GAO: HHS Yet to Implement 82 Cybersecurity and IT Management Recommendations

The U.S. Government Accountability Office has written to Clark Minor, Chief Information Officer (CIO) of the U.S. Department of Health and Human Services, advising him about the current open cybersecurity and IT management recommendations that require his attention.

GAO is a non-partisan agency that works for Congress, supporting it in meeting its constitutional responsibilities and helping to improve the performance and accountability of the federal government. GAO makes recommendations for improving the government’s performance in IT and related IT management functions, including recommendations for HHS, yet many of those recommendations have yet to be implemented. In the letter, GAO explained that HHS currently has 82 open recommendations involving high-risk cybersecurity and IT management issues.

GAO made the recommendations over several years, each relating to one of two GAO High-Risk areas: Ensuring the Cybersecurity of the Nation or Improving IT Acquisitions and Management. Of the 82 recommendations, at least 37 are considered sensitive, and one has been designated a priority recommendation. GAO explained in the letter that, to help ensure the cybersecurity of the nation, HHS needs to take additional steps to secure the records and information systems it uses to carry out its mission.

GAO had recommended that HHS establish a reasonable time frame for when it will be able to digitally accept access and consent forms from properly identity-proofed and authenticated individuals and post those forms on the department’s privacy program website. GAO has warned that until the recommendation is implemented, the HHS will not be able to adequately protect records from improper disclosure.

HHS’ Office for Civil Rights investigations into potential HIPAA violations have resulted in financial penalties for organizations that failed to maintain logs of activity in information systems containing ePHI, yet HHS has not fully implemented effective event logging on its own systems, as directed by the Office of Management and Budget. “Until HHS implements this recommendation, there is increased risk that the department will not have complete information from logs on its systems to detect, investigate, and remediate cyber threats,” warned GAO. HHS has also not yet implemented the recommendation that it improve its incident response guidance, implementation, and oversight.

In the Improving IT Acquisitions and Management category, GAO has recommended that HHS improve its management and tracking of IT resources. For instance, HHS had previously provided a revised time frame for completing its inventory of covered Internet of Things (IoT) devices, but has still not completed the inventory. GAO warned that an enormous array of disparate devices may be considered part of the IoT, and those devices connect to HHS information systems. Until HHS has a complete inventory, it lacks visibility into the IoT devices within its environment, which hampers its ability to mitigate IoT cybersecurity risks.

HHS has made little progress in developing a work plan that includes specific actions to show progress in developing a public health situational awareness and biosurveillance network. Doing so would help to ensure that HHS has comprehensive capabilities for a rapid and efficient response to an infectious disease outbreak. GAO also stressed to the HHS CIO that there are outstanding recommendations from the HHS Office of Inspector General in the areas of cybersecurity and IT acquisitions and management, including requirements under the Federal Information Security Modernization Act of 2014, which must also be resolved.

Minor only joined HHS in February and has served as CIO since May 2025. HHS said that in that short time, Minor has made steady progress toward ensuring the highest level of security and performance across its systems.

The post GAO: HHS Yet to Implement 82 Cybersecurity and IT Management Recommendations appeared first on The HIPAA Journal.

Alphabet’s Verily Sued by Former Executive Over Alleged HIPAA Breaches

A lawsuit has been filed against Alphabet-owned Verily by a former employee who alleges that the personally identifiable health information of more than 25,000 patients was misused, and the company failed to report the HIPAA breaches, as required by the Health Insurance Portability and Accountability Act (HIPAA).

Verily, formerly Google Life Sciences, is a research organization owned by Google’s parent company, Alphabet. The Verily platform drives AI-powered precision health solutions that help pharmaceutical firms bring new therapies to market sooner and health systems and payers improve patient outcomes at a lower cost. The lawsuit alleges that an internal investigation confirmed HIPAA breaches involving HIPAA-protected data obtained from 14 HIPAA-regulated entities. The lawsuit claims patient data was used without authorization, in violation of the HIPAA Privacy Rule. Further, while the investigation uncovered misuses of patient data, Verily failed to disclose the breach, delaying notifications while contract renewals were negotiated with the affected covered entities, in violation of the HIPAA Breach Notification Rule.

The lawsuit was filed last year; however, it went unreported by the media until it was spotted by CNBC, which reported on it last week. The lawsuit was filed by Ryan Sloan, a former chief commercial officer at Verily Onduo, Verily’s diabetes and hypertension business. The lawsuit is currently pending in the United States District Court for the Northern District of California in San Francisco, having survived a motion to dismiss the case or resolve it through arbitration.

Sloan was hired by Verily in 2020 and was employed until he was terminated in January 2023. Sloan claims that he and Julia Feldman, general counsel at Onduo, discovered the HIPAA violations in January 2022 and reported them to senior management. Sloan claims that patient data was used for research, marketing campaigns, press releases, and national conferences, which are not uses permitted by the HIPAA Privacy Rule unless consent is obtained from patients.

Sloan claims that he and Feldman repeatedly raised the matter with senior management, and that an internal investigation confirmed several HIPAA breaches in violation of business associate agreements between Verily and HIPAA-covered entities, including Quest Diagnostics, Highmark Health, Walgreens Boots Alliance, and others. Despite the discovery of the HIPAA breaches, Sloan alleges that no notifications were issued.

He claims that during a contract negotiation between Verily and Highmark Health in August 2022, Verily misrepresented that it had been fully compliant with the HIPAA Rules at all times, when the company knew that HIPAA violations had occurred, including with Highmark Health data. The lawsuit claims that Feldman was terminated later that month, along with another individual who was aware of the HIPAA breaches. Sloan was terminated in January 2023, which he claims was in response to his repeatedly raising concerns about the HIPAA violations and the alleged cover-up of the HIPAA breaches.

There is no private cause of action under HIPAA, so individuals are not permitted to sue for HIPAA violations. Only the HHS’ Office for Civil Rights (OCR) and state attorneys general have the authority to take legal action for HIPAA violations. The lawsuit, Sloan v. Verily Life Sciences LLC, claims that Verily retaliated against Sloan after he raised the HIPAA violations in good faith, in breach of his employment contract. Verily denies the allegations.

“Verily believes the allegations and contentions alleged in this employment matter that was commenced in 2023 are completely without merit. Verily will defend itself to the full extent of the law,” said a Verily spokesperson in a statement to CNBC. “Verily is an equal opportunity employer, and takes its responsibility and commitment to abide by all laws and regulations seriously. As this is an ongoing legal matter, Verily will not be providing further comment at this time.”