ONE HUNDRED THIRTEENTH CONGRESS

Congress of the United States
House of Representatives
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
2157 RAYBURN HOUSE OFFICE BUILDING
WASHINGTON, DC 20515-6143

MAJORITY (202) 225-5074
FACSIMILE (202) 225-3974
MINORITY (202) 225-5051
http://oversight.house.gov

DARRELL E. ISSA, CALIFORNIA, CHAIRMAN; JOHN L. MICA, FLORIDA; MICHAEL R. TURNER, OHIO; JOHN J. DUNCAN, JR., TENNESSEE; PATRICK T. MCHENRY, NORTH CAROLINA; JIM JORDAN, OHIO; JASON TIM WALBERG, MICHIGAN; JAMES LANKFORD, OKLAHOMA; JUSTIN MICHIGAN; PAUL A. GOSAR, ARIZONA; PATRICK MEEHAN; SCOTT DESJARLAIS, TENNESSEE; TREY GOWDY, SOUTH CAROLINA; BLAKE FARENTHOLD, TEXAS; DOC HASTINGS, WASHINGTON; M. LUMMIS, WYOMING; ROB WOODALL, GEORGIA; THOMAS MASSIE, KENTUCKY; DOUG COLLINS, GEORGIA; MARK MEADOWS, NORTH CAROLINA; KERRY L. BENTIVOLIO, MICHIGAN; RON DESANTIS, FLORIDA

J. BRADY, STAFF DIRECTOR

ELIJAH E. MARYLAND, RANKING MINORITY MEMBER; CAROLYN B. MALONEY, NEW YORK; ELEANOR HOLMES NORTON, DISTRICT OF COLUMBIA; JOHN F. TIERNEY, MASSACHUSETTS; WM. LACY CLAY, MISSOURI; STEPHEN F, MASSACHUSETTS; JIM COOPER, TENNESSEE; GERALD E. CONNOLLY, VIRGINIA; JACKIE SPEIER, CALIFORNIA; MATTHEW A. CARTWRIGHT, L. TAMMY DUCKWORTH, ILLINOIS; ROBIN L. KELLY, ILLINOIS; DANNY K. DAVIS, ILLINOIS; PETER WELCH, VERMONT; TONY CARDENAS, CALIFORNIA; STEVEN A. HORSFORD, NEVADA; MICHELLE LUJAN GRISHAM, NEW MEXICO; VACANCY

December 1, 2014

The Honorable Edith Ramirez
Chairwoman
U.S. Federal Trade Commission
600 Avenue, NW
Washington, DC 20580

Dear Ms. Ramirez:

The Committee on Oversight and Government Reform has been investigating the activities of Tiversa, Inc., a Pittsburgh-based company that purportedly provides peer-to-peer intelligence services. The Federal Trade Commission has relied on Tiversa as a source of information in its enforcement action against Inc., a Georgia-based medical testing laboratory.

The Committee has obtained documents and information indicating Tiversa failed to provide full and complete information about work it performed regarding the inadvertent leak of data on peer-to-peer computer networks. In fact, it appears that, in responding to an FTC subpoena issued on September 30, 2013, Tiversa withheld responsive information that contradicted other information it did provide about the source and spread of the data, a billing spreadsheet file.

Despite a broad subpoena request, Tiversa provided only summary information to the FTC about its knowledge of the source and spread of the file.

Initially, Tiversa, through an entity known as the Privacy Institute, provided the FTC with information about peer-to-peer data leaks at nearly 100 companies, including LabMD.1 Tiversa created the Privacy Institute for the specific purpose of providing information to the FTC. Despite Tiversa's claims that it is a trusted partner, it did not want to disclose that it provided information to the FTC.2

1 H. Comm. on Oversight & Gov't Reform, Transcribed Interview of Robert Boback, Chief Executive Officer, Tiversa, Inc., Transcript at 42 (June 5, 2014) [hereinafter Boback Tr.].
2 See Tiversa, Industry Outlook, Government/Law Enforcement, available at (last visited Nov. 21, 2014); Boback Tr. at 42-43.
3 Fed. Trade Comm'n, Subpoena to Tiversa Holding Corp. (Sept. 30, 2013) [hereinafter Tiversa FTC Subpoena].

After the FTC filed a complaint against the agency served Tiversa with a subpoena for documents related to the matter. Among other categories of documents, the subpoena requested "all documents related to In a transcribed interview, Alain Sheer, an attorney with the Bureau of Consumer Protection, told the Committee that the FTC did not narrow the subpoena for Tiversa. Sheer stated:

Q  This is the specifications requested of Tiversa. No.
4 requests all documents related to Do you know if Tiversa produced all documents related to
A  I am not sure what your question is.
Q  Let me ask it a different way. Was the subpoena narrowed in any way for Tiversa?
A  Not that I am aware of.4

In total, Tiversa produced 8,669 pages of documents in response to the subpoena. Notably, the production contained five copies of the 1,718-page Insurance Aging file that Tiversa claimed to have found on peer-to-peer networks and only 79 pages of other materials, none of which materially substantiated Tiversa's claims about the discovery of the file.

The information Tiversa gave the FTC included the IP address from which Tiversa CEO Robert Boback has claimed the company first downloaded the file, as well as other IP addresses that Tiversa claims also downloaded the file. The origin of the IP address from which Tiversa first downloaded the file was in dispute in other litigation between and Tiversa. On numerous occasions, including before the FTC, Boback maintained that Tiversa first downloaded the file from an IP address in San Diego, California. Boback stated:

Q  What is the significance of the IP address, which is 68.107.85.250?
A  That would be the IP address that we downloaded the file from, I believe.
Q  Going back to CX 21. Is this the initial disclosure source?
A  If I know that our initial disclosure source believed that that was it, yes. I don't remember the number specifically, but if that IP address resolves to San Diego, California, then, yes, that is the original disclosure source.
Q  When did Tiversa download [the
A  I believe it was in February of 2008.5

4 H. Comm. on Oversight & Gov't Reform, Transcribed Interview of Alain Sheer, Fed. Trade Comm'n, Transcript at 147 (Oct. 9, 2014).
5 In the matter of Inc., Deposition of Robert J. Boback, CEO, Tiversa, transcript at 24-25 (Nov. 21, 2013) [hereinafter Boback Nov.
2013 FTC

Boback also testified that Tiversa performed an investigation into the file at the request of a client.6 In the course of this investigation, Tiversa concluded that an IP address in Atlanta, Georgia, where was headquartered, was the initial disclosure source of the document. Boback stated:

Q  There is an IP address on the right-hand side, it is 64.190.82.42. What is that?
A  That, if I recall, is an IP address that resolves to Atlanta, Georgia.
Q  Is that the initial disclosure source?
A  We believe that it is the initial disclosure source, yes.
Q  And what is that based on?
A  The fact that the file, the 1,718 file, when we searched by hash back in that time for our client, we received a response back from 64.190.82.42 suggesting that they had the same file hash as the file that we searched for. We did not download the file from them.
Q  So, I think you are telling me that chronologically this was the first other location for that file in juxtaposition of when you found the file at 68.107.85.250?
A  We know that the file in early February, prior to this February 25 date, was downloaded from the 68.107.85.250. Upon a search to determine other locations of the file across the network, it appears that on 2/25/2008 we had a hash match search at 64.190.82.42, which resolved to Atlanta, which led us to believe that without further investigation, that this is most likely the initial disclosing source.
Q  What other information do you have about 64.190.82.42?
A  I have no other information. I never downloaded the file from them. They only responded to the hash match.7

Boback's testimony before the FTC in November 2013 made clear that Tiversa first downloaded the file from an IP address in San Diego, California, in February 2008, that it only identified as the disclosing source after performing an investigation requested by a client, and that it never downloaded the file from

6 Boback Nov. 2013 FTC Tr.
at 72-73 ("In 2008, when working for another client, we were attempting to identify the original disclosure source of the file that we discovered from 1 the San Diego IP address").
7 Boback Nov. 2013 FTC Tr. at 41.

Tiversa withheld responsive documents from the FTC, despite the issuance of the September 2013 subpoena. These documents contradict the account Boback provided to the FTC.

On June 3, 2014, the Committee issued a subpoena to Tiversa requesting, among other information, "[a]ll documents and communications referring or relating to Inc."8 This request was very similar to the request for "all documents related to Despite nearly identical requests from the FTC and the Committee to Tiversa, Tiversa produced numerous documents to the Committee that it does not appear to have produced to the FTC. Information contained in the documents Tiversa apparently withheld contradicts documents and testimony Tiversa did provide to the FTC.

An internal Tiversa document entitled "Incident Record Form," dated April 18, 2008, appears to be the earliest reference to the file in Tiversa's production to the Committee.10 This document states that on April 18, 2008, Tiversa detected a file "disclosed by what appears to be a potential provider of services for The Incident Record described the document as a "single Portable Document Format (PDF) that contain[ed] sensitive data on over 8,300 patients," and explained that "[a]fter reviewing the IP address, resolution results, meta-data and other files, Tiversa believes it is likely that Lab MD near Atlanta, Georgia is the disclosing source."12 The name of the file was which is the same name as the file in question in the FTC proceeding. According to the Incident Record, the IP address disclosing the file was 64.190.82.42--later confirmed to be a IP address.13

Upon learning about the file, CIGNA, a Tiversa client, "asked Tiversa to perform Forensic Investigation activities"
on the insurance aging file to determine the extent of proliferation of the file over peer-to-peer networks.14 An August 2008 Forensic Investigation Report provided the analysis CIGNA requested. This report identified IP address 64.190.82.42--the Atlanta IP address--as proliferation point zero, and the "original source" of the Incident Record Form.15

A spread analysis included in the August 2008 forensic report stated that the file had been "observed by Tiversa at additional IP addresses" but made clear that Tiversa had not downloaded the file from either additional source because of "network constraint and/or user behavior."16 Thus, according to this report, Tiversa had only downloaded the file from one source in Atlanta, Georgia by August 2008. This contradicts Boback's testimony that Tiversa first downloaded the file from an IP address in San Diego, California. If Tiversa had in fact downloaded the file from a San Diego IP address in February 2008, then that fact should be included in this 2008 forensic report. It is not.

8 H. Comm. on Oversight & Gov't Reform, Subpoena to Robert Boback, Chief Exec. Officer, Tiversa, Inc. (June 3, 2014).
9 Tiversa FTC Subpoena.
10 Tiversa Incident Record Form, ID (Apr. 18, 2008).
11 Id.
12 Id. (emphasis added).
13 Id.
14 Tiversa, Forensic Investigation Report for Ticket (Aug. 12, 2008). This letter uses the phrase "forensic report" to describe this and a second report created by Tiversa about the file because that is the title used by Tiversa. It is not clear what, if any, forensic capabilities Tiversa possesses.
15 Id.
16

One of the two additional IP addresses is located in San Diego, California. It is a different IP address, however, than the one from which Tiversa claims to have originally downloaded the file.
17 Further, Tiversa did not observe that this San Diego IP address possessed the file until August 5, 2008.18 Thus, according to this report, Tiversa did not observe San Diego IP address in possession of the file until August 2008. Again, the report stands in stark contrast to Boback's testimony that Tiversa first downloaded the file from a different San Diego IP address in February 2008.

In addition, both the April 2008 Incident Record Form and the August 2008 Forensic Investigative Report stated that the file was "detected being disclosed" in April 2008. Neither report indicated that Tiversa first downloaded the file from the San Diego IP address--an IP address not listed on either report--on February 5, 2008. Boback's deposition testimony and a cursory four-line document marked as exhibit seem to be the only evidence that Tiversa first downloaded the file from a San Diego IP address in February 2008.

These documents contradict the information Tiversa provided to the FTC about the source and spread of the file. If Tiversa had, in fact, downloaded the file from the San Diego IP address and not from the Georgia IP address, then these reports should indicate as such. Instead, the San Diego IP address is nowhere to be found, and the Georgia IP address appears as the initial disclosing source on both reports.

Tiversa also produced an e-mail indicating that it originally downloaded the file from Georgia and not from San Diego as it has steadfastly maintained to the FTC and this Committee. On September 5, 2013, Boback e-mailed Dan Kopchak and Molly Trunzo, both Tiversa employees, with a detailed summary of Tiversa's involvement with Why Boback drafted the e-mail is unclear. He wrote, 2008, while doing work for a client, our systems downloaded a file (1,718 page pdf) that contained sensitive information including SSNs and health information for over 9000 people. The file had the name in both the header of the file and the metadata.
The of the download was found to be in Georgia, which after a Google search, is where we found LabMD's office to be located."19

As noted above, according to Alain Sheer, a senior FTC attorney assigned to the matter, the FTC did not narrow the September 2013 subpoena requiring Tiversa to produce, among other documents, "all documents related to Tiversa withheld these relevant documents about its discovery and early forensic analysis of the file from the FTC. These documents directly contradict testimony that Boback provided to the FTC, and call Tiversa's credibility into question. Boback has not adequately explained why his company withheld documents, and why his testimony is not consistent with reports Tiversa created at the time it discovered the file.

17 The IP address reported on the August 2008 forensic report that resolves to San Diego, California is 688250.203. Boback testified, however, that Tiversa first downloaded the file from IP address 68.107.85.250 on February 5, 2008. Tiversa concluded in the report that the second IP address on which it observed the file was "[m]ost likely an IP shift from the original disclosing source." Id.
19 E-mail from Robert Boback, CEO, Tiversa, to Dan Kopchak & Molly Trunzo (Sept. 5, 2013) (emphasis added).
20 Tiversa FTC Subpoena.

It is unlikely that the file analyzed in the April 2008 Incident Record Form and the August 2008 Forensic Investigative Report is different from the so-called "1718 file" at issue in the FTC proceeding, particularly given Boback's testimony to the FTC about how Tiversa's system names files.21 If, however, the earlier reports do refer to a different file, then Tiversa neglected to inform the FTC of a second, similarly sized leak of patient information.

Tiversa's June 2014 forensic report is the only report provided to this Committee that substantiates Boback's claims.

Tiversa produced to the Committee a forensic report on the file that it created in June 2014.
Tiversa created this report and others related to testimony previously provided to the Committee after the investigation began. While outside the scope of the subpoena due to the date of the document, this is the only report supporting Tiversa's claim that it first downloaded the file from the San Diego IP address. This report contradicts information Tiversa provided to CIGNA in the April 2008 Incident Record Form and August 2008 Forensic Investigative Report--documents created much closer to when Tiversa purportedly discovered the document on a peer-to-peer network. The fact that Tiversa created the only forensic report substantiating its version of events after the Committee began its investigation raises serious questions.

This most recent report states that Tiversa's systems first detected the file on February 5, 2008, from a San Diego IP address (68.107.85.250) not included in either of the 2008 documents. According to the spread analysis, this San Diego IP shared the file from February 5, 2008, until September 20, 2011. Yet, despite allegedly being downloaded before both the April or August 2008 reports, neither 2008 document mentions that Tiversa downloaded this document.

The June 2014 report also states that the IP address (64.190.82.42) shared the file between March 7, 2007, and February 25, 2008. Thus, according to this report, by the time Tiversa submitted an Incident Record Form to CIGNA in April 2008, the IP address was no longer sharing the file. Furthermore, the report does not describe why Tiversa's system did not download the file from the Georgia IP address, even though the technology should have downloaded a file that hit on a search term, in this case each time a different computer shared the document. The June 2014 report includes no reference to the other San Diego IP address discussed in the August 2008 forensic report as being in possession of the file.

21 Boback Nov. 2013 FTC Tr. at 40-41 (describing that a file's "hash"
or title identifies "exactly what that file is." The title of the document described in the April and August 2008 documents is the same as the title of the document in the FTC proceeding).

Tiversa did not make a full and complete production of documents to this Committee. It is likely that Tiversa withheld additional documents from both this Committee and the FTC.

On October 14, 2014, Tiversa submitted a Notice of Information Pertinent to Richard Edward Wallace's Request for Immunity.22 Chief Administrative Law Judge D. Michael Chappell has since ordered that the assertions and documents contained in the Notice of Information will be "disregarded and will not be considered for any purpose."23 Tiversa included two e-mails from 2012 as exhibits to the Notice of Information. According to Tiversa, these e-mails demonstrate that Wallace could not have fabricated the IP addresses in question in October 2013, because he previously included many of them in e-mails to himself and Boback a year prior.

Tiversa did not produce these documents to the Committee even though they are clearly responsive to the Committee's subpoena. Their inclusion in a submission in the FTC proceeding strongly suggests that Tiversa also never produced these documents to the FTC. In its Notice of Information, Tiversa did not explain how and when it identified these documents, why it did not produce them immediately upon discovery, and what additional documents it has withheld from both the FTC and the Committee.

The e-mails also contain little substantive information and do not explain what exactly Wallace conveyed to Boback in November 2012 or why he conveyed it. If Boback did in fact receive this information in November 2012, his June 2013 deposition testimony is questionable. It is surprising that Tiversa would have supplied inaccurate information to the FTC when Boback himself apparently received different information just months prior.
Tiversa should have located and produced these e-mails pursuant to the September 2013 subpoena, and it should have been available for Boback's June 2013 deposition.

Tiversa's failure to produce numerous relevant documents to the Commission demonstrates a lack of good faith in the manner in which the company has responded to subpoenas from both the FTC and the Committee. It also calls into question Tiversa's credibility as a source of information for the FTC. The fact remains that withheld documents contemporaneous with Tiversa's discovery of the file directly contradict the testimony and documents Tiversa did provide. In the Committee's estimation, the FTC should no longer consider Tiversa to be a cooperating witness. Should the FTC request any further documents from Tiversa, the Commission should take all possible steps to ensure that Tiversa does not withhold additional documents relevant to the proceeding.

22 Tiversa Holding Corp.'s Notice of Information Pertinent to Richard Edward Wallace's Request For Immunity, In the Matter of Lab MD, Inc., No. 9357 (U.S. Fed. Trade Comm'n, Oct. 14, 2014), [hereinafter Notice of Information].
23 Case: FTC gets green light to grant former Tiversa employee immunity in data security case, PHIprivacy.net, Nov. 19, 2014,
24 Notice of Information at 4.

I have enclosed the documents discussed herein with this letter, so that your staff may examine them. All documents are provided in the same form in which Tiversa produced them to the Committee.

The Committee on Oversight and Government Reform is the principal oversight committee of the House of Representatives and may at "any time" investigate "any matter" as set forth in House Rule X.

If you have any questions, please contact the Committee staff at (202) 225-5074. Thank you for your prompt attention to this matter.

Darrell Issa
Chairman

Enclosures

cc: The Honorable Elijah E. Cummings, Ranking Minority Member
Ms.
Kelly Tshibaka, Acting Inspector General, U.S. Federal Trade Commission
Ms. Laura Riposo VanDruff, Complaint Counsel, U.S. Federal Trade Commission

TIVERSA
INVESTIGATION REQUEST FORM

Section 1 Customer Information
Organization Name: CIGNA
Contact Name: Sean Ryan
Contact Phone Number: (860) 226-7107
Contact Email Address: sean.ryan@cigna.com

Section 2 Incident Information
Tiversa Incident Number: CIG00081
Date of Incident: 4/18/2008

Section 3 Requested Forensic Services

File Disclosure Investigation
1. Disclosure Source Identification
2. Disclosure Source Geo-location
3. Identify Additional Disclosure Source Files
4. File Proliferation Assessment
5. Proliferation Point Identification
6. Proliferation Point Geo-location
7. Proliferation Point Associated Files

Persons of Interest (POI)
8. Identify Persons of Interest
9. Track Specific Behavior of Persons of Interest
10. Identify Files Associated with Persons of Interest
11. Track Persons of Interest Download Behavior

Search Investigation
12. Review Stored Searches For File Targeting
13. Track Searches for Specific File or Term

Miscellaneous
14. Prosecution Support (Complete Section 4)
15. Other (Complete Section 4)

Section 4 Specific Information Related to Request

TIVERSA
INCIDENT RECORD FORM

Section 1 Customer Information
Organization Name: CIGNA
Contact Name: Sean Ryan
Contact Phone Number: (860) 226-7107
Contact Email Address: sean.ryan@cigna.com

Section 2 Incident Information
Tiversa Incident Number: CIG00081
Related Tiversa Incident Numbers: None
Date of Incident: 4/18/2008
Severity: Urgent

Section 3 Disclosure Information
IP Address: 64.190.82.42
Disclosure Type Summary: Partner Provider
Disclosure Name/ID: LAB MD
Filenames: [64. l.de

Section 4 Incident Summary
On 4/18/2008, 1 file was detected being disclosed by what appears to be a potential provider of services for CIGNA. The information
appears to be a single Portable Document Format (PDF) file that contains sensitive data on over 8,300 patients. Some of the information includes: Patients Full Name, SSN, DOB, Insurance Policy Numbers, Patient Diagnostic Codes, and other information. Of the 8,342 patient records, at least 113 appear to be listed as insured by CIGNA. After reviewing the IP address resolution results, meta-data and other files, Tiversa believes it is likely that Lab MD near Atlanta, Georgia is the disclosing source.

Section 5 Additional Questions That Tiversa Can Address
More information can be gathered related to this disclosure by leveraging Tiversa's P2P File Sharing Forensic Investigation Services. If requested, please fill out the Investigation Request form located below and submit to your Account Manager.

Who is the individual disclosing the information? Select investigation services #1 and #3
What else is this individual sharing or disclosing? Select investigation service #3
Where is this individual located in the world? Select investigation service #2
Did the files spread to other users of the network? Select investigation services #4

TIVERSA
Forensic Investigation Report for Ticket #CIG00081
August 12, 2008

1. Introduction

Tiversa monitors peer-to-peer file sharing networks (P2P) for CIGNA 24/7/365 to identify disclosed sensitive or confidential CIGNA-related information and to record P2P users searching for this information. For each file disclosure, Tiversa provides a disclosure ticket to CIGNA. Each ticket includes the name of the file(s) disclosed, IP on which the files were obtained, the likely source of the disclosure, and copies of the disclosed files. In some cases, more information is required in order to decide what actions to take or to determine if remedial actions have worked.
In these instances, Forensic Investigation Services are required. This Forensic Investigation Report (FIR) summarizes the results and suggested actions of Tiversa's Forensic Investigation Services for Ticket as requested by CIGNA.

The specifics of this ticket as reported were as follows:

Date Submitted: 4/18/2008
Disclosing IP Location: 64.190.82.42
Number of Files Disclosed: 1 CIGNA file (19 total files)
Probable Disclosure Source: Partner/Provider
Probable Disclosure Name/ID: Lab MD
Severity: Urgent

Ticket Write-up Copy: On 4/18/2008, 1 file was detected being disclosed by what appears to be a potential provider of services for CIGNA. The information appears to be a single Portable Document Format (PDF) file that contains sensitive data on over 8,300 patients. Some of the information includes: Patients Full Name, SSN, DOB, Insurance Policy Numbers, Patient Diagnostic Codes, and other information. Of the 8,342 patient records, at least 113 appear to be listed as insured by CIGNA. After reviewing the IP address resolution results, meta-data and other files, Tiversa believes it is likely that Lab MD near Atlanta, Georgia is the disclosing source.

CIGNA asked Tiversa to perform Forensic Investigation activities related to the above ticket in order to ascertain if any of the disclosed files have proliferated across the P2P.

2. Investigation Findings

The CIGNA-related file identified in Ticket #81, as well as some of the files not related to CIGNA, have been observed by Tiversa at additional IP addresses on the P2P. However, network constraints and/or user behavior prevented Tiversa from downloading the files from these additional sources. Most likely, the user logged off the P2P prior to or while Tiversa was attempting to acquire the files. Regardless, information regarding these new observations is included in Figure 2-1-1 immediately below.

Figure 2-1-1: File Proliferation Details

Proliferation Point | File Title | IP Address | Date Observed | Location | ISP |
 | insuranceaging_6.05.071.pdf | 64.190.82.42 | 4/18/08 | Atlanta, GA | Cypress Communications | Original Source from Ticket #81
1 | insuranceaging_6.05.071.pdf | 64.190.79.36 | 8/1/08 | Oakwood, GA | Cypress Communications | Probably an IP shift of original source
2 | insuranceaging_6.05.071.pdf | 688250.203 | 8/5/08 | San Diego, CA | Cox Communications | Unknown (based on other files observed, possible Information Concentrator)

Based on the other files available at the new IP addresses, Proliferation Point #1 (from Figure 2-1-1 above) is most likely an IP shift from the original disclosing source identified in Ticket #81. However, the other files present at Proliferation Point #2 suggest that this source could be an Information Concentrator. Because Tiversa were only able to visually observe these new sources, rather than actually download files, further data collection and analysis may be required for full source identification of the proliferation points.

Tiversa is currently attempting to re-acquire these sources and download any relevant files from them.

3. Conclusions/Suggested Actions

It appears evident that the files from Ticket #81 have proliferated across the P2P and are available from additional IP addresses. However, clear identification of these new sources is not conclusive at this time. Tiversa will update this report as new information becomes available.

In the meantime, CIGNA and/or investigations of the data currently available could be executed. If additional data from Tiversa is required, it can be provided -- for instance, a full listing of files disclosed from the original source (even if those files are not related to CIGNA) can be made available.

TIVERSA
2000 Corporate Drive, Suite 300, Wexford, 15090
724 940-9030
724 940-9033

From: Robert Boback
Sent: Thursday, September 5, 2013 3:20 PM
To: Dan Kepchak

100 SSNs. We provided over 100 files to the FTC in accordance with the federal subpoena and the file was still one of them as it remained on the P2P network. We had no insight/control as to what the FTC was going to do with the information once they received it. Tiversa was not compensated in any way for providing this information to the FTC.

Apparently, the FTC sent questionnaires to some, if not all, of the companies or organizations that breached the sensitive information. The FTC posted on its website a copy of a standard letter(s) that was sent, which is how we knew that they had sent a letter or letters. We had no further communication with the FTI regarding the breaches or their investigations.

sued Tiversa/Dartmouth/Eric Johnson. Case was dismissed (all three times) for jurisdiction issues.

Mr. Daugherty starts writing his book about his problems and blames everyone but himself and his lax security measures at He refuses to provide any information to the FTC questionnaire saying it's a "witch hunt." To this date, I have not heard of Mr. Daugherty spending a single penny in notification or protection of ANY of the over 9000 cancer/medical patients in which he violated their privacy and well established HIPAA laws. He sees himself as the "victim" when he is actually the perpetrator. He intends to capitalize on his "victim" status by becoming "Batman" on a crusade for all Americans against government overreach.

The FTC sued Mr. Daugherty and last week for his non-compliance with a federal subpoena (CID). In the FTC complaint, it noted that over 500 people [of the 9000 in the file] have become victims of ID theft and fraud according to a Sacramento, CA Police Department investigation.
I would suppose that multiple states AG's offices could pursue litigation against and Mr. Daugherty as well for not notifying the individuals (that reside in the various states) that their information had been breached. It is a requirement in 47 of the 50 states. I also only suppose that it is matter of time before there will be a class action suit file against and Mr. Daugherty for the continued reckless breach of patient information.

Mr. Daugherty continues to hype his book, even going as far to have a cheesy trailer made about the book which is full of false statements regarding Tiversa and me. He continues to suggest that Tiversa is "government funded" which we are not, and never have been. Tiversa has only received one round of funding in 2006 by Adams Capital Management. In my opinion, he needs to draw some connection between Tiversa, "hacking" and the government in an effort to sell his book and, more importantly, claim that he was not required to compensate the 9000 true victims of this story.

Tiversa filed a Defamation suit against and Mr. Daugherty in federal court on September 5, 2013.

Essentially, Tiversa was trying to help the 9000 people by informing that there was a problem. Unfortunately, took the "shoot/sue the messenger" approach.

TIVERSA
Forensic Investigation Report - Prepared for

Confidential - For Committee and Staff Use Only TIVERSA-OGR-0017467

1.0 Introduction

Worldwide Peer-to-Peer file sharing networks are primarily used for sharing music, movies, and software. Unfortunately, they also commonly expose confidential and sensitive government, corporate and consumer documents. Employees, suppliers, contractors, agents, partners, and customers inadvertently disclose millions of confidential and sensitive documents on the P2P file sharing networks each year.
Once disclosed, these documents are publicly available to any individual using one of the 2,800+ different P2P file sharing programs and versions, most of which are free and publicly available. Disclosed files are routinely accessed by identity thieves, cyber criminals, terrorists, competitors, the media, shareholders, and others.

It must be emphasized that P2P file sharing networks are not part of the World Wide Web. P2P file sharing networks are entirely separate, internet-based networks with unique searches, files, and users.

P2P networks are extremely large. In fact, more users search the P2P for information than the World Wide Web, with over 1.8 billion searches a day occurring on the P2P networks. It is also estimated that over 550 million users have file sharing applications, and internet service providers have stated that up to 70% of internet traffic is consumed solely by P2P networks. The risks related to P2P compromises will only escalate as P2P use continues to grow driven by increased broadband access, the explosion of digital content, and increasing numbers of tech-savvy individuals entering the workforce.

From a data and information security standpoint, P2P compromises are among the most damaging since users share hundreds of documents, sometimes every file resident on their machine, including Word, Excel, PowerPoint, PDF, e-mails, databases, and PST files. Once these documents are shared or exposed to the millions of P2P users, they tend to "virally spread" across the networks as users these files from each other and thereafter proceed to re-share these files themselves.

Tiversa's unique value is in its patented EagleVision X1 technology which can view and access the P2P in real-time. Similar to how Google has indexed the World Wide Web, Tiversa has "centralized" the notoriously "decentralized" P2P file sharing networks.
As such, Tiversa has the ability to detect and record user-issued P2P searches, access and download files available on the P2P networks, determine the actual disclosure source of documents, track the spread of files across the entire P2P networks, and remediate P2P file disclosures.

This Forensic Investigation Report summarizes the results and suggested actions of Tiversa's Forensic Investigation Services for Incident

SECTION 1 - Customer Information
Organization Name:
Contact Name:
Contact Phone:
Contact Email:

Incident Number: LABMD0001
Related Incidents:
Date of Report: 6/4/2014
Severity: URGENT
IP Address: 64.190.82.42
P2P Client:
Disclosure Type: Internal
Disclosure Source:
Filename(s):

SECTION 4 - Incident Summary

On 2/5/2008, Tiversa's systems detected 1 file being disclosed on P2P file sharing networks. The detected file appears to be a 1,718 page "Insurance Aging" Report relating to The file contains patient information including Name, Social Security Number, DOB, Insurance Information, Billing Date, Billed Amount etc., relating to approximately 9,000 apparent patients. The file appears to be emanating from the IP Address 64.190.82.42, which traces to Atlanta, Georgia, US.

Upon further analysis, 19 total files were detected being disclosed from this IP address on various dates between 3/7/2007 and 2/25/2008. The additional files include Insurance Benefits labels, LabMD login credentials (username and passwords) relating to web access for insurance companies, Insurance Verification blank forms relating to daily credit card transactions, Medical Records Request letters, La Patient Appeal Authorization letters, Payment Posting Specialist Duties, a Employee Handbook, La Employee Time Off Request forms, documents containing meeting notes and other related letters.
Upon reviewing the metadata and files emanating from this source, Tiversa believes the disclosure source may be an individual employed with LabMD.

2.0 Investigation Findings

2.1 Source Identification

The disclosure source appears to have emanated from IP address 64.190.82.42. As of 6/3/2014 this IP address is registered to (CYPRESS COMMUNICATIONS LLC), and appears to be located in Atlanta, Georgia, US. For details related to this IP address see Figure 2-1-1 below.

Figure 2-1-1: Disclosure Source IP Address; Geolocation
IP Address: 64.190.82.42
Location: UNITED STATES, ATLANTA
Latitude & Longitude: 33.831847, -84.386614
Connection: CYPRESS COMMUNICATIONS LLC
Local Time: 03 Jun 2014 05:41 PM (UTC -04:00)
Domain: CYPRESSCOM.NET

Based on an initial investigation by Tiversa, the information found within the content and metadata of the files disclosed by this source indicate that the disclosure source may be an individual employed with There were 19 total files disclosed by this source. The file metadata (properties) of several of the documents list authoring Company as "labmd," and contain the following common identifiers within the file Author and Last-Saved by fields:

rwoodson
sbrown
Administrator
Dan Carmichael
Liz Fair

It is possible that these are user identifiers, providing additional evidence in that these users may have created or edited the disclosed documents, and that the documents may have been created or edited on a machine. See Figure 2-1-2 below for all file information.

Figure 2-1-2:
File Title:
INSURANCE BENEFITS
WEB ACCESS FOR INSURANCE
Insurance Verification Specialist Duties.doc
HELPFUL TIPS FOR BETTER AUDIT
DAILY CREDIT CARD
MEDICAL RECORDS FEE LTR.doc
MEDICAL
MEDICAL RECORDS REQ LTR.doc
PATIENT APPEAL AUTHORIZATION LTR.doc
LabMD Payment Posting Specialist Duties.doc
Patient Locator Project.doc
Humana patient Doc.doc
Employee Handbbook.doc
Employee Application Benefits .pdf
Employee Time Off Requests2007.doc
insuranceaging_6.05.071.pdf
BCBS HMO POS APPEAL LTR.doc
BCBS PAID PT LTR.doc
Roz's Coverage.doc

Disclosure Date:
3/7/2007, 3/7/2007, 3/7/2007, 3/15/2007, 10/11/2007, 11/10/2007, 11/10/2007, 11/10/2007, 11/10/2007, 11/10/2007, 11/13/2007, 11/13/2007, 11/15/2007, 11/15/2007, 11/29/2007, 2/5/2008, 2/25/2008, 2/25/2008, 2/25/2008

Last Saved by:
labmd, labmd, labmd, labmd, labmd, labmd, labmd, Liz Fair, sbrown, sbrown, sbrown, Administrator, Administrator, Administrator, Administrator, brown, rwoodson, rwoodson, Dan Carmichael, a498584, rwoodson, Administrator, Administrator, rwoodson, sbrown, sbrown, brown, sbrown, sbrown, sbrown, sbrown, rwoodson, rwoodson, rwoodson, rwoodson, rwoodson, rwoodson, rwoodson, rwoodson, rwoodson

One file emanating from this source appears to be a letter from the following individual:

Rosalind Woodson
Billing Manager/LabMD
rwoodson@labmd.org

This individual appears to be employed with and may have utilized the "rwoodson" user identifier as referenced within the metadata of the disclosed documents.

One of the additional files emanating from this source appears to be a Medical Records Request letter from the following individual:

Sandra Brown
Billing Manager/LabMD
(678) 443-2338 "Direct"

This individual appears to be employed with and may have utilized the "sbrown" user identifier as referenced within the metadata of the disclosed documents.

Given these findings, it is possible that Rosalind Woodson or Sandra Brown may have disclosed the documents utilizing a P2P file sharing application from a work or home computer.
It should be noted that the 1,718 page "Insurance Aging" Report (insuranceaging_6.05.071.pdf) was detected being disclosed on P2P file sharing networks on 2/5/2008. A total of 19 files were detected being disclosed on P2P file sharing networks between 3/7/2007 - 2/25/2008 from the IP Address 64.190.82.42.

See Figure 2-1-3 below for a sample of redacted screenshots of the documents emanating from this source.

Figure 2-1-3: [Redacted screenshot of the "Insurance Aging" report for LABMD, INCORPORATED, with report options dated 6/5/2007; the page shown is Page 1718 of 1718.]

Figure 2-1-4: [Redacted screenshot of a letter dated October 19, 2006, "RE: Authorization to Appeal Insurance Denial". Document properties shown: Company: labmd; Last saved by: rwoodson; Revision number: 21; Total editing time: 747 Minutes.]

Figure 2-1-5: [Redacted screenshot of "WEB ACCESS FOR INSURANCE", listing USER NAME and PASSWORD entries for BCBS sites. Document properties shown: Last saved by: sbrown; Revision number: 4; Total editing time: 20 Minutes.]

Figure 2-1-6: [Redacted screenshot of the opening page of the Employee Handbook. Document properties shown: Author: Dan Carmichael; Last saved by: rwoodson; Revision number: 2; Total editing time: 1 Minute.]

Figure 2-1-7: [Redacted screenshot of "Payment Posting Specialist Duties", section "INSURANCE PAYMENT POSTING". Document properties shown: Last saved by: rwoodson; Revision number: 3; Total editing time: 34 Minutes.]

Figure 2-1-8: [Redacted screenshot of a letter dated March 13, 2006, addressed "To Whom It May Concern" and signed by Sandra Brown, Billing Manager. Document properties shown: Author: Administrator; Last saved by: sbrown; Revision number: 4.]

Confidential - For Committee and Staff Use Only TIVERSA-OGR-0017478

Figure 2-1-9: [Redacted screenshot of a letter dated March 23, 2007, addressed "To Whom It May Concern" and signed by Rosalind Woodson, Billing Manager, requesting that claims for an attached list of patients be reprocessed. Document properties shown: Company: labmd; Last saved by: rwoodson; Revision number: 6.]

In addition to the above disclosure source identification and geolocation analysis, Tiversa also performed a file spread analysis to determine if any of the files have spread, and were acquired by any other users of P2P networks. Based on this analysis, Tiversa detected (6) additional IP addresses disclosing one or more of the files originally detected emanating from 64.190.82.42. See Figure 2-2-1 below for a summary table of all IP addresses detected.

Figure 2-2-1:
Source 1*: 64.190.82.42; CYPRESS; US; 19
Source 2: 68.107.85.250; 2/5/2008 - 9/20/2011; COX; SAN DIEGO; 3,302
Source 3: 173.16.83.112; 11/5/2008 - 2/14/2009; MEDIACOM COMMUNICATIONS CORP; CHICAGO, US; 1,832
Source 4: 201.194.118.82; 4/7/2011; SAN JOSE; 33
Source 5: 90.215.200.56; 6/9/2011; LTD; LONDON, ENGLAND, UK; 47
Source 6: 71.59.18.187; 5/5/2010 - 11/7/2012; COMCAST CABLE COMMUNICATIONS INC; 1254
Source 7: 173.16.148.85; CORP; NASHVILLE, TENNESSEE, US; 520

*Indicates original disclosure source IP reported in Incident LABMD0001
**All IP Geolocation information associated with these IP addresses was discovered as of 6/3/2014.

The 6 additional IP addresses were detected in possession of the 1,718 page "Insurance Aging" Report on various dates within the disclosure date ranges referenced above. These 6 IP addresses possess additional files including federal tax returns relating to numerous individuals, credit reports, credit card and bank account statements, passports, usernames and passwords to online accounts, medical payment data, lists of credit card numbers, social security numbers, instructions on how to hack and steal passwords etc. Tiversa classifies these 6 additional IP addresses as Information Concentrators.

Throughout our extensive P2P research, Tiversa continues to see individuals harvesting a large number of files containing confidential and sensitive data. Tiversa calls these individuals "Information Concentrators" and in most cases, they are suspicious in nature. These individuals utilize P2P file sharing networks to search for sensitive and confidential data (i.e. Credit Card Passwords, Account #'s, SSN, PII, Payroll Information, HR, Medical, Financial, IT Information etc). Information Concentrators gather this information and could potentially use it for malicious purposes.

For a complete list of file titles detected in possession of these additional IP addresses, see the excel file titled which is provided along with this report.
Confidential - For Committee and Staff Use Only TIVERSA-OGR-0017480

3. Conclusions/Suggested Actions

In order to contain any further proliferation of these LabMD-related files across the P2P networks, any computers responsible for their disclosure must be identified and then removed from the P2P networks or at a minimum, the related files must be removed from the suspect's machine.

Based on the information reviewed by Tiversa, a suggested course of action is to contact the apparent employees listed within the investigation findings above (Rosalind Woodson and Sandra Brown) reference the disclosed document titles, document content, and the supporting evidence listed above. It is possible that an investigation into these disclosed files and possible sources will allow to determine the disclosure source.

If the disclosure source machine is found, the machine should be reviewed for the presence of file sharing software. An investigation of this machine should indicate that the files found on that machine match the file listing noted in Figure 2-1-2 above. It should be noted that the disclosure source machine may be a home computer, work computer or possibly a laptop.

Additional remediation activities can be discussed with Tiversa once additional investigation steps by have been completed.

Tiversa
606 Liberty Avenue    (724) 940-9030 office
Pittsburgh, PA 15222    (724) 940-9033 fax
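The attribution in section 2.1 of the report rests on document properties (Company, Author, Last saved by, Revision number, Total editing time). The Python below is an added example, not part of the report or of Tiversa's tooling: it reads those properties and tallies recurring identifiers across a set of files, which is also how an organization can audit what its own documents reveal. It assumes OOXML files (.docx/.xlsx), whereas most files named in the report are legacy .doc; the file names and values in SAMPLES are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
MAX_PART = 1 << 20  # larger property parts are skipped (zip-bomb guard)

def _part(zf, name):
    if name not in zf.namelist() or zf.getinfo(name).file_size > MAX_PART:
        return None
    return ET.fromstring(zf.read(name))

def _text(root, path):
    node = root.find(path, NS) if root is not None else None
    return node.text.strip() if node is not None and node.text else None

def read_properties(data):
    """Properties of one OOXML file (bytes) that can identify who edited it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core, app = _part(zf, "docProps/core.xml"), _part(zf, "docProps/app.xml")
    pairs = (("author", core, "dc:creator"), ("last_saved_by", core, "cp:lastModifiedBy"),
             ("revision", core, "cp:revision"), ("company", app, "ep:Company"),
             ("editing_minutes", app, "ep:TotalTime"))
    return {key: _text(root, path) for key, root, path in pairs}

def tally_identifiers(documents):
    """Count recurring (field, value) pairs across a set of files, case-insensitively."""
    counts = Counter()
    for props in map(read_properties, documents.values()):
        for field in ("company", "author", "last_saved_by"):
            if props[field]:
                counts[(field, props[field].lower())] += 1
    return counts

def build_sample(author=None, saved_by=None, company=None):
    """Constructed test file: a zip holding a stub body and, optionally, property parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w/>")
        if author is not None:
            zf.writestr("docProps/core.xml",
                f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}"><dc:creator>{author}</dc:creator>'
                f"<cp:lastModifiedBy>{saved_by}</cp:lastModifiedBy><cp:revision>4</cp:revision></cp:coreProperties>")
            zf.writestr("docProps/app.xml",
                f'<Properties xmlns="{NS["ep"]}"><Company>{company}</Company><TotalTime>20</TotalTime></Properties>')
    return buf.getvalue()

SAMPLES = {  # constructed names and values, not taken from the report
    "letter_a.docx": build_sample("Administrator", "user_one", "examplelab"),
    "letter_b.docx": build_sample("Administrator", "User_One", "examplelab"),
    "handbook.docx": build_sample("user_two", "user_one", "examplelab"),
    "scrubbed.docx": build_sample(),  # properties removed before release
}
```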