Ex-US Attorney, Bryan Cave Accused of Cover-Up in Legal Fallout From 2008 LabMD Hack
LabMD, a medical testing company mired in legal battles, alleges that Mary Beth Buchanan and Bryan Cave Leighton Paisner concealed key information in an FTC consumer protection case.
May 09, 2018 at 04:46 PM
6 minute read
Mary Beth Buchanan, former U.S. attorney for the Western District of Pennsylvania and former Bryan Cave partner. |
Former federal prosecutor Mary Beth Buchanan and her most recent law firm, Bryan Cave Leighton Paisner, face allegations that they covered up a whistleblower client's use of “FBI surveillance software” to hack private patient data stored by LabMD Inc., a beleaguered medical testing company.
A lawsuit filed April 28 in Manhattan federal court accuses Buchanan, a former U.S. attorney in Pittsburgh, of violating the Ethics in Government Act and allegedly hiding that violation by advising a whistleblower client, Richard Wallace, to give incomplete testimony in a Federal Trade Commission enforcement action against LabMD.
Before it began winding down operations in 2014 amid an FTC case related to a 2008 data breach, LabMD, based in Atlanta, was a medical testing laboratory that provided cancer diagnoses for urologists. LabMD and its founder, Michael Daugherty, represented by Alpharetta, Georgia-based lawyer James Hawkins, lodged the late April suit against Buchanan and Bryan Cave.
According to the complaint, Buchanan worked as a federal prosecutor between 2001 and 2009. During that time, she worked in conjunction with Wallace, a former forensic analyst at Tiversa Inc., which marketed itself as a cybersecurity business. The suit alleges that in 2007, Buchanan authorized Tiversa to use proprietary FBI surveillance software programs in connection with a federal child pornography investigation.
LabMD alleges that Wallace, while still a Tiversa employee, then used the same surveillance software in 2008 to access company files that contained personal health information on LabMD's test subjects. Wallace's hack, according to the suit, started a chain of events that led to the FTC investigation of LabMD over the data breach.
“Buchanan and BCLP kept Buchanan's [ethics] violation secret by directing Wallace not to testify about his prior work with Buchanan and, in particular, not to disclose his use of the FBI surveillance software and equipment authorized by Buchanan to hack into and take from a computer at a cancer detection laboratory in Atlanta, Georgia, a file containing confidential information on over 9,000 patients,” the complaint said.
The suit referred to Buchanan as a partner at Bryan Cave, which she joined in 2013, according to a statement at that time. As of Wednesday, however, Buchanan was not listed on the firm's website and the firm said in a statement that she has left to become an in-house lawyer at one of Bryan Cave's clients.
“Mary Beth Buchanan has joined a client in an in-house capacity. This move had been planned for many months and has nothing to do with the lawsuit or its allegations,” the firm's statement said.
A firm representative did not name the client where Buchanan now works and did not directly respond to a request for comment on the LabMD suit's allegations.
The lawsuit targeting Buchanan and Bryan Cave is part of a much larger saga that began with the 2008 data breach, and which later prompted the FTC probe and effectively led to the medical testing company's demise.
In May 2008, Tiversa contacted LabMD to say that, using the peer-to-peer network service LimeWire, it had gained access to a LabMD document detailing private health information on some 9,300 people. The document included names, Social Security numbers, information about which medical tests were performed on the people and, in some cases, health insurance information and policy numbers, according to a 2016 FTC ruling in the agency's LabMD case.
Tiversa had found the private health information in February 2008, a few months before contacting LabMD. Wallace was the Tiversa employee who actually did the work of accessing and downloading the document. Tiversa later alerted the FTC about the compromised data. The agency has said in court documents that, while it began its probe in light of Tiversa's information, its own independent investigation supported a data breach case against LabMD.
After Tiversa alerted LabMD about the compromised data, the medical testing company conducted an internal investigation and learned that its billing manager had installed LimeWire on a work computer, primarily to download music. The employee inadvertently had the entirety of her computer's “My Documents” folder set to share, including the file that contained the private patient information, according to the FTC case and the April lawsuit.
Tiversa, meanwhile, repeatedly tried to convince LabMD to purchase its cyber protection services in light of the LimeWire breach. Tiversa later falsely claimed it had uncovered evidence that the private information had spread further through peer-to-peer networks, the FTC found in 2016.
LabMD rebuffed Tiversa's solicitations, viewing them as an attempted shakedown, according to the April lawsuit. Tiversa later became the subject of a federal investigation into allegations that it falsified information about companies that declined to purchase its cyber protection services, and then provided that falsified information to the government.
Wallace was eventually fired from Tiversa. The April complaint alleges he was let go for refusing to lie under oath at the behest of Tiversa's CEO. He became a whistleblower and was granted immunity for his testimony in the FTC enforcement action. In early 2015, Buchanan began representing him in that capacity.
Wallace testified in the FTC action that he used “a P2P network and standard P2P application like LimeWire to download the file” on LabMD's computers, according to the FTC's 2016 ruling. He also testified that, under direction from Tiversa's CEO, he doctored the file to make it look like it had spread further through peer-to-peer networks.
Citing that testimony, an FTC administrative law judge initially threw out the agency's data breach case against LabMD. But after an appeal, the FTC's commissioners reversed and held LabMD liable for failing to protect confidential health information.
The April 28 complaint, however, disputes the account of how the LabMD hack took place. Instead of using a standard peer-to-peer software program, LabMD alleges that Wallace really used FBI surveillance software to carry out the hack.
“Buchanan and BCLP intentionally withheld from the FTC and LabMD information and documentation evidencing Wallace's use of the FBI surveillance software and equipment authorized by Buchanan,” the suit said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
When Law Firms Get Hacked, Are Their Corporate Clients on the Hook?
What the Rumored Harvey and vLex Deal Says About Today's Legal Research Market
Shook Hardy, Seeking 'Critical Mass' in LA, Adds Trial Lawyers From K&L Gates
5 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
