NIH’s flagship precision medicine program faces cybersecurity gaps, OIG warns

The National Institutes of Health’s All of Us Research Program, a cornerstone of the federal precision-medicine effort and one of the largest biomedical data collections in U.S. history, has not implemented key safeguards needed to protect sensitive participant information, according to a new federal audit from the HHS Office of Inspector General (OIG)

The findings raise fresh concerns about how NIH and its award recipients are managing the growing national-security risks associated with genomic data, particularly as the program continues to scale past 1.4 million registrants and amass hundreds of thousands of biosamples, electronic health records, and full genome sequences.

The 25-page report examines whether NIH ensured that the program’s Data and Research Center (DRC)—a major contractor responsible for storing, managing, and providing researcher access to All of Us data—properly limited who could see sensitive information, followed required cybersecurity controls, and fixed problems on time. OIG says NIH fell short on all three fronts.

Researchers could Access data abroad without required approval

At issue is how the DRC governs access to the systems used by its own internal staff and by external researchers working with controlled datasets.

Under the DRC’s existing policies, employees who need to log in while traveling abroad are supposed to obtain prior authorization by submitting travel details and receiving clearance from security personnel. But OIG found that the systems did not actually block access for users who failed to complete that process. Instead, staff members logging in from outside the United States saw only a warning pop-up—and could proceed without interruption.

According to the report, this creates blind spots: security staff cannot reliably distinguish approved foreign access from unapproved attempts, limiting their ability to assess potential risk tied to a user’s physical location.

NIH told OIG it has since strengthened controls for privileged internal users, including new alerts and requirements for advance notice when traveling internationally. But the watchdog noted that system-level restrictions were not in place at the time of the audit.

Sensitive participant data could be downloaded despite explicit prohibitions

A second major finding involves the DRC Researcher Workbench, the cloud-based portal that enables approved scientists to analyze de-identified clinical, survey, wearable, and genomic datasets.

Program policy clearly states that researchers are not permitted to download detailed participant-level data. Yet OIG investigators were able to initiate a download themselves, bypassing the restriction simply by checking a box confirming they understood the policy.

The DRC acknowledged that its systems could not automatically distinguish between non-sensitive outputs and sensitive participant-level data, preventing them from enforcing a hard ban on downloads. Instead, the system relies on warnings and post-hoc monitoring to enforce compliance.

NIH, in its response, said the program has put in place “compensating controls”—including monitoring tools to track the volume and nature of exported data—but maintained that researchers sometimes need to download analysis results for publication.

Still, OIG warned that allowing any pathway for downloading detailed records increases the risk that genomic or health data could be misused if a credentialed user intentionally or unintentionally exposes it to unauthorized parties.

Genomic data classified as “moderate risk” despite national security warnings

A striking section of the report highlights a disconnect between NIH and the HHS Office of National Security (ONS)—which has repeatedly warned federal agencies that genomic data presents national-security and economic vulnerabilities, particularly if accessed by foreign adversaries.

Despite these alerts, NIH and the DRC jointly categorized All of Us systems as “moderate risk”, using standards defined by the National Institute of Standards and Technology. ONS, however, considers systems containing genomic information to be “high risk,” requiring more stringent cybersecurity and privacy controls.

The DRC told auditors it was unaware of ONS’s position until OIG’s site visit in 2024. NIH acknowledged that it had not communicated those national-security concerns to the award recipient.

Because of this misalignment, the DRC did not implement the full suite of controls required for high-risk systems—measures that OIG says are necessary given the sensitivity and potential misuse of genomic data.

NIH now says it will reassess the system’s risk level during its next formal authorization process in 2026.

Security weaknesses were not fixed within required deadlines

OIG also found that the DRC routinely resolved cybersecurity and privacy issues more slowly than required under its award agreement.

NIH’s contract mandates strict remediation windows—15 days for critical issues, 30 days for high-severity, 90 days for moderate, and one year for low. But the DRC used its own, more lenient timelines in internal system security plans, effectively doubling or tripling the allowed time for some weaknesses.

While the contractor did eventually fix or obtain waivers for outstanding issues, OIG said the lag increased the window of opportunity for exploitation by threat actors.

NIH stated that it has now updated its documentation to reflect the faster, federally required remediation timelines.

NIH Agrees to All Recommendations

The audit includes five recommendations for NIH, all of which the agency accepted. They include:

• enforcing stricter access controls for staff working abroad
• implementing a technical or compensating control to prevent downloads of restricted data
• formally communicating national-security risks associated with genomic data
• reevaluating the DRC’s system risk categorization
• revising documentation to align with required remediation timelines

NIH says it has already taken several corrective steps, including restricting access to controlled-access repositories from institutions located in countries of concern and improving monitoring for high-risk user behavior.

Open science vs. data security

The All of Us program is positioned as a landmark effort to diversify biomedical data and accelerate scientific discovery and has long emphasized broad, responsible data sharing. The researcher portal is central to its value proposition, enabling thousands of scientists to explore patterns across genomics, EHRs, and environmental data.

But as the dataset grows, so does the risk calculus. Genomic information is inherently identifying, difficult to fully anonymize, and of increasing strategic interest to foreign governments and corporations.

The OIG report underscores that NIH must navigate a narrowing path: maintaining openness in service of scientific advancement while imposing constraints strong enough to safeguard some of the most sensitive health information ever collected at scale.

For now, the agency says it is strengthening oversight and revisiting its security posture—but the audit makes clear that those changes did not come soon enough.