Data Security Law Blog

The Tale of LabMD: New lawsuits charge ethics violations and fake data breaches

The LabMD data security case is anything but dull.  It involves an 8-year (and counting) fight with the U.S. Federal Trade Commission, a U.S. House of Representatives Oversight and Government Reform Committee investigation into allegations of government overreach and collusion, a key witness granted governmental immunity, and multiple related civil lawsuits scattered around the country.

And last week, LabMD – the target of an FTC data security enforcement action – sued a prominent former federal prosecutor over charges of ethics violations and unsealed its False Claims Act lawsuit against a cybersecurity firm, accusing it of falsifying data breaches as a way of landing new business.

Over the weekend, LabMD filed a federal lawsuit against the former U.S. Attorney for the Western District of Pennsylvania for alleged violations of the Ethics in Government Act.  The 27-page complaint, filed in Manhattan, accuses Mary Beth Buchanan, now in private practice, of participating in the LabMD enforcement action as counsel to a whistleblower, Richard E. Wallace, even though – the complaint charges – she participated “personally and substantially” in the case while serving as U.S. Attorney.

The complaint alleges that, while the top federal prosecutor in Pittsburgh, Buchanan authorized the FBI “to install a dedicated DSL line in Wallace’s home office … to access and use FBI proprietary surveillance software and equipment to search and seize evidence from the computers of child pornographers.”  LabMD claims that “Wallace used the FBI surveillance software … authorized by Buchanan …. to search for, access and download from a LabMD billing computer … a 1,718-page LabMD file containing confidential health information.”  That file is the basis of the FTC’s data security enforcement action against LabMD.  Wallace was then the director of special operations for Tiversa Inc., a cybersecurity forensics firm.

The LabMD complaint further alleges that Buchanan was eventually retained by Wallace to represent him in the FTC action and that the former U.S. Attorney and her firm “direct[ed] Wallace not to testify about his prior work with Buchanan, and in particular, not to disclose his use of the FBI surveillance software and equipment authorized by Buchanan to hack into and take from a computer … a [LabMD] file containing confidential information on over 9,000 patients.”

The Ethics in Government Act – passed after the Watergate scandal – places restrictions on former government officials and either prohibits or restricts their participation in matters in which they were involved while in the government.

The LabMD case dates back to 2010 when the Commission began investigating the Atlanta-based cancer detection lab’s data security practices.  After years of back-and-forth, an administrative law judge eventually tossed out the FTC’s case.  The Commission reversed and reinstated the case.  LabMD appealed to the U.S. Court of Appeals for the Eleventh Circuit.  The matter was argued last year and a decision is expected soon.  We have covered the LabMD case extensively on this blog.

Earlier last week, LabMD’s False Claims Act lawsuit against cybersecurity firm Tiversa was unsealed in New York federal court.  The complaint accuses Tiversa of faking data breaches to lure in new clients including the U.S. government.  Tiversa engaged in a scheme to defraud the United States Government out of “millions of dollars” by “fabricat[ing]” cybersecurity breaches in order to obtain lucrative federal contracts, according to the suit.

The complaint alleges that Tiversa searched “peer-to-peer” computer networks to locate and seize sensitive information from the federal government and used that information to falsely represent that there was a security breach when, in fact, it was easily remedied by removing the software from the infected computer.  To incite urgency, Tiversa allegedly identified IP addresses of known criminals or locations where it would be perceived as problematic for the information to be found, and falsely claimed that it had found copies of the identified files at those addresses as well.  According to the complaint, once Tiversa successfully induced the government entity into a contract, it continued to falsify alarming breaches in order to maintain the business relationship.

LabMD further contends that Tiversa employed the scheme on “public and private entities” nationwide, including the Department of Homeland Security, the Department of Defense and the Department of Education, to name only a few.

“It is a classic protection racket, updated for the digital age,” charges LabMD.

As always, we’ll continue to report on the LabMD case.