House Oversight and Government Reform Committee Chairman Darrell Issa and Senate Judiciary Committee Ranking Member Chuck Grassley released a joint report on the program initiated in April 2010, which they described in a press release as a “highly-invasive surveillance program that monitored employees who contacted Congress and the media with concerns about FDA’s medical device approval process.”
The FDA violated the Privacy Act of 1974 and disclosed records collected in their surveillance operation to agency and non-agency employees who had “no need to review the records.” A US Department of Health and Human Services (HHS) contractor, Quality Associates, Inc, obtained 80,000 pages of documents “associated with FDA employee monitoring” and, in May 2012, posted them on a public Internet site. The records included “confidential and proprietary FDA documents, as well as confidential communications between FDA employees and Congress, the Office of Special Counsel (OSC) and personal attorneys.”
Both the FDA and HHS never took responsibility for the gross violation of privacy that occurred in this mishandling of records.
Scientists working for the Center for Devices and Radiological Health (CDCR) were concerned that warnings regarding “potential health hazards” stemming from FDA-approved medical devices were being ignored.
The surveillance operation was initiated when an outside counsel for GE Healthcare expressed concern over an alleged “violation of confidentiality” when the New York Times published a story on March 28, 2010, on FDA’s approval process for medical devices and requested an “internal investigation into how this information was leaked to the press.”
At the request of a corporation, General Electric, the FDA subsequently began to engage in “real-time monitoring” of employees.
On April 22, 2010, they targeted Dr. Robert Smith, who believed warnings related to medical devices were being ignored. The agency began to monitor the FDA-issued computer of Paul Hardy on May 24. The surveillance operation further expanded on June 30, to include three additional scientists.
Using a computer monitoring software program called Spector 360, the FDA logged keystrokes, captured passwords and confidential information and recorded activity remotely in the event that a laptop being monitored was not directly connected to the FDA network. Screen shots of each computer were taken “every five seconds and logged all keystrokes on the keyboards.”
“CDRH officials,” according to the report, “reviewed the information gathered through the monitoring using encrypted flash drives. Information on the encrypted flash drives included private, non-official communications, including Gmail and Yahoo! Mail messages. Transmitted information also contained communications with Congress, confidential attorney-client communications, and confidential complaints filed with the OIG and OSC.”
As explained in the report:
Chickasaw Nation Industries Information Technology led the surveillance operation directed at whistleblowers. The contractors involved in surveillance were never concerned about the collection of communications with members of Congress.…Spector 360 user activity monitoring software is readily available for both home and business use. The software “monitors, captures, and analyzes ALL user and user group activity including: e-mail sent and received, chat/IM/BBM, websites visited, applications/programs accessed, web searches, phone calls, file transfers, and data printed or saved to removal devices.” FDA employees received no notice that this specialized software with such extensive monitoring capability was being installed on their computers. Moreover, the FDA did not routinely subject all of its employees to such intense scrutiny…
…The Spector 360 software does not distinguish or filter out any information, such as protected communications with Congress, communications covered by attorney-client privilege, or communications that might otherwise be protected by law, such as confidential submissions to the Office of Special Counsel. Moreover, those collecting and forwarding the information did not have any training or instruction in minimizing the collection of privileged communications….
Contractors thought they could collect privileged communications:
The FDA requested that the inspector general for HHS investigate alleged disclosures multiple times. The OIG declined the requests, “noting that contacts with the media and Congress were lawful and no evidence of criminal conduct existed.”
The Justice Department was also contacted in November 2010. It, too, declined to pursue a criminal investigation.
Nonetheless, in 2010, as the FDA was floundering in its quest to convince some agency or department to treat alleged disclosures by employees as a crime, the surveillance continued.
While the FDA conducted the surveillance under the pretext that prohibited disclosures of information had occurred, stunningly (and perhaps tellingly), there was no “retrospective inquiry into any of the scientists’ network activities to understand who may have accessed the memoranda that were leaked to the press.”
“The FDA managers and IT professionals interviewed failed to explain clearly how the rationale offered to justify the monitoring was consistent with the method used,” the report stated. “There appeared to be confusion about the distinction between retrospective identification of individuals who already accessed certain documentation that was featured in the New York Times articles and real-time monitoring going forward once the internal inquiry began.”
The report also makes clear that the FDA never even accomplished its goal of figuring out who was responsible for the suspected leaks.
“In an effort to be thorough,” FDA officials “reviewed” Dr. Smith’s “FDA-issued computer once he left the agency following the expiration of his contract but found no evidence of disclosures of confidential information to the media.”
“FDA management went to unprecedented lengths in order to determine who was leaking confidential information to the press. Yet, they failed to find proof of leaks to the press. In fact, the only information FDA officials uncovered on one of the five FDA scientists monitored, Paul Hardy, was information disclosed to Congress—a protected form of communication.”
Whistleblowers targeted by the unlawful surveillance operation filed a lawsuit on January 15, 2012, which alleged the FDA had violated their First, Fourth and Fifth Amendment rights. A House Oversight & Government Reform hearing was held on February 6, but the hearing was not broadcast by CSPAN. It was impossible for anyone to hear officials who bear responsibility for this scandal answer questions as members of Congress confronted them over the FDA’s criminal conduct.
In conclusion, this statement in the report could not be more significant, “Whistleblower disclosures are protected by law, even if they are ultimately unsubstantiated, so long as the disclosure was made in good faith.”
Whether what the scientists were saying was true or not, it is irrelevant. The FDA’s effort on behalf of General Electric violated the privacy of employees and targeted individuals alleged to have had communications with the press and Congress, which were protected by law.