WASHINGTON – U.S. Sens. Mark R. Warner and Tim Kaine (both D-VA) today applauded $1,197,247 in rural development funding to further telemedicine at the University of Virginia, George Mason University, VCU Health’s Community Memorial Hospital in Mecklenburg County, Va. and the Appalachian Agency for Senior Citizens in Tazewell County, Va. This funding was awarded through the U.S. Department of Agriculture (USDA)’s Distance Learning and Telemedicine grant program.

“Telehealth services have the power to decrease travel time and increase access to specialized health care in some of Virginia’s most underserved communities,” said the Senators. “We are thrilled to see these grants go to boosting telemedicine services and provider training at the University of Virginia, George Mason University, VCU’s Community Memorial Hospital, and the Appalachian Agency for Senior Citizens.”

The funding will be awarded as below:

• $154,600 for the Appalachian Agency for Senior Citizens to provide telemedicine services to low-income elderly and disabled individuals who will attend the adult day care facility located in Falls Mills. The facility will provide medical care, nutrition services, and day care and care coordination, while also providing economic development for the community and educational opportunities for the public. This rural investment will benefit approximately 25,000 residents at nine sites across a four-county area.
• $397,668 for the University of Virginia to enable the Rector and Visitors Center to implement the Virginia Telemedicine Network for Cardio-metabolic disease, Opioid Use Disorder, Ophthalmology, Black Lung Disease and Cancer. The University of Virginia Health System (UVAHS) will serve as the hub site to deliver health care services and training to 19 community health care providers in 12 counties, including federally qualified health centers (FQHC) and free clinics that serve economically distressed regions of Virginia. This project will reach 750,000 rural residents.
• $500,000 for George Mason University to implement a telemedicine project to provide training of medical professionals in the area of opioid dependency and treatment. This program will serve a population of almost 177,000 residents across Virginia and West Virginia.
• $144,979 for Community Memorial Hospital to create the Rural Center for Integrated Telemedicine. This center will provide medical services via interactive video conferencing equipment, to four sites in Mecklenburg County, Virginia, and will benefit approximately 11,000 residents.

The USDA’s Distance Learning and Telemedicine program helps rural communities use the unique capabilities of telecommunications to connect to each other and to the world, overcoming the effects of remoteness and low population density. Applicants eligible for Distance Learning and Telemedicine grants include most State and local governmental entities, federally-recognized tribes, nonprofits, for-profit businesses and consortia of eligible entities.

Sens. Warner and Kaine have been strong advocates for rural communities and health care access in the Commonwealth. Last year, the Senators saw through the passage of the Opioid Crisis Response Act of 2018, which included a provision by Sen. Warner to expand telehealth services for substance abuse treatment. Additionally, Sen. Warner introduced legislation – cosponsored by Sen. Kaine – last month to expand telehealth services through Medicare, make it easier for patients to connect with their doctors, and help cut costs for patients and providers. Sen. Kaine also introduced legislation to expand health care to rural areas through telehealth. The bill passed out of the Senate Health, Education, Labor, and Pensions (HELP) Committee in June as part of the Lower Health Care Costs Act of 2019. And in 2003, then-Gov. Warner expanded Medicaid coverage for telemedicine statewide, including evaluation and management visits, a range of individual psychotherapies, the full range of consultations, and some clinical services, including in cardiology and obstetrics.

###

WASHINGTON, DC – U.S. Sen. Mark Warner (D-VA) joined Sen. Gary Peters (D-MI), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, and 43 of his colleagues in sending a letter requesting that Senate leadership and appropriations conferees include provisions to protect federal employees’ collective bargaining rights in any appropriations legislation Congress passes.

“Robust labor unions are a hallmark of competitive workplaces – they lead the fight for better benefits, protections, and working conditions. The Trump Administration’s anti-union agenda undermines the government’s ability to attract talented workers and demoralizes workers currently in public service” wrote the Senators. “At a time when the right to unionize in both the public and private sectors is increasingly under attack, we must affirm our support for workers and labor rights.”

Earlier this year, the House passed the FY2020 Financial Services and General Government appropriations bill with a provision to prevent agencies from implementing any labor agreement that has not been agreed to by all parties or was not the result of binding arbitration. This provision restores the collective bargaining process and requires agencies to return to the bargaining table to engage in good-faith negotiations. Without this protection, unions will be locked into unreasonable and unfair contracts for the foreseeable future.

Hardworking families in Michigan and across the country rely on labor unions to fight for better opportunities and help prevent unfair contracts. Over the past two years, the Trump Administration has taken actions that undermine federal labor-management relations, including issuing Executive Orders that drastically reduce official time, restrict collective bargaining and obstruct the union grievance process. Some agencies have refused to negotiate altogether, including the Environmental Protection Agency, which forced a seven-year contract on employees over union objections in July.

Peters was joined in requesting the provisions by U.S. Senators Doug Jones (D-AL), Kyrsten Sinema (D-AZ), Dianne Feinstein (D-CA), Kamala D. Harris (D-CA), Michael Bennet (D-CO), Richard Blumenthal (D-CT), Chris Murphy (D-CT), Tom Carper (D-DE), Mazie K. Hirono (D-HI), Brian Schatz (D-HI), Tammy Duckworth (D-IL), Dick Durbin (D-IL), Edward J. Markey (D-MA), Elizabeth Warren (D-MA), Ben Cardin (D-MD), Chris Van Hollen (D-MD), Angus King (I-ME), Debbie Stabenow (D-MI), Amy Klobuchar (D-MN), Tina Smith (D-MN), Jon Tester (D-MT), Maggie Hassan (D-NH), Jeanne Shaheen (D-NH), Cory Booker (D-NJ), Bob Menendez (D-NJ), Martin Heinrich (D-NM), Tom Udall (D-NM), Catherine Cortez Masto (D-NV), Jacky Rosen (D-NV), Kirsten Gillibrand (D-NY), Sherrod Brown (D-OH), Jeff Merkley (D-OR), Ron Wyden (D-OR), Bob Casey (D-PA), Jack Reed (D-RI), Sheldon Whitehouse (D-RI), Tim Kaine (D-VA), Mark R. Warner (D-VA), Bernie Sanders (I-VT), Maria Cantwell (D-WA), Patty Murray (D-WA), Tammy Baldwin (D-WI), and Joe Manchin (D-WV).

