By: Patrick Massari
After nearly one year, the Federal Trade Commission’s (FTC) enforcement action against LabMD, Inc., a cancer detection company, resumed (In re: LabMD, Inc., No. 9357). After much anticipation, LabMD called to the stand Richard Wallace, a former employee turned whistleblower of Tiversa, Inc. (the company that provided the primary evidence relied upon by the FTC in bringing this enforcement action). According to LabMD’s attorney Reed Rubinstein, Wallace’s testimony confirmed that “the FTC action was based on manufactured evidence.”
Specifically, the FTC’s case has hinged on whether a LabMD file with confidential patient information was located on a publicly available network. Wallace testified in open court that although Tiversa told FTC that it located the file at various IP addresses, this simply was not true. To the contrary, Wallace said that Tiversa sought to “monetize” a business model where it would fabricate IP addresses where confidential information was available. According to Wallace, Tiversa would then contact the “offending” company with a proposal to pay money to Tiversa to remediate the cybersecurity threat, or face prosecution from the FTC for violating federal laws regarding data security practices. When LabMD refused to pay Tiversa, Tiversa’s CEO Robert Boback “basically said F him, make sure he’s at the top of the list.” According to Wallace, the list (given to FTC) identified companies that refused to hire Tiversa, but for which Tiversa fabricated IP addresses with confidential information.
With regard to the primary exhibit upon which FTC’s case rests, Walllace confirmed the Judge’s insightful observation that “[Exhibit] CX 19, these four IP addresses were created by you and they’re actually for all practical purposes they’re fake as far as the aging file was not found on these [four] IP addresses…” Wallace added: “…the actual files that were doctored up were never provided to LabMD. They just — I just had to put them in the data store so they would look real.” Despite the opportunity, FTC chose not to question Wallace at this time.
This testimony supports the assertion that FTC never fulfilled its obligation to confirm the key information upon which it relied to bring this enforcement action, which, for all practical purposes, has ended LabMD’s business. Indeed, it confirms what LabMD has argued in motions and publicly since September 2013: that FTC’s case against LabMD is based upon a crime – the theft of LabMD’s confidential medical files – and a lie – Tiversa misled Congress, FTC, and LabMD in misrepresenting that the file was available on other IP addresses.
At this time, the parties await FTC’s decision on whether it intends to present more testimony in light of LabMD’s case, and Wallace’s testimony.