Cyberextortion by US gov, or simple P2P security lapse by medical firm?
The ongoing data leak saga between medical firm LabMD and “The Man,” in the form of the Federal Trade Commission (FTC) of the United States, has entered its next stage.
This is a curious story that would be amusing were its import not so serious.
If everyone who has contributed to the story is to be believed, it unfolded over a five year period, and goes something like this (remember, this is not necessarily what happened, but what has been variously alleged):
- In 2008, Tiversa, a “Peer to Peer (P2P) intelligence services” company out of Pittsburg, Pennsylvania, finds a stash of Personally Identifiable Information (PII) from over 9000 patients of LabMD. Apparently, a 1,718-page spreadsheet of health insurance billing information was accessible via a P2P file sharing network.
- LabMD, out of Atlanta, Georgia, declines to deal with Tiversa’s complaint, on the grounds that Tiversa is using the data in its possession to shill LabMD into inking a deal for security consultancy.
- In 2009, Tiversa decides to hand over the data to the authorities.
- The FTC gets involved in 2010, asking LabMD to provide documents so it can review the case.
- LabMD digs its heels in, refusing to agree to a so-called consent decree imposing to a security audit every two years for the next 20 years.
- In 2011, the FTC begins a formal investigation.
- LabMD files a petition to squash the investigation, on the grounds that Tiversa is an unobjective witness.
- The FTC disagrees, though not without one dissenting opinion stating that “the commission should avoid even the appearance of bias or impropriety by not relying on [Tiversa’s] evidence or information in this investigation.”
- On 29 August 2013, the FTC files a formal complaint against LabMD, for “failing to protect consumers’ privacy.”
- On 17 September 2013 (which, of course, is the one part of the story that hasn’t actually happened yet), Michael J. Daugherty, the CEO of LabMD, will publish a book about the saga so far, The Devil Inside the Beltway [*].
Daugherty’s doughtily-named book claims to document “a government power grab and intimidation that if not for the fact that it is all real, would make for an a brilliant novel.”
The book’s marketing material says that what “began with medical files taken without authorization from a laboratory, turned into a government supported extortion attempt,” and vows “to ensure that this does not happen to any other American.”
I’m going to sit on the fence here, and decline to take sides (I’ll leave that to you, our readers, in the comments below).
Instead, I’ll just point out that there is one thing that doesn’t seem to be in doubt: the fact that the offending data was, indeed, grabbable via P2P, five long years ago.
And, as the FTC very plainly points out in its latest communication on this issue:
P2P software is commonly used to share music, videos, and other materials with other users of compatible software. The software allows users to choose files to make available to others, but also creates a significant security risk that files with sensitive data will be inadvertently shared. Once a file has been made available on a P2P network and downloaded by another user, it can be shared by that user across the network even if the original source of the file is no longer connected.
How serious, then, can it possibly be that this data “got out” back in 2008?
How long does the risk last after a data leak?
Well, according to the FTC:
[I]n 2012 the Police Department [in Sacramento, California,] found LabMD documents in the possession of identity thieves. These documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers. The complaint alleges that a number of these Social Security numbers are being or have been used by more than one person with different names, which may be an indicator of identity theft.
Rather a long time, apparently.
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8WNatsr9S-0/