📷 Key players Meteor shower up next 📷 Leaders at the dais 20 years till the next one
NEWS
U.S. Army

Labs cited for 'serious' security failures in research with bioterror germs

Alison Young
USA TODAY
An investigator wearing a hazardous materials suit emerges from a post office in October 2001 in West Trenton, N.J., during an investigation into the mailing of letters containing anthrax.

Amid concerns about the potential of a laboratory insider unleashing a deadly bioterror pathogen on the public, President Obama ordered greater scrutiny of workers with access to the riskiest microbes five years ago. The goal of the resulting regulations was to prevent something like the 2001 anthrax letter attacks — or worse — from happening again.

Federal regulators have secretly threatened to revoke permits to study bioterror pathogens from at least six labs — including those operated by Brigham Young University in Utah, the University of Hawaii-Manoa and the California Department of Public Health — because they failed to take required actions to assess the behavior and trustworthiness of their workers, plus other kinds of safety violations, records obtained by USA TODAY show.

In a letter to Brigham Young University, regulators said last year that they had "significant concerns" whether its lab staff could work with potential bioterror pathogens "in a manner which does not endanger public health and safety." California's Health Department lab in Richmond allowed unapproved staff to have key cards that let them into restricted areas and "failed to address safety issues over the course of the last four years," regulators told the lab.

The University of Hawaii-Manoa was called out by regulators, in another letter the government and the university tried to keep secret, for “widespread regulatory non-compliance” and "a serious disregard" for regulations for security, biosafety, incident response and training. Issues included failures to implement suitability assessments of key lab staff, installing a security system but not making it operational, and having lab staff that didn’t understand how to use respiratory protection needed to prevent exposure to infectious agents.

Officials at the three sanctioned labs that USA TODAY was able to identify refused to be interviewed but said in emails that the cited violations have been corrected. Brigham Young officials said their lab's security and other violations involved administrative and paperwork issues, such as simply failing to have language in their records documenting their procedures. USA TODAY is  working to identify the other three labs, whose names were removed from letters federal lab regulators released under the Freedom of Information Act.

How significant the security violations are is unclear because so much of the oversight of labs working with “select agents” — the government’s term for potential bioterror pathogens such as those that cause anthrax, plague and botulism — is cloaked in secrecy. Lab regulators at the Centers for Disease Control and Prevention refused to answer questions.

A spreadsheet of enforcement actions was heavily redacted by the Federal Select Agent Program before being released to USA TODAY. The program is jointly run by the CDC and the USDA.

The Federal Select Agent Program, jointly run by the CDC and the U.S. Department of Agriculture,   refused to release the names of more than 100 labs that have faced enforcement actions for a wide range of safety violations since 2003 — even those kicked out of the select agent program. The program cites a 2002 bioterrorism law as justification for redacting lab names from records released to USA TODAY. The news organization has identified several of the labs through its reporting.

The lack of public information makes it difficult to gauge the risks posed by the violations and whether federal inspectors are focusing on issues that have a real impact on improving safety and security, said biosecurity experts and policymakers.

“It’s so hard to say how this should be interpreted,” said Gigi Kwik Gronvall of the UPMC Center for Health Security, a think-tank, when asked about the suitability assessment violations at the Utah, Hawaii and California labs. Gronvall said she’s long heard complaints from labs that inspectors focus on paperwork and minutia, but it’s difficult to know whether that’s the case.

The bipartisan leaders of the House Energy and Commerce Committee, which has held two hearings on lab safety and oversight in the past year, said they are continuing their investigation to find root causes and solutions to serious safety incidents at U.S. research facilities. Among the high-profile blunders was the discovery this spring that a U.S. Army biodefense lab had been mistakenly shipping hundreds of live anthrax specimens — that it told recipients had been killed — for more than a decade, despite inspections by federal regulators. The problems continued undetected despite regulators previously citing the lab in 2007 for failing to properly kill anthrax.

“After repeated, inexcusable blunders with anthrax, smallpox and other dangerous pathogens, it is clear that this system is not working,” said committee chairman Rep. Fred Upton, R-Mich., and Rep. Frank Pallone Jr. of New Jersey, the committee’s ranking Democrat, in a statement to USA TODAY.

A CDC inspection report released to USA TODAY by the California Department of Public Health — the only one of the three sanctioned labs willing to release any inspection records — provides a rare glimpse into what lab regulators examine and cite during their visits. Though some violations involved potential safety issues, many of the violations cited at the Richmond, Calif., lab appear to involve missing language in policy manuals found during paperwork reviews.

Less emphasis should be placed on the paperwork and more on actions that assess and improve safety cultures, some lab experts said.

