An HHS-OIG audit found gaps in privacy and security controls within the All of Us Research Program that could expose participant data.
The Department of Health and Human Services Office of Inspector General released findings from a 2024 audit of the NIH All of Us Research Program, identifying weaknesses in access controls and security safeguards at the program's Data and Research Center (DRC), operated by Vanderbilt University Medical Center. The audit concluded that existing controls were not sufficient to protect the health and genomic data of more than one million participants.
The All of Us Research Program, created under the Precision Medicine Initiative, maintains a large research database used by approved scientists to study a range of health conditions. While the Data and Research Center had implemented vulnerability scanning, monitoring, incident response, and contingency planning, the audit found that several safeguards did not meet federal requirements.
Users approved for remote access from specific foreign countries were not technically restricted to those countries: once approved, any authorized user could reach the environment from anywhere in the world. The audit also found that, although downloading detailed participant data is prohibited by policy, no technical control in the systems enforced that prohibition.
In addition, the DRC did not escalate certain national security concerns linked to genomic data management and did not resolve previously identified weaknesses within NIH’s required remediation timeframe. These issues increased the risk that participant information could be accessed or misused by unauthorized individuals, including foreign adversaries.
HHS-OIG reported that incomplete enforcement of remote access controls and insufficient data-download protections created avoidable exposure risks. The audit also noted gaps in communication between the DRC and NIH, particularly around national security considerations.
NIH agreed with all five recommendations issued by HHS-OIG. It has already implemented additional remote access protections and has blocked access from several countries of concern, including China, Cuba, Iran, Russia, and North Korea.
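The remote-access finding above is a textbook gap between policy and enforcement: approval to connect from abroad was recorded, but nothing bound each user to the countries they were approved for, and no country was blocked outright. The following is an added illustration, not code from NIH, the DRC, or the audit. It contrasts a weak "foreign access approved" flag with a per-user approved-country allowlist plus a global deny list, evaluated over constructed log lines. The users, IP addresses (from documentation ranges), and the GeoIP table are all assumptions; a real gateway would resolve location from a GeoIP database or the identity provider's signal.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed data: hypothetical users and the countries each is approved to
# connect from. Domestic users are approved for "US" only.
APPROVED_COUNTRIES = {
    "alice": {"US"},
    "bob": {"US", "GB"},   # approved for remote access from the UK
    "carol": {"US", "DE"},
}

# Countries blocked for every user regardless of individual approval. The
# article names these five as blocked by NIH after the audit.
BLOCKED_COUNTRIES = {"CN", "CU", "IR", "RU", "KP"}

# Constructed GeoIP stub: source IP -> ISO country code. Addresses are from
# the RFC 5737 documentation ranges and do not belong to anyone.
GEOIP = {
    "192.0.2.10": "US",
    "198.51.100.7": "GB",
    "203.0.113.5": "DE",
    "203.0.113.99": "RU",
}

# Weak control, as the audit describes it: a boolean "may connect from abroad".
FOREIGN_ACCESS_APPROVED = {"bob", "carol"}


def weak_evaluate(user: str, source_ip: str) -> bool:
    """Approval is a flag, so an approved user is admitted from ANY country."""
    country = GEOIP.get(source_ip)
    if country == "US":
        return True
    return user in FOREIGN_ACCESS_APPROVED


@dataclass(frozen=True)
class Decision:
    user: str
    source_ip: str
    country: Optional[str]
    allowed: bool
    reason: str


def evaluate(user: str, source_ip: str) -> Decision:
    """Hardened control: fail closed, deny list first, then per-user allowlist."""
    country = GEOIP.get(source_ip)
    if country is None:
        return Decision(user, source_ip, None, False, "unresolvable source location")
    if country in BLOCKED_COUNTRIES:
        return Decision(user, source_ip, country, False, "country blocked for all users")
    approved = APPROVED_COUNTRIES.get(user)
    if approved is None:
        return Decision(user, source_ip, country, False, "unknown user")
    if country not in approved:
        return Decision(user, source_ip, country, False, "country not in user's approved list")
    return Decision(user, source_ip, country, True, "approved")


def evaluate_log(lines: List[str]) -> List[Decision]:
    """Evaluate constructed 'user source_ip' access-log lines, one Decision each."""
    decisions = []
    for line in lines:
        user, ip = line.split()
        decisions.append(evaluate(user, ip))
    return decisions


# Constructed sample log: the last two lines are what the weak flag lets through.
SAMPLE_LOG = [
    "alice 192.0.2.10",    # domestic, approved
    "bob 198.51.100.7",    # approved country for bob
    "alice 198.51.100.7",  # alice was never approved for GB
    "carol 203.0.113.99",  # RU is blocked for everyone, even though carol may go abroad
]

if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG):
        print(f"{d.user:6} {d.source_ip:14} {d.country or '??':2} "
              f"{'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
```

The point of the contrast is in the last log line: the weak check admits carol from a blocked country because her "foreign access" flag is set, while the hardened check denies her before the allowlist is even consulted. An unresolvable source address is also denied rather than treated as domestic.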
Federal oversight bodies have repeatedly warned that large biomedical and genomic datasets are prime targets for cyber espionage. The U.S. Government Accountability Office has reported that agencies handling genomic and high-value health data must strengthen identity verification, restrict foreign access pathways, and consistently enforce remediation timelines to reduce exposure to nation-state threats. These concerns continue to shape policy discussions surrounding national biomedical research infrastructure.
Genomic data provides permanent, unchangeable information about a person's health predispositions, ancestry, and familial connections, making it valuable to both researchers and malicious actors.
Policy alone does not stop misuse: without technical safeguards that enforce it, users can connect from locations they were never approved for or extract data the policy prohibits downloading.
Organizations operating a Data and Research Center for NIH must meet federal information security standards, remediate vulnerabilities within required timeframes, and report relevant national security concerns to NIH.
Large biomedical research databases contain vast amounts of health and genomic data that can be exploited for intelligence purposes, population-level analysis, or economic advantage.
The audit points toward stronger remote access verification, technically enforced download restrictions, better oversight of external access attempts, and automated tracking of vulnerability remediation.