Security Lapses Discovered at CDC Bioterror Lab
A federal bioterror laboratory already under investigation by Congress for safety issues has had repeated incidents of security doors left unlocked to an area where experiments occur with dangerous germs, according to internal agency e-mails obtained by USA TODAY. In one incident, an unauthorized employee was discovered inside a restricted area.
According to an article from USA TODAY, Centers for Disease Control and Prevention spokesman says the unsecured door incidents in 2010 and 2009 inside its Emerging Infectious Diseases Laboratory in Atlanta were "not an acceptable practice of the agency." At no time, though, were bioterror organisms such as anthrax at risk of falling into the wrong hands, he said.
"The doors in question here are but one layer of multiple layers of security when it comes to both the animals and the agents that are worked on," CDC spokesman Tom Skinner said in the article. "The security measures we have in place, without going into detail, make it close to impossible for anyone who doesn't have approved access to the agents to get their hands on them."
The e-mails document doors being left unlocked in the building's high-containment lab block, which includes an animal-holding area and Biosafety Level 3 labs where experiments are done on microbes that can cause serious or potentially fatal diseases and can be spread through the air, the article says. Anthrax, monkeypox, dangerous strains of influenza and the SARS virus are examples.
One e-mail by a CDC safety manager describes an unauthorized man discovered in the animal-holding area and multiple doors that were unsecured at the time, the article states. Skinner says the man was a CDC scientist but was not immediately able to provide further details about why he was in the restricted area. Skinner said the man was in an outer corridor of the BSL-3 suite of labs.
For safety and security, access to BSL-3 labs is restricted, and they are supposed to have special airflow systems designed to help keep organisms inside. Problems with the airflow systems revealed by USA TODAY, including a February incident where air briefly blew out of a lab into a "clean" hallway, prompted the House Energy and Commerce Committee this week to launch a bipartisan investigation into safety issues. The committee is examining whether CDC — which inspects its own labs along with others nationwide that handle bioterror agents — is complying with federal safety requirements at the lab building, also known as CDC Building 18.
According to USA TODAY,e-mails written by CDC Safety and Occupational Health manager Patrick Stockton indicate the lab has had security lapses that Rutgers University biosafety expert Richard Ebright said may be a "major violation" of security standards for labs that work with potential bioterror agents.
In a November 2009 e-mail, Stockton wrote to several CDC officials involved with Building 18's high-containment laboratory area: "We are continuing to have some difficulties with doors remaining unsecured in the (high-containment lab) area. … If we continue to have issues, we will need to begin looking at individual access rights for these doors." The particular issue involved expansion sections of the doors, used to accommodate large pieces of equipment. The "through-bolts are not being re-engaged, and the doors are remaining unsecured," Stockton wrote, as reported in the article.
Five months later, the expansion doors continued to be left unlatched and unsecured, the article says. According to an April 29, 2010, e-mail to more than a dozen CDC officials involved with the lab building, Stockton wrote that earlier that day "an individual with no access and no escort" was found in the research animal-holding area of the high-containment lab area.
The e-mail continued: "He did not have access and at this point we are not sure how he got there." Stockton wrote that he talked to program and animal staff and "no one from their programs let this person in." CDC's Office of Security and Emergency Preparedness, which is a liaison to the Department of Homeland Security, was investigating, the e-mail said. Homeland Security officials did not respond to questions about the CDC security incidents.
Stockton's e-mail says that after the incident he and the building's high-containment lab manager, Anthony Sanchez, walked the entire high-containment block and found two doors unsecured. "This can certainly happen by mistake on occasion but we have addressed this issue in the past and now it seems to be a common failure point. … It is imperative that all doors leading to high containment remain secured," Stockton wrote.
Stockton and Sanchez didn't grant interviews, USA TODAY reports. CDC spokesman Skinner said: "Doors being left open by staff is not a standard practice. It's unacceptable, and our safety office has sent out numerous reminders to staff of the importance of staff practicing good physical security."
Skinner said he is unaware of any other door security incidents after the one in April 2010. He emphasized that multiple layers of security in the building would have prevented any unauthorized person from accessing germs that hold the potential to be used as bioterror weapons. "The bottom line is, worker safety and the public safety were never compromised," he said.
Ebright, of Rutgers University, expressed concern about the repeated issues revealed in news reports about Building 18 since the $214 million building opened in 2005, including articles in 2007 about backup generators that failed to keep airflow systems working during a power outage, and in 2008 about a high-containment lab door that the CDC sealed with duct tape after an incident where an airflow system malfunctioned and sent potentially contaminated air into a "clean" corridor, the article says.
The "documents you have obtained over the past several years make it clear that there has been a pattern of corner-cutting and negligence at CDC biocontainment facilities —starting with the failure to include provisions for emergency backup power, and encompassing inadequate door seals, improper airflow, jury-rigged repairs, and unsecured access points," Ebright said in the article.
If the security issues described in Stockton's 2010 e-mail continue and bioterror agents are being used in that area, Ebright said, "then heads should fall."
The CDC currently is responsible for inspecting the safety and security of its labs that work with bioterror agents. Skinner said CDC has a 66-year record of operating its labs safely, the article reports.
The CDC said this week, in the wake of USA TODAY's reports, that it is considering having its labs' safety reviewed by an outside agency, such as the U.S. Army Medical Research Institute for Infectious Diseases (USAMRIID).
Biosafety and biosecurity concerns have been the subject of previous congressional concerns. A 2009 report by the U.S. Government Accountability Office, the investigative arm of Congress, examined the potential risks posed by the growing number of high-containment labs doing research on potential bioterror agents, according to the USA TODAY article. It found that while lab accidents are rare, they do occur, primarily because of human error and systems failures.
It also noted that insiders working in the labs can pose risks, pointing to the Federal Bureau of Investigation's allegation that Bruce Ivins, a scientist at USAMRIID in Fort Detrick, Md., was the "sole culprit" in the 2001 anthrax attacks. While he was under investigation in 2008, Ivins died of a drug overdose.
"There are arguably two aspects to insider risk: the motive of the insider and the ability to misuse material and laboratory facilities," the GAO wrote in its report.