House committee seeks information about controversy surrounding HHS cybersecurity center

Approximately six months after the Department of Health and Human Services officials outlined plans to open a new cybersecurity communications center, those efforts appear to be at a standstill. 

Members of the House Energy and Commerce Committee have asked HHS to explain the operational status of the new Healthcare Cybersecurity Communications Integration Center (HCCIC) after the agency reassigned two cybersecurity officials tasked with leading the new effort amid concerns about misconduct.

In the letter addressed to Acting Secretary Eric Hagen, Reps. Greg Walden, R-Ore., Frank Pallone Jr., D-N.J., and Diana DeGette, D-Colo., specifically requested more information about why Margaret Amato, who served as the director of HCCIC, and Leo Scanlon, the deputy chief information security officer and the designated senior advisor for public health sector cybersecurity at HHS, were “temporarily detailed to unclassified duties” on Sept. 6.

Doing so has “effectively removed the HCCIC’s leadership and suspended its activities,” according to the letter.

RELATED: HHS prepares to unveil cybersecurity communications center by the end of the month

On Tuesday, Politico reported HHS was reviewing a series of anonymous letters alleging Scanlon and Amato had received free dinners, tours of California wineries and hot air balloon ride from contractors. The agency is looking specifically into a no-bid contract with a startup called Akiva. Scanlon and Amato denied any wrongdoing.

Instead, the pair believes HHS officials retaliated against them for bringing their concerns to lawmakers. According to the committee members, Amato claims HHS “shuffled” her to two other positions and threatened to cancel preapproved leave after she and Scanlon sent the Energy and Commerce Committee a protected disclosure. The lawmakers said they are still in the “preliminary stage” of investigating the claims, but are operating on a “working assumption that the allegations appear credible.”

RELATED: ICIT hails new HHS cybersecurity communications center as a ‘quantum leap forward’

HCCIC was supposed to be a new effort by HHS to relay information about cyberthreats to the healthcare industry. In a hearing earlier this year before the Energy and Commerce Subcommittee on Oversight and Investigations, Scanlon said HCCIC played a critical role in weathering May’s WannaCry attack and that the center would be fully operational by the end of June. But the new center got some pushback from HITRUST CEO Daniel Nutkis, who said the HCCIC was duplicating efforts by the Department of Homeland Security.

The committee leaders have asked HHS to explain why Amato and Scanlon were reassigned, the nature of the agency’s investigation into alleged misconduct and the status of HCCIC reorganization. Given Scanlon’s temporary detail, the lawmakers also want to know who is overseeing cybersecurity at HHS.