Leo Scanlon, deputy chief information security officer at HHS, who has been placed on leave for 150 days, refutes recent claims he and his colleague Maggie Amato are under investigation for ethics violations. The allegations revolve around the Healthcare Cybersecurity and Communications Integration Center, an initiative HHS originally planned to launch in June 2017. The project was delayed and has been put on hold since at least November.
In April 2017, Chris Wlaschin, former chief information security officer at HHS, indicated the agency would open the Health Cybersecurity and Communications Integration Center at initial operating capability in June. He said the collaborative information analysis center was based off the U.S. Department of Homeland Security's National Cybersecurity and Communications Integration Center.
However, in November 2017, Politico reported the cybersecurity center had been stalled amid personnel conflicts. HHS was reportedly investigating possible fraud in contracts signed by Mr. Scanlon and Ms. Amato, an anonymous HHS official told the publication. One allegation claimed the center directed a sole-source contract to a startup with personal connections to Ms. Amato.
In an emailed statement to Becker's Hospital Review March 20, Mr. Scanlon refuted the claims he and Ms. Amato were under investigation. Mr. Scanlon said investigators with the HHS Office of Inspector General told him and his attorney in February "neither Amato nor I were under investigation or had ever been under investigation with regard to the allegations Wlaschin presented to them."
Mr. Scanlon, who Mr. Wlaschin placed on paid administrative leave in September, characterized claims he and Ms. Amato were under investigation as "reckless misrepresentations."
"Yet, in sworn depositions, Wlaschin and [HHS] CIO Beth Killoran both stated that the personnel actions taken against Amato and me were based on an 'OIG investigation,'" Mr. Scanlon said. "The investigators explained [in February] that as with any federal investigative entity, all complaints received by the OIG are reviewed, but a review is not an investigation. Wlaschin has admitted that he was never contacted by OIG or ethics officials after submitting his complaints."
An HHS OIG spokesperson told Becker's Hospital Review the agency could neither confirm nor deny the investigation into Mr. Scanlon or Ms. Amato at this time.
Mr. Scanlon told Becker's Hospital Review he was removed from his position nearly 200 days ago and has been on administrative leave for 150 days. He said his security clearances have been removed, and he cannot access HHS facilities. He argues there was "no legitimate basis for the reassignment of me or Amato, or for placing me on paid administrative leave."
Mr. Scanlon's leave exceeds the legal limit. Current policy limits federal employee administrative leave to 10 work days per calendar year. After this leave expires, agencies may put employees on investigative leave in 30-day increments for up to 90 days total.
Mr. Wlaschin plans to resign at the end of March, for reasons unrelated to the cybersecurity center's challenges, according to Politico.
"The net effect of all of this is that the HCCIC initiative, which played such an important and promising role during the WannaCry [ransomware] incident [in May 2017], has been derailed; the Critical Infrastructure Protection Program of HHS once again lacks a cybersecurity component; and the NH-ISAC [National Health Information Sharing and Analysis Center] has no functioning partner in the agency," Mr. Scanlon said.