“Sure, we need regulations and oversight,” said David Franz, a former commander of the U.S. Army Medical Research Institute of Infectious Diseases in Maryland. “But safety and security are not enhanced by nit-picking bureaucratic policy manual reviews, arbitrary interpretation of regs and agonizingly slow communication with the labs.”

Lab regulators at the CDC are in the midst of a 90-day review of how the agency regulates safety and security at hundreds of public, private and government labs working with select agent pathogens. The review was launched in July in the wake of the USA TODAY Media Network’s ongoing investigation that has revealed government inspectors allowing labs to keep experimenting despite failing to meet key requirements on inspection after inspection.

Lab regulators at the USDA are doing a similar review of their part of oversight program. It was launched in June, a spokeswoman said Thursday.

Letters were sent in 2001 to NBC in New York and to the office of Sen. Tom Daschle, D-S.D., that were found to contain anthrax bacteria. The FBI's investigation concluded U.S. Army scientist Bruce Ivins was responsible for the anthrax letter attacks that killed five people and sickened 17 others.

CDC officials declined to be interviewed or to answer questions about their enforcement of the enhanced security regulations, many of which took effect in April 2013 and require initial and ongoing “suitability” assessments of lab workers with access to Tier 1 select agents. This group of pathogens is deemed by the government to pose the greatest risk of deliberate misuse with the most significant potential for mass casualties or devastating economic effects. It includes the bacteria that cause anthrax, botulism and plague, the Ebola virus and several other agents.

The regulations require a variety of security enhancements, including evaluating unusual behaviors, incidents or life changes among lab workers in ways that go beyond FBI background checks. They stem from an executive order signed by President Obama in 2010.

The Federal Select Agent Program cites the  anthrax letter attacks in October 2001 — which the FBI says were the result of a U.S. Army microbiologist — as an example of how deadly and financially costly the misuse of a pathogen by a lab "insider" can be. Five people were killed and 17 others sickened. The contamination caused by the anthrax letters disrupted businesses and closed parts of government, costing more than $23 million to decontaminate one Senate office building, according to a guidance document on the suitability regulations. The Postal Service lost about $2 billion in revenue, and there was up to $3 billion in additional costs to the Postal Service for decontamination and getting mail-sanitizing equipment.

Among the ways a lab worker could pose a threat, federal officials say:

  • A person with ill intent infiltrates a research facility under the guise of a researcher  to steal, release or divert dangerous pathogens.
  • A person  working at the facility is coerced or manipulated into providing access or expertise to people intending harm.
  • A person legitimately working with pathogens who experiences a “significant life changing event” that prompts misuse, release or diversion of pathogens.

Letters sent to each of these three labs show that the CDC threatened to suspend or revoke their authorizations to work with select agents if they didn’t agree to enter into a federal performance improvement program. Violations at each lab included failures related to the enhanced Tier 1 security requirements as well as other problems.

Brigham Young University in Provo, Utah: An Oct. 30 letter from the CDC to BYU officials noted “serious regulatory deficiencies” in the areas of security, biosafety and incident response. It said BYU failed to establish procedures for pre-access and ongoing assessments of suitability for staff with access to Tier 1 pathogens. Though regulators said “physical security” of select agent pathogens appears to be in place, “the near complete failure to establish written procedures and provisions to address the requirements for possession of Tier 1 select agents resulted in inspectors being unable to measure the implementation of the required security and safety measures.”

Inspectors found that BYU had given staff access to Tier 1 pathogens without conducting pre-access suitability assessments, failed to assess suitability on an ongoing basis and failed to establish procedures for colleagues to report incidents or concerns about a peer’s suitability, the letter says. The CDC, it says, has “significant concerns” about whether the university can work with select agent pathogens “in a manner which does not endanger public health and safety.”

In emailed answers to USA TODAY’s questions, BYU officials said the university’s one lab that works with select agents agreed to be put on a performance improvement plan, and it halted select agent research until it completed the plan in in April. The university said the violations noted by the CDC involved paperwork issues: “To clarify, BYU had taken action to verify the suitability of those accessing select agents. However, some of our administrative processes to document our compliance with the assessment standards were in need of improvement.”

The CDC letter said BYU “has failed to establish an occupational health program specific to the Tier 1 select agents used and possessed by the university and enroll individual with access … in said program as required.” The university told USA TODAY, “BYU did not fail to establish an occupational health and safety program.” BYU has such a program, it said, but “had simply not referenced this program in the written biosafety plan.”

BYU, a private institution sponsored by the Church of Jesus Christ of Latter-day Saints, said it would not release a copy of the inspection report that prompted the CDC to send the October 2014 letter threatening its lab’s suspension or revocation from the select agent program if the university didn’t go into the performance improvement program.

