'Extortionist' cybersecurity firm headed back to court • The Register

LabMD gets another shot at defamation claim against 'extortionate' infosec biz
But keep your attorney on a 'short leash' against Tiversa, court warns
Jessica Lyons Hardcastle Thu 1 Sep 2022 // 03:49 UTC

LabMD, the embattled and now defunct cancer-testing company, will get another chance at suing security firm Tiversa for defamation following an appeals court ruling.

The testing laboratory has long alleged that: Tiversa illegally obtained a 1,178-page computer file containing confidential data on more than 9,000 LabMD patients back in 2008; lied about the file being publicly available on a peer-to-peer file-sharing network and that it was downloaded by miscreants; and tried to use this alleged privacy fiasco to bully the medical company into paying for Tiversa's incident response services to the tune of $475 an hour.

Tiversa has since been acquired by risk consulting biz Kroll.

According to LabMD, it declined to hire Tiversa after it could find no evidence of a leak. And in response, the cybersecurity shop retaliated against LabMD, the medical company claimed.


First, Tiversa handed over the 1,718-page computer file to a former director of the Center for Digital Strategies at Dartmouth College who subsequently published critical research titled "Data Hemorrhages in the Health-Care Sector," LabMD claimed. This paper did not name LabMD but included a redacted version of the file.

Additionally, Tiversa provided this patient data to America's consumer watchdog, the FTC, claiming it found the massive file on a public peer-to-peer network, and that crooks were still downloading the sensitive data from that network.

This spawned a legal complaint against LabMD by the FTC, which the testing firm said cost it "virtually all of its patients, referral sources, and workforce" and forced it out of business in 2014.

Tiversa whistleblower steps up
Later, a Tiversa whistleblower claimed he actually downloaded the file from one of LabMD's servers, and fabricated evidence that the data had been shared by criminals on a public peer-to-peer network. This set off a congressional-level investigation into Tiversa, which found the security company "often acted unethically and sometimes unlawfully..." The probe also revealed close links between the FTC and Tiversa.

With that out in the open, LabMD successfully contested and overturned the punishment handed down against it earlier by the FTC. But according to appeal court documents, "although it was awarded attorneys' fees from the government in the amount of almost $850,000, that was too little too late. LabMD's business was destroyed."

LabMD next filed a lawsuit in Georgia against Tiversa, alleging it violated America's Computer Fraud and Abuse Act and Georgia's computer crimes statute, along with other allegations related to the patient data. A judge dismissed those claims.

A second LabMD lawsuit against Tiversa, filed in Pennsylvania, alleged defamation, negligent misrepresentation, fraud, and other charges, and claimed the security shop violated the Racketeer Influenced and Corrupt Organizations (RICO) Act.

These claims were also tossed out. The district court judge had, notably, blocked expert testimony supporting LabMD's claims that Tiversa illegally accessed or obtained its file containing patient data, on the basis the testimony wouldn't be needed. It would appear the district judge decided the expert testimony would only be needed if LabMD's claims survived Tiversa's early motion to dismiss the case, and then approved the motion, thus throwing out the case.

The judge also sanctioned LabMD due to the "irrelevant" questions its attorney James Hawkins asked Joel Adams, chairman of Tiversa's board, during a deposition. This, according to the appeals court, included asking:

If there was something secretive about [Adams's] children, strengths and weaknesses of a certain employee, the workplace culture at Tiversa, leadership styles, guns in the workplace, an AIDS clinic in Chicago, Edward Snowden…

And so on. Hawkins is said to have continued this kind of "irrelevant" questioning in further depositions of witnesses, which Tiversa complained about, leading to the aforementioned sanctions. The district judge then held LabMD in contempt when it said it was unable to pay up.

From what we can tell, at least some of Hawkins' questions stemmed from criticisms raised [PDF] by the aforementioned congressional report.

This week, 3rd US Circuit Court of Appeals judges unanimously [PDF] sent the defamation claims back to the district court to reconsider, saying the lower court was wrong to issue a summary judgment against LabMD primarily because the "prohibition on expert testimony was unwarranted."

The appeals court judges, as part of their assessment of this whole saga, noted the whistleblower's claims that Tiversa "had essentially made an extortionate business model out of accessing a company’s files, fabricating evidence of the files spreading across a network, using the false impression of a leak to sell data security remediation services to the company, and reporting the company to the FTC."

Attorneys for LabMD and Kroll could not be reached for comment.

The lower court's dismissal of the RICO claims, as well as tortious interference with business relations, fraud, and negligent misrepresentation will stand, though. The appeals court also ruled the sanctions and contempt finding weren't necessary despite LabMD's lawyer's odd line of questioning. The appeal judges did, however, issue a warning: