Inspector General Confirms Investigation into HHS Cyber Center

The Health and Human Services Department’s inspector general has indeed launched an investigation into the department’s fledgling cyber operations center, a spokeswoman confirmed to Nextgov Wednesday.  

The office declined to provide any other details about the investigation into the Healthcare Cybersecurity and Communications Integration Center, or HCCIC, except to say that it “is/was ongoing.”

The HCCIC controversy began in September when center Director Maggie Amato and department Deputy Chief Information Security Officer Leo Scanlon were abruptly reassigned following a letter to a Senate oversight committee alleging the pair had accepted inappropriate gifts from cybersecurity companies that later won multi-million dollar contracts with the agency.

Since that time, Amato has resigned and Scanlon has spent months on involuntary leave.

In a letter from their attorney to Health and Human Services Secretary Alex Azar earlier this month, Scanlon and Amato said they were told by the inspector general’s office that they were not under investigation. The attorney, Chuck McCullough, later told Nextgov that the inspector general’s office interviewed the pair in connection with complaints they’d raised about their reassignments.

Scanlon did not immediately respond to a request for comment about the inspector general’s office confirming an investigation.

The inspector general said via email that: “The OIG has a general practice of neither confirming nor denying the existence of an investigation being conducted by our office. However, because information has come to light that suggests that the OIG was conducting an investigation involving the Healthcare Cybersecurity and Communications Integration Center (HCCIC), we are willing to acknowledge that an OIG investigation involving HCCIC is/was ongoing.”

Typically, inspector general offices do not speak about investigations until they’re complete. Even then, they sometimes issue public reports in redacted form, especially when they involve personnel issues.

Health and Human Services Chief Information Security Officer Chris Wlaschin, who has been overseeing the HCCIC since Scanlon and Amato’s reassignments, has announced his resignation at the end of this month. He will be replaced by Janet Vogel, a longtime federal IT official who is currently deputy chief information officer for the Centers for Medicare and Medicaid Services.

Wlaschin had said he is departing for family reasons entirely separate from the HCCIC scandal. He later attributed his departure to an illness in the family.  

Some industry officials and lawmakers have complained that the HCCIC, which shares cyber threat information between government and the healthcare sector, effectively duplicates work that was already being done by the Homeland Security Department and the healthcare industry.

HCCIC defenders say the center ensures that smaller and medium-sized hospitals and healthcare companies receive cyber threat alerts that might only go to their larger peers if the free market was left in charge.

The center also tailors general government alerts sent out by the Homeland Security Department so they’re meaningful to the healthcare sector.

The House Energy and Commerce Committee is also investigating issues concerning the HCCIC, but has declined to provide details of that investigation.