Committee Leaders Launch Investigation Into Recent FDA Cyber Breach

December 9, 2013

Leaders Also Request Government Watchdog Examine Effectiveness of Key Cyber Security Controls Utilized By Top HHS Agencies

WASHINGTON, DC – In the ongoing effort to protect Americans’ sensitive personal information online, House Energy and Commerce Committee leaders are seeking answers on a recent cyber breach at the Food and Drug Administration (FDA) as well as a review of cyber security at the Department of Health and Human Services (HHS). The leaders are seeking answers and information from the FDA regarding a recent breach of an online submission system. The leaders have also requested the Government Accountability Office review the effectiveness of current cyber security systems at all key HHS agencies.

In the letter to FDA Commissioner Margaret Hamburg, M.D., the leaders write, “According to information FDA provided to the media, on October 15, 2013, FDA’s online submission system, the electronic submissions gateway historically managed by the Center of Biologics Research and Evaluation (CBER), was breached by an unauthorized user. … The security breach exposed details, phone numbers, email addresses and passwords of 14,000 accounts, around 5,000 of which are active.” The letter requests documents and communication pertaining to the October 15 incident. Additionally, the letter reads, “To restore public confidence in the FDA’s information security, we request that you immediately obtain a third-party audit from a qualified expert to assess and ensure the adequacy of FDA’s corrective actions taken in response to this incident.” A response is requested by December 23, 2013.

The letter to the FDA was signed by full committee Chairman Fred Upton (R-MI), Vice Chairman Marsha Blackburn (R-TN), Chairman Emeritus Joe Barton (R-TX), Oversight and Investigations Subcommittee Chairman Tim Murphy (R-PA), and subcommittee Vice Chairman Michael C. Burgess, M.D. (R-TX). Read the complete letter online here.

In a separate letter to Comptroller General of the United States Gene Dodaro, committee leaders “request that the Government Accountability Office (GAO) examine the information security controls over key computer networks at HHS agencies – CMS, FDA, CDC, and NIH – and assess their effectiveness in protecting the confidentiality, integrity, and availability of each agency’s information and information systems.” The letter explains that “HHS is responsible for almost a quarter of all federal outlays, and it administers more grant dollars than all other federal agencies combined. … HHS and its component agencies also collect, process, and maintain highly sensitive information including proprietary business information, medical records, and personally identifiable information.” The leaders request that GAO prioritize the review, beginning with CMS-related information.

The letter to GAO was signed by Upton, Murphy, and Health Subcommittee Chairman Joe Pitts (R-PA). Read the complete letter online here.

###