Tiversa still disputes the testimony, but the case raises questions of procedure and even extortion for an otherwise reputable security company. For digital security firms, there is a fine line between identifying weaknesses and exploiting them to prove the value of a company’s services. What happens if a security company crosses the line?

But now Tiversa itself has come under fire: a staff report published today by Rep. Darrell Issa (R-CA) describes "a troubling pattern" of falsified information from Tiversa, in the service of an "unethical business model." For years, Daugherty has alleged that the security firm referred LabMD to the FTC as retaliation after he refused to buy their services, and new testimony from a former Tiversa employee suggests he may be right.

Daugherty’s FTC troubles started over a data breach he says never occurred. In the summer of 2008, a single file containing social security numbers and treatment codes for nearly 9,000 patients was discovered on a peer-to-peer sharing network. The security company Tiversa downloaded the file, confirming a security flaw and giving the FTC grounds for an ongoing case against LabMD.

* *

Tiversa first noticed LabMD in July of 2008, doing a routine scan of companies on peer-to-peer networks. At the time, peer-to-peer services like Limewire and Kazaa were still massively popular, and they opened up a new way for data to leak. If a company had a peer-to-peer program on one of its computers (typically because an employee was trying to download music at work), it could expose sensitive files to anyone on the network who cared to look. That led to a real security problem and a market niche for firms like Tiversa, which specializes in finding that data and tracing it back to its source.

In LabMD’s case, an employee had installed an unauthorized copy of Limewire Workstation, opening up a company hard drive to anyone snooping through the service. Tiversa seized a 1,718-page file that contained data on more than 9,000 patients, a massive violation of patient confidentiality. If the file ever got out, it would be a hugely damaging breach and expose LabMD to catastrophic lawsuits.

What happened next is controversial. Tiversa CEO Robert Boback says he reported the breach as routine and told LabMD what he knew. When they asked for more details, he said he only had the data the scan had turned up, but could investigate more if LabMD wanted to hire Tiversa full time. Boback left them with his company’s rates and figured he had done his duty.

Daugherty saw the same conversation as veiled extortion. He believes Tiversa inflated the threat to sell LabMD on the firm’s services, and began retaliating when the medical testing company didn’t bite. Unsure of which employee was using the service, LabMD had trouble getting the file off the network, and Tiversa wasn’t shy about reminding them how serious the issue was. "We have continued to see individuals searching for and downloading copies of the file that was provided," Boback wrote to Daugherty in one email, shortly after the initial breach. "If you need a breakdown of the various state laws regarding breach notification, I can provide one for you."

Michael Daugherty, LabMD CEO

Behind the scenes, things may have been even more aggressive. A Tiversa employee named Richard Wallace recently testified that, after talks between the companies broke down, LabMD was added to a list of outstanding breaches to be reported to the FTC. According to Wallace, the purpose of the list was, "to let them know that an enforcement action is coming down the line and they need to hire us or face the music, so to speak." The FTC was already investigating peer-to-peer sharing problems, and having LabMD on the list exposed the company to an immensely damaging FTC complaint that ultimately destroyed it. To Daugherty, it was simple retaliation — because he didn’t pay for Tiversa’s services, he ended up under the hammer of the FTC.

Boback says Wallace’s claims are "absolutely ridiculous," characterizing him as a disgruntled employee out for revenge who likely perjured himself as part of the testimony. He says his conversations with Daugherty were about fixing the breach, not hiring Tiversa, and that once the FTC’s breach investigation began, he was required by law to report anything he knew. "There was no sales pitch," Boback says. "It was never a sales pitch."

But now there are new questions as to whether Tiversa’s data was accurate. Boback says the Tiversa databases showed seven computers in possession of the file, any of which could have shared the file with countless others. But Wallace says the other IP addresses were fabricated to make it seem like the LabMD data had traveled farther than it really had. What’s more, Wallace says it wasn’t the only time Tiversa tried out the trick.

Tiversa’s biggest claim to notoriety had to do with an even more serious target: the president’s helicopter. In the fall of 2008, the company discovered schematics for the president’s Marine One chopper being shared alongside the usual flood of pirated music. A defense contractor in Maryland had accidentally shared an early proposal for the helicopter’s avionics system, not realizing the file-sharing program would index his entire hard drive. A few months later, Tiversa went public with the news, announcing that they had discovered the plans being shared from an IP address in Iran. It was a black eye for the contractor, and public proof of how useful a platform like Tiversa’s could be for companies guarding sensitive data.

But according to Wallace, the story wasn’t true. "That file had already been dealt with by law enforcement, had already been remediated and taken offline," Wallace told the FTC last week. "Mr. Boback found out about it some time later and said we need to make hay out of this, so the media was contacted and the story then was that the file had been found at an Iranian IP address." Since the IP address was the only firm evidence a peer-to-peer scan would produce, Wallace says they just needed to make up an address in the Iranian block that wouldn’t be too easy to trace. That one tweak could make it look like the company was still bleeding data, even after the breach was fixed.

The company ran the same playbook on LabMD, according to Wallace. He says that in 2013, long after the FTC complaint was filed, he was asked to log a new set of IP addresses where the file had been detected, increasing the imaginary range of the breach. It’s unclear how that data was meant to be used, although the company was engaged in an ongoing defamation suit with Daugherty at the time. Still, according to Wallace, the data had only ever actually been in two places: LabMD’s computers and Tiversa’s. "The originating source in Atlanta is the only source that it’s ever been seen at," Wallace testified.

A new report, commissioned by House Oversight Committee chairman Darrell Issa, goes even further. The report accuses Tiversa of a "scheme to defraud the congress and executive agencies" by providing false information in a number of cases, including a Chicago AIDS clinic that shut down under circumstances similar to LabMD’s. The report also alleges that Tiversa failed to comply with a number of subpoenas and created "a culture of intimidation," adding credence to Wallace's testimony. "Throughout this investigation, the Committee routinely found that the information provided by Tiversa either could not be verified, or simply did not make sense," the report states. "The whistleblower's testimony that Tiversa routinely falsified documents, however, filled in those gaps."