Former federal prosecutor Mary Beth Buchanan and her most recent law firm, Bryan Cave Leighton Paisner, face allegations that they covered up a whistleblower client's use of “FBI surveillance software” to hack private patient data stored by LabMD Inc., a beleaguered medical testing company.

A lawsuit filed April 28 in Manhattan federal court accuses Buchanan, a former U.S. attorney in Pittsburgh, of violating the Ethics in Government Act and allegedly hiding that violation by advising a whistleblower client, Richard Wallace, to give incomplete testimony in a Federal Trade Commission enforcement action against LabMD.

Before it began winding down operations in 2014 amid an FTC case related to a 2008 data breach, LabMD, based in Atlanta, was a medical testing laboratory that provided cancer diagnoses for urologists. LabMD and its founder, Michael Daugherty, represented by Alpharetta, Georgia-based lawyer James Hawkins, lodged the late April suit against Buchanan and Bryan Cave.

According to the complaint, Buchanan worked as a federal prosecutor between 2001 and 2009. During that time, she worked in conjunction with Wallace, a former forensic analyst at Tiversa Inc., which marketed itself as a cybersecurity business. The suit alleges that in 2007, Buchanan authorized Tiversa to use proprietary FBI surveillance software programs in connection with a federal child pornography investigation.

LabMD alleges that Wallace, while still a Tiversa employee, then used the same surveillance software in 2008 to access company files that contained personal health information on LabMD's test subjects. Wallace's hack, according to the suit, started a chain of events that led to the FTC investigation of LabMD over the data breach.

“Buchanan and BCLP kept Buchanan's [ethics] violation secret by directing Wallace not to testify about his prior work with Buchanan and, in particular, not to disclose his use of the FBI surveillance software and equipment authorized by Buchanan to hack into and take from a computer at a cancer detection laboratory in Atlanta, Georgia, a file containing confidential information on over 9,000 patients,” the complaint said.

The suit referred to Buchanan as a partner at Bryan Cave, which she joined in 2013, according to a statement at that time. As of Wednesday, however, Buchanan was not listed on the firm's website and the firm said in a statement that she has left to become an in-house lawyer at one of Bryan Cave's clients.

“Mary Beth Buchanan has joined a client in an in-house capacity. This move had been planned for many months and has nothing to do with the lawsuit or its allegations,” the firm's statement said.

A firm representative did not name the client where Buchanan now works and did not directly respond to a request for comment on the LabMD suit's allegations.

The lawsuit targeting Buchanan and Bryan Cave is part of a much larger saga that began with the 2008 data breach, and which later prompted the FTC probe and effectively led to the medical testing company's demise.

In May 2008, Tiversa contacted LabMD to say that, using the peer-to-peer network service LimeWire, it had gained access to a LabMD document detailing private health information on some 9,300 people. The document included names, Social Security numbers, information about which medical tests were performed on the people and, in some cases, health insurance information and policy numbers, according to a 2016 FTC ruling in the agency's LabMD case.

Tiversa had found the private health information in February 2008, a few months before contacting LabMD. Wallace was the Tiversa employee who actually did the work of accessing and downloading the document. Tiversa later alerted the FTC about the compromised data. The agency has said in court documents that, while it began its probe in light of Tiversa's information, its own independent investigation supported a data breach case against LabMD.

After Tiversa alerted LabMD about the compromised data, the medical testing company conducted an internal investigation and learned that its billing manager had installed LimeWire on a work computer, primarily to download music. The employee inadvertently had the entirety of her computer's “My Documents” folder set to share, including the file that contained the private patient information, according to the FTC case and the April lawsuit.

Tiversa, meanwhile, repeatedly tried to convince LabMD to purchase its cyber protection services in light of the LimeWire breach. Tiversa later falsely claimed it had uncovered evidence that the private information had spread further through peer-to-peer networks, the FTC found in 2016.

LabMD rebuffed Tiversa's solicitations, viewing them as an attempted shakedown, according to the April lawsuit. Tiversa later became the subject of a federal investigation into allegations that it falsified information about companies that declined to purchase its cyber protection services, and then provided that falsified information to the government.

Wallace was eventually fired from Tiversa. The April complaint alleges he was let go for refusing to lie under oath at the behest of Tiversa's CEO. He became a whistleblower and was granted immunity for his testimony in the FTC enforcement action. In early 2015, Buchanan began representing him in that capacity.

Wallace testified in the FTC action that he used “a P2P network and standard P2P application like LimeWire to download the file” on LabMD's computers, according to the FTC's 2016 ruling. He also testified that, under direction from Tiversa's CEO, he doctored the file to make it look like it had spread further through peer-to-peer networks.

Citing that testimony, an FTC administrative law judge initially threw out the agency's data breach case against LabMD. But after an appeal, the FTC's commissioners reversed and held LabMD liable for failing to protect confidential health information.

The April 28 complaint, however, disputes the account of how the LabMD hack took place. Instead of using a standard peer-to-peer software program, LabMD alleges that Wallace really used FBI surveillance software to carry out the hack.

“Buchanan and BCLP intentionally withheld from the FTC and LabMD information and documentation evidencing Wallace's use of the FBI surveillance software and equipment authorized by Buchanan,” the suit said.