Medical Device & Diagnostic Industry Magazine
Originally Published MDDI October 2005
Sources say that CDRH management is lax about information security, which may jeopardize the privacy of proprietary data.
By James G. Dickinson
Whistleblowers say CDRH does not always properly safeguard trade secrets and other proprietary data. Sources within CDRH who have been guaranteed anonymity leaked this inside information.
CDRH is the only FDA center with a documented case of proprietary information leakage. In 1995, a CDRH staffer leaked data from Visx Inc. to rival firm Summit Technology. The current whistleblowers allege that the center continues to harbor management with lax outlooks about information security. Such outlooks directly jeopardize the privacy of sensitive data, the sources say.
For example, last November, CDRH allowed a Chinese delegation into areas of the center before its employees could properly secure proprietary information. The group had been cleared for terrorism links but not for its members' industrial espionage potential. Furthermore, some of the group may have been issued temporary building passes. These passes allowed them access to offices during normal working hours, the sources allege.
The visit's purpose was vaguely described to staff, they say, and this aroused some CDRH employees' suspicion. China is a known producer of counterfeit devices. According to the sources, CDRH staff questioned management's judgment and the lack of safety measures it took for the visit. Their concerns were allegedly not addressed.
The whistleblowers say that this kind of disregard for safeguarding sensitive data is not unusual at CDRH.
A senior CDRH official said that measures were taken to prevent the disclosure of nonpublic information. However, the official did not know specifics.
As another example, in February, CDRH's Office of Science and Engineering Laboratories (OSEL) took an unusual step. It interviewed candidates for a division director position in front of an audience of current employees.
One candidate, Clemson University engineering professor Sarit Bhaduri, appeared to be using an OSEL laptop to give an electronic presentation to promote his candidacy. He referenced proprietary data about devices made by two companies that OSEL was reviewing at the time. The sources allege that OSEL deputy director Subhas Malghan had supported Bhaduri's candidacy.
OSEL staff members were reportedly very disturbed by what they saw. Some complained to the HHS Office of the Inspector General (OIG) and to the government-wide Office of the Special Counsel. OIG stopped its efforts after it found Bhaduri's presentation had been deleted. The Office of the Special Counsel reportedly directed CDRH not to hire Bhaduri.
Neither Bhaduri nor anyone in FDA would comment on the charges. However, sources allege that unsuccessful efforts to find and intimidate the complainants were made.
Why did the OIG's investigation of the CDRH staffers' complaints stop when the suspect presentation was not found on the OSEL computer? The whistleblowers say they can't understand why OIG doesn't seem to know that files deleted from computers can still be recovered and restored. Willful release of proprietary data by an FDA worker is potentially a criminal matter, they say. OIG should have taken the laptop for specialized testing and pursued the matter forcefully.
Why doesn't anyone deal with such problems? Center management is suspect. It was also suspect in the case of the Visx leak and other alleged CDRH scandals (e.g., Myo-Tronics, TMJ Implants, Utah Medical Products). Other centers have not been known to have encountered these kinds of problems.
The sources can explain this, too. “There is a good old boy or girl network within CDRH,” says one. “Because of past transgressions known to others within this network, serious matters are repeatedly ignored for fear of one manager outing another.” Indeed, supervisory staff involved in all of the foregoing remains at the agency today, apparently unharmed by their adventures. With the exception of the Myo-Tronics case in 1995, no disciplinary actions are known to have occurred.
A senior CDRH officer reviewed this information. He said that a distinction should be made between the intentional and inadvertent release of nonpublic information. In the latter case, he said, “there are usually so many people involved, generally administrative and clerical staff, that it is impossible to identify a wrongdoer. For example, a nonpublic document is accidentally picked up and put into an envelope intended for another document and mailed. Or, a letter to one company gets caught under a paper clip of a document going to another company.
“To the best of my knowledge, the release of nonpublic information has never been promoted, condoned, or excused. I do know that the protection of nondisclosable information is taken extremely seriously within the center at all levels. However, human error has a way of intervening at the most inconvenient times and circumstances.”
