BOSTON (Reuters) - The U.S. Food and Drug Administration is under pressure from the pharmaceutical industry and lawmakers to undergo an independent security audit, after hackers broke into a computer system used by healthcare companies to submit information to the agency.
Drug companies fear the cyber thieves may have accessed corporate secrets that are on file with the agency, such as data about drug manufacturing, clinical trials, marketing plans and other proprietary information.
While some lawmakers charge that the hackers breached the FDA’s gateway, compromising confidential business data, the agency argues that the access was limited.
The breach came to light last month when the FDA sent letters to users of an online system at the Center for Biologics Evaluation and Research. The letters said the breach was detected by the FDA on October 15 and that it resulted in the theft of usernames, phone numbers, email addresses and passwords.
The U.S. House of Representatives Energy and Commerce Committee launched an investigation, and last week four senior Republican members of that committee sent a letter to FDA Commissioner Margaret Hamburg asking her to immediately launch a third-party audit that would “assess and ensure the adequacy of FDA’s corrective actions” following the breach.
Washington-based pharmaceutical industry trade group PhRMA said on Tuesday that it supported the committee’s request for an independent audit.
“It is the legal obligation of the Food and Drug Administration to protect companies’ trade secrets and confidential commercial information,” PhRMA Vice President Sascha Haverfield said in a statement. The group’s members include Amgen Inc, Daiichi Sankyo, GlaxoSmithKline, Johnson & Johnson, Merck & Co and Novartis AG.
The FDA’s breach notification letter, which was published in pharmaceutical trade publications, referred to the compromised system as an “online submission system” at the Center for Biologics Evaluation and Research.
That alarmed drugmakers, which provide the FDA with highly sensitive data - which would be priceless to a competitor - when they submit applications seeking approval for new drugs, biologics and medical devices.
In their letter to the FDA, the Energy and Commerce Committee members charged that the attackers had breached the “FDA’s gateway system,” compromising confidential business information along with sensitive data about patients enrolled in clinical trials.
FDA spokeswoman Jennifer Rodriguez said that was wrong.
“The system that was attacked maintains account information for the Biologic Product Deviation Reporting System, the Electronic Blood Establishment Registration System and the Human Cell and Tissue Establishment Registration System,” she said.
“This system is not used to submit any applications. It is not the electronic gateway that was breached,” she added.
She also said that the agency was not aware of any attempts to use stolen information for “criminal or other inappropriate purposes.”
Rodriguez declined to comment on the requests for an outside audit or say whether the breach had affected more than the 14,000 accounts disclosed to date.
Tracy Cooley, a spokeswoman for the Biotechnology Industry Organization, another healthcare industry trade group, said her organization also had concerns about the breach.
“We support Congress investigating this situation,” she said.
Reporting by Jim Finkle; Editing by Richard Valdmanis and Tim Dobbyn