HHS is Shopping For Cellphone Hacking Tools

The investigative watchdog housed within the Health and Human Services Department is looking to acquire cellphone hacking tools.

The HHS Office of the Inspector General issued a solicitation Monday on FedBizOpps consisting of a single line urging companies that have “equipment or services” capable of cellphone access and data extrication to email the office for more information. Due to the sensitive nature of the procurement, contracting officers declined to share the bid documents or the scope of the services being requested.

“The Health and Human Services Office of Inspector General leverages state-of-the-art tools and technology to assist its investigators as they conduct criminal, civil and administrative investigations of fraud and misconduct related to HHS programs, operations and beneficiaries,” OIG Deputy Director of Communications Erika Yepsen told Nextgov. “This solicitation seeks to ensure our personnel have the needed tools to protect the integrity of HHS programs.”

As the largest inspector general office in the federal government, the HHS OIG has a broad mission, including oversight of agency programs, as well as investigations into fraud and abuse from outside partners and beneficiaries. The office’s biggest focus is on Medicare and Medicaid fraud, which it investigates with powers and techniques akin—and often in conjunction with—the FBI.

“They are a full-on, total investigative organization with a lot of authority, huge responsibility and real big problems that they deal with,” an official familiar with Health and Human Services’ IT and cybersecurity issues told Nextgov, though they declined to be identified as they are not associated with this office or procurement. “They’d have the same kind of use for that technology as the FBI or someone out of a U.S. Attorney’s office would. That’s the kind of stuff they deal with.”

It is unlikely these tools would be used for cracking employee phones, the source said, as HHS components should already have backdoor access to the equipment they provide to the workforce. If OIG officials were seeking to hack into an employee’s personal phone, that would require additional levels of due process, including a warrant.

Rather, these tools are likely being used as part of an investigation into multimillion-dollar frauds and serious organized crime related to health benefits.

“I can certainly imagine some appropriate uses, given the breadth of investigatory work that OIG is engaged in,” said Frank Baitman, senior adviser at Deque Systems and former HHS chief information officer. Without any direct knowledge outside of the FBO post, Baitman offered three such examples where access to a phone could aid an investigation:

• Medicare fraud cases could very well involve chat messages between and among co-conspirators—whether doctors, medical device suppliers, etc.
• The department’s regulatory mission—especially at the Food and Drug Administration—involves very sensitive, proprietary information. It's important that this information be managed and protected to develop confidence among industry partners.
• HHS is largely a grant-making agency, and an investigation of fraud in the use of grants could also benefit from seeing recipients' exchanges.

“There are no doubt areas that such a tool would make me uncomfortable, such as unlocking employee phones,” Baitman added. “That's not to say there aren't situations where employees should be investigated, but there needs to be a reasonable and explicit expectation of misdeeds to look on someone's phone.”