CDC bioterror labs cited for security flaws | News

ATLANTA -- Laboratories at the Centers for Disease Control and Prevention have been
repeatedly cited in private government audits for failing to properly
secure potential bioterror agents such as anthrax and plague, and not
training employees who work with them, according to "restricted"
government watchdog reports obtained by USA TODAY.

"These weaknesses could have compromised [CDC's] ability to safeguard
select agents from accidental or intentional loss and to ensure the
safety of individuals," according to a 2010 report by the Department of Health and Human Services' inspector general.

The IG probed federal lab security after a scientist at an Army lab was
implicated in the anthrax attacks in 2001. The IG also noted problems
with CDC lab security in reports from 2009 and 2008.

The reports - which are prompting concern among some key members of
Congress - offer a rare window into the CDC's performance on safety and
security issues when working with the world's most dangerous pathogens.

The
CDC is the main federal agency that oversees government and private
bioterror lab safety involving agents dangerous to people, but it
refuses to release copies of its lab inspection reports. The IG's office
released its reports to USA TODAY in response to a Freedom of
Information Act request.

CDC officials said nobody was endangered
because their labs have redundant layers of safety and security to
protect employees and the public. When issues arise, they are fixed
immediately, said Joseph Henderson, director of the CDC's Office of
Safety, Security and Asset Management. "We always take it seriously," he
said. "We strive for perfection."

The issues cited in the IG
reports are "troubling," said U.S. Rep. Fred Upton, chairman of the
House Committee on Energy and Commerce. His committee has been examining
federal regulation of bioterror labs in the wake of USA TODAY reports
last summer about incidents at CDC labs in Atlanta of security doors left unlocked and issues with airflow systems that help prevent the release of infectious agents. The newspaper's
earlier reports, which involved incidents in 2009-2012, were based on
leaked internal e-mails and other records.

The IG reports were heavily redacted by government officials
because they contain "restricted, sensitive information." Still Upton,
R-Mich., said they "show the need for better scrutiny over the handling
of select agents ... and we intend to immediately look into the issues
raised."

The reports also concerned U.S. Rep. Henry Waxman of
California, the ranking Democrat on the committee. He said, "There
appears to be long-standing and recurring problems at CDC's labs which
underscore the need to increase oversight and to ensure that appropriate
action is taken to correct these problems permanently."

The issues cited in the IG's audits include:

* Failing to ensure the physical security of bioterror agents or restrict
access to approved individuals. The 2009 report cites coding on
electronic cards that allowed overly broad access to approved workers,
allowing them wide access to all bioterror research areas, rather than
just the specific areas or specimen freezers for their projects. Most of
the details in the 2010 report were redacted.

* Failing to ensure that those working with and around potential bioterror
agents have received required training. The 2010 report says auditors
couldn't verify that 10 of 30 employees sampled had the required
training. The 2009 report says the labs "did not provide biosafety and
security training to 88 of 168 approved individuals" before they were
given access to work areas for bioterror agents.

* Not ensuring that only approved individuals accepted packages containing
potential bioterror agents arriving from other outside labs. The 2010
audit identified six unapproved people - five from a delivery contractor
and one security guard - who received and signed for the packages. The
2008 report, which focused on security of arriving packages, also
identified issues.

In 2008, the FBI implicated a microbiologist working at an Army
biodefense lab as being responsible for the anthrax letter attacks,
which killed five and sickened 17. The scientist, Bruce Ivins, took a
fatal overdose of Tylenol while under scrutiny.

It is not clear
which germs or toxins, known as "select agents" in federal regulations,
were involved in the CDC incidents that occurred from 2005 to 2009. Select agents are all dangerous pathogens and include the ebola virus, monkeypox virus, the toxin that causes
botulism and ricin, a deadly poison that made headlines in 2003 after a
potential London terror attack was foiled.

Although the locations of the CDC labs examined by the IG's auditors
were redacted from the reports, Henderson said the 2010 and 2008 audits
involved labs on the CDC's main campus in Atlanta, and the 2009 audit
was of the agency's labs in Fort Collins, Colo.

Rutgers university
biosafety expert Richard Ebright, who reviewed the IG reports at USA
TODAY's request, said the issues cited are significant and repeated.
"There is no evidence of improvement. Some of the same kinds of
violations occurred repeatedly over the three-year review period," he
said. "It is ironic that the institution that sets U.S. standards for
safety and security of work with human pathogens fails to meet its own
standards."

In the wake of
USA TODAY's reports last June and concerns about the CDC policing
itself, the CDC agreed last August to have its labs inspected by
bioterror lab experts from the U.S. Department of Agriculture. The USDA
has inspected CDC labs twice, said CDC spokesman Tom Skinner, and
inspections will occur every 12 to 18 months.

The CDC would not
share copies of its most recent inspection reports, saying it is agency
policy not to release them for security reasons. Yet to document that
CDC had corrected airflow issues at its Emerging Infectious Diseases
Laboratory in Atlanta, the agency on Friday provided USA TODAY a copy of an external lab safety review done at the CDC's request by biosafety experts from Canada's public health
agency. The Canadian review at the $214 million 11-story lab complex
known as Building 18, says it found no issues of "non-compliance" that
pose health and safety risks.

The CDC has not responded to USA TODAY's FOIA requests filed eight
months ago for copies of its inspection reports for Building 18's labs,
nor has it responded to requests for documents about the building's lab
security and airflow incidents.