Cyberextortion by US gov, or simple P2P security lapse by medical firm?

Company X leaks data. Company Y finds data. Y shills for security work. X refuses. Y tells the FTC. FTC asks X to explain. X says Y is unobjective. FTC asks X to explain, no ifs and buts. X writes a book about it. Paul Ducklin takes a look at the saga…
Naked Security – Sophos