound like the FTC's overreaching (and greatly so), but don't minimize the degree of LabMD's fail here.


    • LabMD, 14 Nov 2016 @ 3:33pm

      Re: Supposed breach?

      You have no clue what you are talking about. And it's pretty scary that you think patient cancer care is less important than a 2008 data vulnerability that didn't expose the network nor a single patient to harm. The FTC knows all this...they just rely on people like you to fool everyone. Believe me, the FTC used the entire weight of the federal government to try to find one. They're such zealots they didn't, but better punish a company than quit. Good luck with your expectation of perfection in medicine.


  • Anonymous Coward, 14 Nov 2016 @ 7:12am

    Sorry TD...

    No win on this one.

    For once the FTC is doing its job. I work in IT, it sucks to see people lose their jobs, but at least we can make an example here.

    Take patient privacy seriously or die in the fallout! Hope the company sues the nut fucking glory hole that installed lime-wire on the corporate network in an uncontrolled fashion!

    If a company takes security seriously, then you will only allow white-list applications to run.


    • Anonymous Coward, 14 Nov 2016 @ 7:24am

      Re: Sorry TD...

      Yeah. Everyone here is pretty much sucking all-round, but this was a (presumably) HIPAA machine that was connected directly to the public internet, with admin rights given to someone so ill-trained as to have installed LimeWire on it.
      Game over, right there.


      • LabMD, 14 Nov 2016 @ 3:37pm

        Re: Re: Sorry TD...

        Limewire wasn't installed by LabMD. It was 2008. There was no HIPAA violation per HHS. Fact people. Please. FACTS.


    • Wyrm (profile), 14 Nov 2016 @ 9:20am

      Re: Sorry TD...

      You fail to get the point in the article.

      LabMD is already dead. This lack of security was a large mistake and they deserved a penalty for it. It has to be made clear that personal information, medical one at that, has to be taken seriously.

      But this is another matter: it's about adding a possibly large expense to comply with an injunction that's basically irrelevant. The company is bankrupt, business is off, data collection is over. What point is there now to tell them to better protect the data they will not collect?


      • LabMD, 14 Nov 2016 @ 3:39pm

        Re: Re: Sorry TD...

        Cough...hack...cough....you can't possibly work in medicine. You don't get what's going on right under your nose, do you? The FTC is incompetent. They were working with hackers not knowing they were hackers and when they covered it up and then I wrote a book about it they went on an attack mission. Hard to believe I bet. Shocker. Yeah...they rely on that. Please get the facts first.


    • LabMD, 14 Nov 2016 @ 3:36pm

      Re: Sorry TD...

      The FTC relied on a crook who was making up metadata to extort companies and even Obama. Had they verified evidence they wouldn't have gone after 85 companies with such vicious lust...they'd have gone after the hacker that became their best friend and partner in crime. Believe me, they weren't doing their job.


  • Anonymous Coward, 14 Nov 2016 @ 7:37am

    Why is LabMD appealing?

    Based on the pieces quoted in the Techdirt article, even if LabMD prevails on every count, they are still ruined and have no realistic hope of restarting their business or recovering any of the money they have spent to date. What do they hope to gain if they win? If the FTC ultimately loses all the appeals, it will just shrug and move on. I don't see how winning on the merits is worth anyone's time arguing the case. Since their counsel is working pro bono on this, the only basis I can see is that their counsel has enough free time and motivation that he/she/they want to beat the FTC just to get a line on their CV. That seems pretty thin to me.


    • LabMD, 14 Nov 2016 @ 6:20pm

      Re: Why is LabMD appealing?

      LabMD is appealing because of the corruption and violation of the constitution by the FTC. The law firm that is defending LabMD realizes that if LabMD loses, that means every company in the country is in violation of the FTC act if they have vulnerable data but no victim and no tangible harm. That level of punishment, and calling that a violation, is against the law and outside the FTC's power. But the FTC bullies most into settling before one can get to court so they never get smacked down....until now.


      • Justin Shafer, 16 Dec 2016 @ 2:54pm

        Re: Re: Why is LabMD appealing?

