IG Report: NIH Failed to Protect Privacy, Security in Health Data Study
The National Institutes of Health failed to properly oversee privacy and cybersecurity protections for a research program involving health data of more than 1 million participants, the inspector general's office for the Department of Health and Human Services Office said in a report released Friday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The IG examined NIH’s All of Us research program, a health study with the goal of delivering “better health for all of us.” The IG found that NIH failed to ensure the unnamed program awardee “limited the access of authorized data users to program data in accordance with program policies.”
NIH didn’t “communicate national security concerns associated with maintaining genomic data to the DRC award recipient to enable it to choose the appropriate security and privacy cybersecurity controls for its information systems,” the report added.
The IG recommended NIH require the awardee to implement updated access controls; implement new controls to prevent downloading of detailed participant data; and formally communicate national security concerns associated with maintaining genomic data.