No FDA official would respond for the record to the report on the sources' allegations, which was shared ahead of publication with FDA commissioner Lester Crawford, CDRH director Daniel Schultz, and Malghan. However, OSEL director Larry Kessler sent an internal e-mail to all 180 OSEL workers. In it, he said he wanted to assure them “that we have investigated this situation independently and found no basis for any misconduct. Specifically, the report targets Deputy Director Subhas Malghan. I personally have the highest regard for the integrity of Dr. Malghan. The lack of response by FDA reflects our contempt for this kind of reporting and is, in a sense, a show of support from the entire center. I have personally spoken to Dr. Schultz, who has in turn spoken with Subhas, and expressed his 100% support for him and for OSEL.”
This returns to the question raised by the whistleblowers: Is protected information safe inside CDRH? Management says it is and admits having contempt for inside allegations to the contrary.
Grassley Seeks New Device Surveillance
Senate Finance Committee chairman Chuck Grassley (R–IA) wants FDA to reexamine its regulations and procedures for device surveillance. He has asked commissioner Lester Crawford whether the agency is planning to do so. His query responds to a July 20 New England Journal of Medicine article detailing the death of a college student who had a Guidant Ventak Prizm 2 DR implanted cardioverter-defibrillator (ICD) that failed.
Grassley said a statement in the journal article concerned him. It reported that for more than three years, Guidant kept quiet about the grave malfunctions of some of its ICDs. The article also said that Guidant “continued to sell defective devices after it made the manufacturing changes to fix the defects.”
He had earlier asked for details from FDA about the device involved in the death reported in the article. He asked why vital device performance data reported to FDA by device makers was not publicly available. Specifically, he wondered why this was true for pacemakers and defibrillators.
Grassley also referred to a new Institute of Medicine (IoM) report on pediatric use of medical devices. It said that FDA is not properly monitoring postmarket studies and not making postmarket research available to the public.
“It is the shared responsibility of the medical device industry, FDA, the medical community, and Congress to address the safety issues associated with medical devices,” Grassley wrote. He asked Crawford to describe what action FDA will take to address the IoM report and the safety of devices in general.
In addition, he asked Crawford to supply the Senate Finance Committee with a detailed briefing on the Guidant device's regulatory history. He would also like to see a status report on all investigations associated with the student's death.
Public Citizen Threatens Suit over Implants
Public Citizen may sue FDA if it approves silicone gel breast implants, said Sidney Wolfe, director of the Public Citizen Health Research Group, at a Washington news conference held in August. If FDA approves the implants before firms have provided ample long-term safety data, he said, Public Citizen “will seriously consider filing a lawsuit.” The lawsuit will “challenge what plainly would be an unlawful, arbitrary, and capricious agency action. The dangerous doctrine of approve now, test later must be firmly rejected.”
Wolfe noted that former FDA commissioner Mark McClellan rejected approving such implants in December 2003. He said that implant manufacturer Inamed had not shown reasonable assurance of safety, owing to the lack of long-term data. Implant makers, said Wolfe, have not even provided five years of reliable data, much less the 10 years or more that is needed.
McClellan issued a guidance telling companies what was needed to show safety, stressing the need for long-term data. However, in the spring of 2004, two firms submitted new applications. FDA staff reviewed the new applications and found them to be deficient because no long-term data on breakage was provided.
“As one of his first acts in his new post, commissioner Crawford has proposed to overturn the decision of his predecessor as well as 13 years of FDA precedent,” said Wolfe. Approving breast implants on the theory that FDA can grant the approval now, without ample data, and get the data later turns the statute on its head, Wolfe continued.
FDA Cites bioMerieux over GMPs
A Center for Biologics Evaluation and Research (CBER) inspection at bioMerieux revealed major deviations from CGMP requirements. The March inspection of the company's Durham, NC, manufacturing facility for in vitro diagnostic devices resulted in a July 29 warning letter. The letter said the deviations included:
• Failing to establish and maintain procedures for implementing corrective and preventive action. This includes requirements for investigating the cause of nonconformities and identifying actions needed to correct and prevent recurrence of nonconforming product and other quality problems.
• Failing to establish and maintain procedures to control products that do not conform to specified requirements.
