Two former cybersecurity officials at the Department of Health and Human Services (HHS) are questioning the agency’s actions that led them to be abruptly reassigned in September, a move that has derailed a cyberthreat sharing initiative.
Leo Scanlon, who served as the HHS Deputy Cybersecurity Information Officer and Maggie Amato, who was tasked with directing the Healthcare Cybersecurity Communications and Integration Center (HCCIC), were reassigned by Chief Information Security Office Chris Wlaschin in September after an anonymous letter accused the pair of accepting “special treatment, gifts and privileges” from cybersecurity vendors vying for government contracts.
According to Scanlon, he and Amato were told by HHS officials, including CIO Beth Killoran, they were under investigation by the Office of Inspector General (OIG) regarding the allegations.
But months later, Scanlon says there never was an investigation. He told FierceHealthcare there is “no legitimate basis for the reassignment of me or Amato.”
“Wlaschin took his actions without recommendations from any investigative entity, and in fact, without any investigation being underway at all,” he says.
RELATED: House committee seeks information about controversy surrounding HHS cybersecurity center
Amato has since resigned following “increasingly hostile and retaliatory acts,” according to a letter (PDF) her attorney, Charles McCullough III, a partner at Tully Rinckey PLLC, sent to the agency. The letter also noted that senior OIG investigators told Amato and Scanlon that they were never under investigation.
In a statement FierceHealthcare, OIG spokesperson Tesia Williams said she was “unable to confirm or deny an investigation into Scanlon or Amato.”
With Scanlon on administrative leave for more than 150 days, he and Amato are demanding answers. Both were interviewed by the Whistleblower Unit at OIG after filing reprisal complaints in September. While emails between Wlaschin and Scanlon show some disagreement about how HCCIC should be structured within HHS, it's still unclear why he was so adamant about removing the pair from their positions.
HHS did not immediately return a request for comment.
RELATED: ICIT hails new HHS cybersecurity communications center as a ‘quantum leap forward’
"It is our understanding that [OIG] takes whistleblower reprisal very seriously, and that they are actively looking into the allegations of retaliation made by Mr. Scanlon and Ms. Amato,” McCullough said in a statement to FierceHeatlhcare. “We fully expect the truth to come out soon.”
FedScoop reported earlier this month that Wlaschin is leaving the agency at the end of March for personal reasons. According to Nextgov, Medicare and Medicaid CIO Janet Vogel will rotate into the position in April.
“During the month of April, CMS Deputy Chief Information Officer (CIO), Janet Vogel, will detail from CMS into the role of Chief Information Security Officer (CISO) at HHS," an HHS spokesperson told FierceHealthcare. "Janet brings thirty years of federal experience to the position with the last 16 years at CMS. Her broad spectrum of skills in information technology, information security, organizational change, acquisition, and risk mitigation will be key to transforming and expanding HHS’ cyber programs into the healthcare sector.”
The HCCIC, meanwhile, which was created to provide a threat-sharing mechanism for the industry, has been “derailed,” Scanlon says.
“Mr. Wlaschin’s resignation in the face of these revelations, whatever his personal reasons may be, marks the sad end to a brief tenure whose legacy is a catastrophe that could have been avoided,” he says. “This is a tragedy for the sector and the nation.”