FDA Breach Raises Lawmakers' HacklesHouse Panel Issues Terse Letter Regarding October Hack
Lawmakers have raised concerns that the Food and Drug Administration hasn't been as forthright as it should in disclosing an October breach that exposed personally identifiable information of 12,000 to 14,000 individuals.
In a terse letter to FDA Commissioner Margaret Hamburg dated Dec. 9, the Republican leaders of the House Committee on Energy and Commerce expressed concerns about the lack of details provided about the breach.
"It is very troubling that such a security breach could have occurred, particularly given the resources invested," the letter states, making a reference to the 12 percent of the FDA budget appropriated for information technology. It was signed by Committee Chairman Fred Upton of Michigan, Chairman Emeritus Joe Barton of Texas, Vice Chairwoman Marsha Blackburn of Tennessee, Subcommittee on Oversight and Investigations Chairman Tim Murphy of Pennsylvania and Subcommittee Vice Chairman Michael Burgess of Texas.
FDA Deputy Director Erica Jefferson, in response to questions submitted by Information Security Media Group, says the agency is working on a response to the committee.
On Oct. 15, Jefferson says, the FDA staff detected unauthorized network access to the Center for Biologics Evaluation and Research's online submission system, which maintains the account information for the Biologic Product Deviation Reporting System, the Electronic Blood Establishment Registration System and the Human Cell and Tissue Establishment Registration System.
The breached system contained all medical product information for the FDA, according to the committee's letter to Hamburg. Jefferson says the agency is unaware of any attempt to use account information for criminal or other inappropriate purposes.
The FDA deputy director says hackers accessed the information of some 12,000 current and past users. "The agency has been able to confirm that no system data have been altered," Jefferson says. "As a precaution, FDA disabled the systems, immediately implemented corrective security measures and administered password resets for approximately 5,000 active user accounts."
The letter, which the lawmakers say is in response to information the FDA provided to the media on Nov. 8, says hackers breached 14,000 - not 12,000 - active and inactive accounts. The FDA advised the 5,000 active users on Oct. 18 to change their passwords and monitor their credit reports in case hackers stole their identities.
Was PII Encrypted?
"The nature of FDA's notification to active account holders - for example, advising the change of passwords - suggests the FDA may not have encrypted passwords and other information," the letter says.
Jefferson did not answer a question whether the exposed personally identifiable information was encrypted, saying the FDA would first provide the answer to the committee. "We need to respond to them first and directly," she says. "We intend to do so."
The letter says the FDA failed to notify business partners about the breach until 5:30 p.m. on Nov. 8, a late Friday afternoon leading to the three-day Veterans Day weekend, about the same time the FDA made the announcement of the security breach, according to the letter.
"The security breach of FDA's gateway system not only compromised the security of personal identifiable information, but also compromised the protection of confidential business information and medical privacy information of patients enrolled in clinical trials," the panel's letter says.
The Energy and Commerce Committee requested the FDA provide by Dec. 23 information to identify current or former contractors that may have knowledge of the breach and details on the nature of information stolen, notification of affected parties and corrective actions taken. The commission also seeks a list of security control assessments of the electronic submissions gateway since January 2010, explanations on how the breach occurred and documents related to the breach.
Committee members also called on the FDA to obtain a third-party audit to ensure the adequacy of FDA's corrective actions "restore public confidence in the FDA's information security."
In a separate letter to Comptroller General Gene Dodaro, who heads the Government Accountability Office, committee leaders requested the GAO examine the information security controls for key networks at Department of Health and Human Services agencies, including the FDA, the Centers for Medicare and Medicaid Services, the Centers for Disease Control and Prevention and the National Institute of Health.
"In light of the number of agencies involved, we ask that you work with staff to prioritize the work, beginning with an examination of CMS-related information security programs," the letter says, citing the agency that oversees the administration of the Affordable Care Act, known as Obamacare (see HealthCare.gov: How Secure Is It Now?).