Assurance in the FDA’s online submission system
Corrective actions and more detail on the circumstances of the security breach are being requested, on the grounds that the FDA's 12% budget allocation to information technology is not adequately protecting the private data of citizens and businesses.
According to information FDA provided to the media, on October 15, 2013, FDA's
online submission system, the electronic submissions gateway historically managed by the
Center for Biologics Research and Evaluation (CBER), was breached by an unauthorized user.
While the online submission system is managed by CBER, its reach is much broader than that
division and includes all medical product information for FDA, including information for drug
and medical device products. In addition, the gateway supports receipt of Adverse Event
Reporting System (AERS) reports and attachments. The security breach exposed the names,
details, phone numbers, email addresses and passwords of 14,000 accounts, around 5,000 of
which are active. The FDA advised the 5,000 active users on October 18, 2013 to change their
passwords and keep an eye on their credit reports in case the hackers have stolen their identity.
However, the FDA did not notify members of industry about the breach until approximately 5:30 p.m. on November 8, 2013 (late Friday afternoon leading into the Veterans Day weekend), about the same time that FDA made the announcement about the security breach. The security breach of FDA's gateway system not only compromised the security of personal identifiable information, but also compromised the protection of confidential business information and medical privacy information of patients enrolled in clinical trials. The nature of FDA's notification to active account holders - for example, advising the change of passwords - suggests that FDA may not have encrypted passwords and other information….
…To restore public confidence in the FDA’s information security, we request that you immediately obtain a third-party audit from a qualified expert to assess and ensure the adequacy of FDA’s corrective actions taken in response to this incident.
- Letter to the FDA Commissioner from the House Energy and Commerce Committee