LabMD, owned by Michael Daugherty, was an Atlanta-based company that tested blood, urine and tissue samples for urologists. In May of 2008 they were approached by a cybersecurity company called Tiversa who stated they had gotten hold of a list of LabMD’s patient list including full contact information and social security numbers. They e-mailed the file to Michael Daugherty along with a sales pitch: Hire us, and we can determine how this breach actually happened and put preventative measures in place to secure your network. In the meantime, LabMD’s IT department found the source of the leak – one employee in the billing department had LimeWire installed on their PC, and without knowing it, had left her documents folder open for sharing on other peer-to-peer networks.
Sensing an extortion attempt, Michael Daugherty refused to deal with Tiversa. Tiversa continued with a series of warnings and implied threats including a plea to hire them before the FTC “finds out”. These attempts were ignored by Daugherty. Eventually (you guessed it), the FTC got involved and began legal proceedings against LabMD.
Eventually Daugherty shut down LabMD due to the crushing legal costs fighting the FTC. But here’s where it gets interesting. Tiversa is now being investigated by the FBI for falsifying information, including providing fake documents to the FTC showing that leaked data had spread across the internet when in fact it had not. It appears that the only hackers involved with the companies they reported to the FTC were Tiversa themselves.
Last March Tiversa’s offices where raided by the FBI. It’s CEO has been put on leave. The investigation is ongoing.
All companies, large and small, should ensure they have basic security measures in place to protect themselves against cyber-criminals and from the legal difficulties that can result from a breach. But they also must take care to work with competent and reputable IT companies that can be trusted with their network security.