Citing “safety and security reasons,” BYU would not answer USA TODAY's questions about which Tier 1 pathogens were involved in the research that was suspended in the wake of the CDC’s letter. According to information posted on BYU’s website, the chairman of the university’s microbiology department lists two Tier 1 agents among his research interest: Burkholderia pseudomallei, a bacterium that causes a potentially fatal disease called melioidosis, and Burkholderia mallei, which causes a disease called glanders.

"BYU is confident that ongoing work in the [biosafety level 3] laboratory can be conducted in a safe and compliant way, and the CDC certification of our facility and operation confirms this," the university said in a statement.

University of Hawaii-Manoa: A May 2014 letter from the CDC to the university said findings on inspections had “indicated a serious disregard for these regulatory requirements resulting in observed compliance departures in the security, biosafety, incident response, and training requirements of the select agent regulations.” Regulators said the university had “serious regulatory deficiencies” that included failure to implement procedures for pre-access and ongoing suitability assessments of lab workers with access to Tier 1 pathogens. Though the university had installed the hardware for a required intrusion-detection system in Tier 1 pathogen areas, the university "has failed to render this system operational,” the CDC wrote.

Regulators expressed concerns about “serious biosafety departures,” including “misunderstandings” among staff on the proper use of respiratory protection against exposure to pathogens. Such issues, the letter said, “can result in increased risk of exposure to infectious agents by entity personnel that are not properly equipped or do not understand the use of the respiratory protection provided.” The letter said the CDC “strongly recommends” the university cease all work with Tier 1 select agents and enter into a storage-only status until it completed a federal performance improvement program.

The John A. Burns School of Medicine at the University of Hawaii-Manoa

University officials declined to be interviewed and did not answer most of USA TODAY’s questions. In an email, spokesman Daniel Meisenzahl said the university “fulfilled all requirements of the performance improvement plan,” and  the CDC renewed the university’s registration in June to allow work with select agent pathogens through June 2017. “This is an example of government functioning properly with [CDC’s] continuing vigilance toward constant improvement,” he said.

The university has refused since last year to release records to USA TODAY about its select agent violations and enrollment in the PIP. In response to USA TODAY’s open records appeal to Hawaii’s Office of Information Practices, the university told the information office in January that it is “proud” of being put on the PIP and that it “has been an exemplary participant in the Federal Select Agent Program.”

Hawaii State Sen. Sam Slom, a University of Hawaii alum and legislative watchdog over the school, said Wednesday that although some secrecy may be warranted, “I think we overuse that as an excuse.” He said he’ll ask tough questions when the Legislature begins its 2016 session in January and discusses the university's state funding.

“They look at being under the PIP as a point of honor, as if they’ve done something right — which is wrong,” said Slom, the Legislature’s minority leader and lone Republican. “My point of view is if you have serious regulatory issues here, particularly that involve public safety, you tell the university: Here’s your funding request. We’ll hold it until you adequately answer questions.”

California Department of Public Health: A February 2014 letter from the CDC expressed “significant concerns” about the Richmond, Calif., facility’s oversight of select agent pathogens as observed during an inspection in  December 2013 — as well as about repeated failures to correct issues identified during inspections going back to 2009. Regulators noted that the lab failed to meet requirements for suitability assessments for staff with access to Tier 1 agents because procedures were “pending approval from the Human Resources Department” in a process that inspectors wrote they were told “could take years.”

Regulators noted that lab personnel who were not approved to have access to select agent pathogens had “unrestricted card key access,” and some had “master keys that override the card key access system, allowing them unrestricted access” into areas where select agent pathogens are used. “This same observation had been cited in the 2011 and 2012 inspection reports, but remains uncorrected,” the letter said.

The Health Department lab does diagnostic testing as well as research that includes working with strains of bacteria that produce the toxin that causes botulism. Such strains are classified as Tier 1 select agents

Other issues cited by the CDC letter included the lab failing “to meet inventory record keeping requirements over the course of the last four years,” and failing “to address safety issues over the last four years,” including a lack of evidence since 2009 that all biosafety cabinets — used to protect researchers from exposure to select agent pathogens — were certified annually.

The Health Department said in emails that it entered into a federal performance improvement plan in March 2014 and that the lab was waiting to hear from the CDC on release from the plan after completing the last requirement  Aug. 5.

Despite the CDC’s citation, the department said it had been conducting the required staff suitability assessments since the regulation took effect in 2013. The department said the issue involved not having all the assessment guidelines incorporated into the lab’s security procedure manuals. The manuals have all since been updated, the department said.

Read USA TODAY's full investigation of safety and security issues at labs nationwide: biolabs.usatoday.com

Follow USA TODAY investigative reporter Alison Young on Twitter: @alisonannyoung

Featured Weekly Ad