HHS, NIH say they were not impacted by Deloitte breach

Representatives from the Department of Health and Human Services and the National Institutes of Health told FierceHealthcare agency data was not impacted by the Deloitte data breach.

On Tuesday, the Guardian reported that four U.S. government agencies had material on a Deloitte server containing emails of 350 clients that was the target of a cyberattack. Citing sources familiar with the attack, the news outlet reported that NIH was one of the clients with material that was made vulnerable by the hack.

RELATED: OIG to take a look at fed's cybersecurity preparedness

The Guardian also reported that hackers potentially had access to usernames, passwords, IP addresses and health information. Reports of the data breach surfaced on Sept. 25, and the global accountancy and consultancy firm initially told the Guardian that “very few” clients were affected.

The company stood by that position on Tuesday, telling the Guardian that “the number of email messages targeted by the attacker was a small fraction of those stored on the platform.”

However, sources told the outlet that the hacker “accessed the entire email database” and had “free rein in the network for a long time and nobody knows the amount of data that was taken.”

Spokespeople at both HHS and NIH told FierceHealthcare that the agencies were not impacted by the incident.

Deloitte provides significant support to HHS and NIH, often in the form of IT services. According to USspending.gov, in FY 2017, HHS awarded more than $268 million in contracts with Deloitte. That includes $84 million to provide support to NIH, most of which went to computer systems design services.