Back in July, I reported that LabMD had unsuccessfully attempted to sue Tiversa in Georgia for allegedly stealing its property. At issue was a file containing PHI on 1,718 patients that Tiversa had downloaded as part of a research project after the file was exposed via P2P software on LabMD’s system. In its 2009 press release on its research, Tiversa did not name LabMD, but the matter eventually came to the FTC’s attention, who opened an investigation and took LabMD to court when it failed to fully comply with an investigative demand. LabMD was ordered to comply, and in August, the FTC sued LabMD for failure to adequately protect consumer information. LabMD responded forcefully to the complaint in a press statement, alluding to Tiversa as “Internet trolls.” In other statements, they’ve described Tiversa in other unflattering terms.
Now it seems that Tiversa is suing LabMD. Erin McAuley reports:
A cyber-intelligence company and its CEO sued the author of the book “The Devil Inside the Beltway,” claiming it falsely accused them of assisting “abusive government shakedowns” through “government-funded data mining & surveillance.”
Tiversa Holding Corp. and its co-founder and CEO Robert Boback sued LabMD Inc. and its CEO/author Michael J. Daugherty, in Federal Court.
Daugherty’s book is slated for publication on Sept. 17, by (nonparty) Broadland Press. Advance material published on the Internet identifies Daugherty as the CEO of LabMD.
Boback and Tiversa claim the book defames them: “In his video ‘trailer’ for the book, available on Mr. Daugherty’s personal website, Mr. Daugherty highlights his position as LabMD’s president and CEO and Mr. Daugherty alleges that Tiversa is part of a ‘Government Funded Data Mining & Surveillance’ scheme that engages in ‘Psychological Warfare’ and helps to assist in ‘Abusive Government Shakedown[s].’ See www.michaeljdaugherty.com. More specifically, Mr. Daugherty alleges Tiversa is conducting ‘300 Million Searches per day’ for ‘Homeland Security’ and the ‘Federal Trade Commission.’
Read more on Courthouse News.
Seemingly lost in most of the legal wrangling is the fact that it seems that no one whose data were in the “1718 file” were notified of the P2P exposure under HIPAA because LabMD took the position that no breach (as defined by HIPAA in 2008) had occurred.
So is HHS investigating this at all? HHS has not yet responded to an email sent by PHIprivacy.net inquiring as to whether HHS had ever opened (or concluded) an investigation of this incident. This post will be updated when I receive a reply.
Update: An HHS spokesperson responded to my inquiry with the following statement:
OCR decided not to join FTC in their investigation of these p2p sharings and we did not independently receive complaints. As you note, this was pre-HITECH, so there was and is no obligation on LabMD with respect to our breach notification requirements — whether any exist under state law would be for the state to determine.