A former Tiversa investigator says the company faked data breach findings on LabMD and other companies.
A former Tiversa investigator says the company faked data breach findings on LabMD and other companies.

What started as LabMD questioning the authority of the Federal Trade Commission (FTC) and Rep. Darrell Issa, R-Calif., saying that security company Tiversa deliberately manipulated information to provoke FTC action against the cancer testing center, has now erupted in accusations from a former Tiversa employee that the company routinely faked data breaches to solicit other companies to pay for its services.

For years, LabMD has been locked in a court battle over an FTC claim, and likely enforcement action, that eventually caused the Atlanta-based company to shutter its operations.

In 2009, the FTC began investigating the breach of about 9,000 LabMD customers, where names, Social Security numbers, dates of birth and personal health insurance information were allegedly exposed on publicly accessible peer-to-peer (P2P) file-sharing networks.

Despite push back from LabMD, the FTC filed a complaint against the company in late October of 2013. Additionally, a court ordered on March 10, 2014, that the company could not inquire into FTC's legal standards, used in the past, or currently, for determining whether an organization's data security practices are deemed to be “unfair” (under Section 5 of the Federal Trade Commission Act, PDF). LabMD won a small victory in May 2014 when an administrative law judge backed LabMD's argument that the FTC should testify as to the data security standards to which it intends to hold LabMD.

With accusations flying that the information on the breach provided by Tiversa was suspect, by June, a congressional committee had called the information into question in a letter to the FTC penned by Darrell Issa, the chairman the House Committee on Oversight and Government Reform. Issa's letter (PDF) noted the committee was concerned that Tiversa's “inaccurate” findings may have “played a role in the FTC's decision to initiate enforcement actions against LabMD.”

In its letter, the House committee also said it had “substantial concerns” about the relationship between the FTC and Pittsburgh-based Tiversa, a peer-to-peer intelligence provider. Issa even went as far as to say that Tiversa may have manipulated information pertaining to the LabMD breach.