Who Dumped Medical Device Trade Secrets in Cyberspace?

This week's Trivia Tuesday question takes us back to a time when things at FDA were a bit messy, to say the least. In 2012 – just four years after The FDA Nine penned its infamous whistleblower letter – the agency accidentally dumped medical device company trade secrets onto the Internet where anybody could see them. More than 80,000 pages of sensitive documents were posted online.

The blunder was discovered inadvertently by an FDA researcher whose e-mails were monitored by the agency. And the exposure of this information lasted, supposedly, only a couple of days —until The New York Times began to inquire about it.

FDA's investigation of its employees in 2010 had evolved into a campaign to counter the claims of those critical of its medical review process.

The agency explained that while it was preparing its defense to a whistleblower lawsuit filed by former Center for Devices and Radiological Health (CDRH) employees, it outsourced the copying of documents requested by plaintiffs as part of their “discovery” rights to Fulton, MD-based Quality Associates.

Quality Associates proceeded to post thousands of pages of documents related to FDA’s internal email monitoring, including classified company data, on a publicly accessible file transfer site. How this happened remains unclear, but it was presumably an accident. The leaked documents detailed both the agency's investigation into whistleblowing by some of its own employees and other proprietary information related to several medical devices.

The leak was discovered by one of the dissident former CDRH researchers whose e-mails were being monitored. The individual reportedly used Google to search for scientists involved in the case to check for negative publicity that might hinder chances of finding work. Within minutes, the researcher stumbled upon the database.

“I couldn’t believe what I was seeing,” the researcher told the Times. “I thought: ‘Oh my God, everything is out there. It’s all about us.’ It was just outrageous.”

The irony of the story is that the tech-savvy director of CDRH at the time, Jeffrey Shuren, allegedly installed the spyware on CDRH employees' computers to prevent trade secrets being leaked. And it was that use of spyware that triggered the lawsuit against FDA in the first place. So, if it weren't for the spyware, there wouldn't have been a lawsuit. And if it weren't for that lawsuit, the agency would not have needed to outsource that task to a contractor that then accidentally dropped those sensitive documents online.

“These documents contain legally protected information, and we have initiated an investigation to determine how this occurred," FDA said in a statement. "The agency was made aware of the data breach after an inquiry from the New York Times on [July 13, 2012]. The documents have since been removed and are not publicly releasable. The FDA is looking into this matter.”

Shortly after the incident, U.S. Special Counsel Carolyn Lerner issued guidelines for all federal agencies about monitoring employee e-mail and other communications. The guidelines said that although lawful monitoring of employee communications serves legitimate purposes, federal law protects the ability of workers to exercise their legal right to disclose wrongdoing without fear of retaliation.

Check back next week for a new Trivia Tuesday question on our home page and test your knowledge about the medical device and diagnostics industry!