• Failing to establish and maintain procedures for receiving, reviewing, and evaluating complaints by a formally designated unit to ensure that complaints are processed in a timely manner.
• Failing to establish and maintain adequate acceptance procedures for incoming and in-process products.
• Failing to validate processes with a high degree of assurance and approve the validation according to established procedures.
• Failing to establish and maintain procedures to adequately control environmental conditions that could reasonably be expected to have an adverse effect on product quality.
• Failing to establish and maintain procedures for the control of storage areas and stockrooms for product to prevent mix-ups.
• Failing to maintain complete device history records.
CBER acknowledged a written company response to the FDA-483 observations. However, the center said the response did not provide enough detail to fully assess the adequacy of the company's corrective actions.
The warning letter said the company should notify CBER of steps that have been or will be taken to correct the noted violations and prevent their recurrence.
More QSR Problems for Boston Scientific
An April inspection at Boston Scientific's Glens Falls, NY, manufacturing facility turned up violations of the quality system regulation (QSR) requirements. FDA found violations in the manufacture of low-profile Vaxcel implant chest ports with PASV valves, mini and standard Vaxcel implant chest ports with PASV valves, introducers and sheaths, and Vaxcel PASV 4.5F PICC catheters. The agency sent the firm a warning letter on August 1 detailing the problems.
Earlier, a warning letter described regulatory problems with the Vaxcel low-profile infusion ports at the firm's Watertown, MA, facility. At that time, FDA said the violations “may be symptomatic of serious underlying problems in [the] establishment's quality system.”
The August warning letter outlined the following QSR violations:
• Procedures are inadequate to prevent the acceptance of out-of-specification products.
• In-process tests that are used for final approval lack validation.
• Acceptance and rejection procedures have not been established or implemented for finished lots of Vaxcel low-profile, mini, and standard chest ports with PASV valves, or for Vaxcel PASV PICCs.
• The device history records fail to always include complete acceptance records that demonstrate the device is manufactured in accordance with its device master record.
• Complaints about possible failure of devices to meet specifications are not always thoroughly investigated when necessary.
• Records of complaint investigations do not always include the full device identifications, including the control numbers.
New York district director Jerome Woyshner said he had received the firm's response to the FDA-483 issued after the inspection. He said the letter indicated that most promised corrections constitute work in progress. Also, he said, several responses provide little detail on how the company will achieve the desired corrections.
Woyshner also cautioned that such serious violations could lead to FDA taking regulatory action without further notice. Such action could include seizing product inventory, obtaining a court injunction against further marketing of the products, or civil monetary penalties.
Sharps Injury Prevention Guidance
FDA has published a guidance for industry and FDA staff called Medical Devices with Sharps Injury Prevention Features. It aims to assist industry in preparing premarket notification submissions for devices that have a feature designed to prevent sharps-related injuries. FDA said the guidance pertains only to the sharps injury prevention features and does not provide advice for the devices.
Some sharps injury prevention features are included as integrated parts of finished devices, the guidance said. Others are marketed separately as accessories that the user attaches to a device at the point of use.
Typically, devices with such features are Class 2 devices subject to QSR requirements, including design controls. Design recommendations related to function and human factors engineering are included in the guidance. The recommendations are intended to help firms address the need for sharps devices that will protect user safety.
To download the guidance, visit www.fda.gov/cdrh/ode/guidance/
Panel Urges Nondetectable Injector Contamination
An FDA panel says that contamination levels should be nondetectable to effectively demonstrate that multiple-use nozzle jet injectors (MUNJI) are safe. The General Hospital and Personal Use Devices Panel met in August to make a recommendation to FDA on methods to assess the potential for disease transmission by MUNJI. The devices are jet injectors in which the fluid path for an injection is used more than once.
The panel said some testing methods could potentially assess whether a device is safe under the conditions for use. However, any such studies, such as a fluorescein test, would have to be validated. Only then could FDA use the study data from a sponsor or include the test in a guidance.
The determination of contaminant levels should be based on the most sensitive test methods currently available, the panel said.
Copyright ©2005 Medical Device & Diagnostic Industry