HHS cybersecurity official relegated to telework position after 7-month suspension

hhs
After being placed on administrative leave for nearly seven months, Deputy CISO Leo Scanlon returns to HHS in a watered down role. (Sarah Stierch/CC BY 4.0)

A top cybersecurity official has been reappointed to the Department of Health and Human Services (HHS) after being placed on paid administrative leave since October.

Leo Scanlon, one of two HHS cybersecurity officials initially reassigned in September amid an investigation over alleged ethics violations, is returning to the agency as a supervisory IT specialist with the Office of the Chief Information Officer (OCIO), according to an internal memo obtained by FierceHealthcare. Scanlon was subsequently placed on administrative leave on Oct. 19. 

In a position that is exclusively telework, Scanlon will be responsible for providing the agency with “individualized summary, analysis and recommendations on upcoming and pending Congressional legislation, White House policies and executive orders” that impact the CIO office. 

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.

Scanlon will report directly to Karl Alvarez, the executive officer of the OCIO, but he is barred from interacting with current or former OCIO staff. He is also barred from entering the OCIO offices and from attending any leadership meetings.

“If you try to enter any DHHS facility without securing the appropriate authorization, the guards will be instructed to remove you from the premises,” the memo states.

Because he "will not require any work with classified, nonpublic, or sensitive data," Scanlon's security clearance has not been reinstated. 

An HHS spokesperson said as a "matter of policy" the agency does not discuss personnel matters. 

RELATED: Ousted HHS cybersecurity leaders demand answers about last year's sudden removal

The assignment is “light duty,” according to one person with knowledge of the reassignment. But HHS has not permanently reassigned Scanlon from his previous position as Deputy Cybersecurity Information Officer, meaning that is still technically his title, but without any access. 

“Sooner or later, some adult will have to step up to straighten things out,” the person told FierceHealthcare, adding, that HHS CIO Beth Killoran "has no good moves."

"Whatever she does only deepens the pit she dug," the person said.

Scanlon’s reassignment dates back to September of last year, when HHS officials received an anonymous letter accusing Scanlon and former director of the Healthcare Cybersecurity Communications and Integration Center (HCCIC) Maggie Amato of accepting “special treatment, gifts and privileges” from cybersecurity vendors.

Scanlon and Amato were told they were being investigated by the Office of the Inspector General (OIG), but in a letter sent to HHS in March, an attorney representing the pair said senior OIG investigators told them they were never under investigation.

Former CISO Christopher Wlaschin, who reassigned the pair in September, resigned from his position in March for personal reasons and took a job in the private sector. Centers for Medicare & Medicaid Services (CMS) CIO Janet Vogel was named as Wlaschin's replacement.

The OIG has said it is currently investigating HCCIC but has provided no further details. The House Energy and Commerce Committee is also investigating the HHS’s reassignment of Scanlon and Amato. In November, lawmakers asked HHS to explain the operational status of the HCCIC and what prompted the staff reassignments.

Editor's Note: This story has been updated to include comment from HHS.