Dune Lawrence for Bloomberg Businessweek:
That Tuesday, LabMD’s general manager came in to tell Daugherty about a call he’d just fielded from a man named Robert Boback. Boback claimed to have gotten hold of a file full of LabMD patient information. This was scary for a medical business that had to comply with federal rules on privacy, enshrined in the Health Insurance Portability and Accountability Act. I need proof, Daugherty told his deputy. Get it in writing.
Boback e-mailed the document. It was a LabMD billing report containing data, including Social Security numbers, on more than 9,000 patients. Boback quickly got to the sales pitch: His company, Tiversa, offered an investigative service that could identify the source and severity of the breach that had exposed this data and stop any further spread of sensitive information.
LabMD’s four-person IT team found the problem almost immediately: The manager of the billing department had been using LimeWire file-sharing software to download music. Without knowing it, she’d left her documents folder, which contained the insurance report now in Tiversa’s possession, open for sharing with other users of the peer-to-peer network.