        Anyone sharing medical data deserves a large fine. When a file is shared, there may never be logs, as in this case. You NEVER REALLY know who downloaded it, in some scenarios.

        I am glad to see the FTC take them to task.


  • Oninoshiko (profile), 14 Nov 2016 @ 9:00am

    I'm glad LabMD is closed.

    Any company that would have such poor HIPAA compliance that they would let patient data out on Limewire should be closed.

    That said, there is no point in continuing to go after them. Figure out how to move the data their clients need to another company, purge everything this company has, and move on.


    • Anonymous Coward, 14 Nov 2016 @ 10:02am

      Re: I'm glad LabMD is closed.

      If you applied the same logic to every government body that has leaked or had data stolen, you would want every computer-using agency closed by the end of the day. Leaks happen daily all over the place. They are selectively enforcing punishments and ignoring reality (like this company no longer existing and not needing to pay for future changes or actions to prevent it from happening again).


    • LabMD, 14 Nov 2016 @ 3:41pm

      Re: I'm glad LabMD is closed.

      700000 cancer patients have their lab closed. Are you buyers no the drinks? And before you say something so cruel, please research the facts. Maybe google the congressional report. I don't know...maybe think!


      • Justin Shafer, 17 Dec 2016 @ 8:09am

        Re: Re: I'm glad LabMD is closed.

        Use another cancer lab that takes data security more seriously, and doesn't mind notifying patients of possible harm, regardless if it was 2008 or HIPAA.

        Done and Done.. We don't need cancer labs like that.


  • Aaron Walkhouse (profile), 14 Nov 2016 @ 10:13am

    Here's another point that's been missed or ignored:

    There's no record or even allegation that anybody [other than
    this anti-P2P extortion/lobbying firm] ever downloaded or even
    knew the file existed at all.

    They did intensive scans of P2P networks, so intensive that
    they literally found everyone who had a PDF or any other
    document file; except savvy users who had any blocklist.

    Odds are very high they found it first, and in attempting to
    extort LabMD caused it to be taken offline before anyone else
    had a chance to even find it. That's their "business model". ;]


    • LabMD, 14 Nov 2016 @ 3:40pm

      Re: Here's another point that's been missed or ignored:

      Thank you!


    • Oninoshiko (profile), 14 Nov 2016 @ 5:55pm

      Re: Here's another point that's been missed or ignored:

      That it wasn't downloaded isn't relevant. That it was available for download is.

      The fact that the (shady!) "security firm" downloaded it means it was downloaded by at least one person who wasn't supposed to have it.


      • LabMD, 14 Nov 2016 @ 6:16pm

        Re: Re: Here's another point that's been missed or ignored:

        In 2008! Define download! Steal...take...hack...are you kidding? So every firm with a vulnerability is violating the act? Really? I guess you just jump to the verdict and not waste time with the trial. What exactly do you do professionally? It can't be compliance or management.


        • Justin Shafer, 17 Dec 2016 @ 8:45am

          Re: Re: Re: Here's another point that's been missed or ignored:

          Only a helpless idiot would ask others to define "download" after putting that many people at risk. LabMD shared the file over Limewire; they should be thankful it wasn't found in more places than it already had been.


  • Anonymous Coward, 14 Nov 2016 @ 12:29pm

    shouldnt Tiversa have been brought up on blackmail charges? buy our services or we talk? then when that is done, go for the violation of 18 us 1030 a1 sorry, a4 and i am curious, my word against yours but if the govt didnt see this 'breach' then it is hearsay and Tiversa must have hacked in!


  • LabMD, 14 Nov 2016 @ 3:29pm

    Ready...Aim...Fire

    This was 2008...LabMD did not install nor authorize the use of Limewire. You have no clue what you're talking about, playing a very incomplete story, but let me ask you this. Should a medical facility be closed because of a data vulnerability, because it wasn't a legal breach and HHS said there was no HIPAA violation...so what say you, genius?


    • Justin Shafer, 17 Dec 2016 @ 8:52am

      Re: Ready...Aim...Fire

      An employee at LabMD.. a female.. installed Limewire without permission.

      According to the book, Devil in the Beltway... Shit happens. I don't feel sorry for LabMD, not one bit.