The text of the letter is copied below and available here:

Dear Leader McConnell, Chairman Shelby, Chairman Kennedy, Leader Schumer, Vice Chairman Leahy, and Ranking Member Coons:

As you finalize appropriations legislation for Fiscal Year 2020 (FY 2020) and begin conference discussions with your House counterparts, we respectfully ask that you accede to Section 749 of the House Financial Services and General Government Appropriations Act (H.R.3351), which provides an essential safeguard for federal employees’ collective bargaining rights in response to the Trump Administration’s sustained attacks on the federal workforce.

The Civil Service Reform Act (the Act) of 1978 codified federal employees’ rights to form and join unions and engage in collective bargaining, stating that “labor organizations and collective bargaining in the civil service are in the public interest.” Unfortunately, over the past two years, the Trump Administration has sought to dismantle federal employee rights. In May 2018, President Trump issued three Executive Orders aimed at reducing official time, restricting collective bargaining, and obstructing the union grievance process. After an initial District Court ruling enjoining many of the Executive Order provisions, the D.C. Circuit Court overruled the decision, holding that unions must first exhaust administrative remedies through the Federal Labor Relations Authority (FLRA). The Circuit Court denied a request to rehear the case, and the District Court’s injunction on the Executive Orders expired on October 2, 2019, leaving agencies free to implement the contested provisions.

Even before the injunction expired, OPM guidance encouraged agencies to bargain for proposals similar to the enjoined provisions. In order to do so, many agencies have resorted to circumventing the collective bargaining process altogether by engaging in “surface” bargaining – going through the bargaining process without meaningfully participating in negotiations – to reach the Federal Service Impasses Panel (FSIP), where the Trump-appointed panel has disproportionately ruled in favor of management.

Other agencies have refused to negotiate outright. While unions challenged these and other bad-faith bargaining techniques, the Trump Administration has curtailed many of their remedies. For example, there is no General Counsel at FLRA to prosecute unfair labor practice charges. President Trump’s nominee to fill the position is significantly underqualified and has a history of crafting anti-union policies at the Department of Health and Human Services. Therefore, the Circuit Court’s ruling makes it unlikely that federal employee unions will receive meaningful or timely relief from the Trump Administration’s policies.

In June, the House passed its appropriations package with a provision to retroactively block agencies from implementing any collective bargaining agreement that has not been mutually and voluntarily agreed to by all parties, unless it was the result of binding arbitration. This will restore the collective bargaining process and require agencies to return to the bargaining table to engage in good-faith negotiations. Without this protection, unions will be locked into unreasonable and unfair contracts for the foreseeable future. 

These actions are poised to cause long-term damage to the foundations of our civil service. With almost a third of federal workers eligible to retire in the next five years, it is more important than ever that the federal government focus on recruiting and retaining the best employees. Robust labor unions are a hallmark of competitive workplaces – they lead the fight for better benefits, protections, and working conditions. The Trump Administration’s anti-union agenda undermines the government’s ability to attract talented workers and demoralizes workers currently in public service. The Administration’s actions also imperil scientific integrity across agencies – lack of adequate union representation makes it easier for agencies to politicize scientific roles and silence dissenting opinions. 

Furthermore, as the country’s largest unionized employer, the federal government sets the tone for labor-management relations across the country. At a time when the right to unionize in both the public and private sectors is increasingly under attack, we must affirm our support for workers and labor rights. 

We appreciate your attention to this matter. Please do not hesitate to contact us if you have any questions or require additional information.

###

Washington, DC -- Today, Senators Mark Warner (D-VA) and Tim Kaine (D-VA) joined Congresswoman Jennifer Wexton (D-VA) in sending a letter requesting that the National Park Service (NPS) conduct a reconnaissance survey to evaluate the suitability of designating the George C. Marshall House, known as Dodona Manor, in Leesburg as an “affiliated area” under NPS.

“Designating the George C. Marshall House as an affiliated area under NPS would bring increased public interest and awareness of Dodona Manor and would produce additional funds to further assist in its preservation,” said the lawmakers in the letter. “Dodona Manor has a clear historic value to our nation. To honor General Marshall’s life and legacy, it would be fitting for Dodona Manor to become an affiliated area under NPS to ensure its preservation for future generations.”

General Marshall led a lifetime of public service, serving as Chief of Staff to the Army during America’s entry into World War II, as Secretary of State where he orchestrated the historic Marshall Plan to rebuild Europe following the war, and as Secretary of Defense after the onset of the Korean War.

Dodona Manor is currently registered as a National Historic Landmark by the Department of the Interior and has been designated by the Commonwealth of Virginia as a Virginia Landmark.

The Marshall House has been an integral part of the Leesburg community for over two centuries. General Marshall and his wife Katherine purchased the property in 1941 as a weekend retreat house, and regularly spent time at the property throughout General Marshall’s tenure as Secretary of State and Secretary of Defense.

Today, the property hosts international exchanges, historical exhibits, community events, and educational programming about the life and legacy of the Marshall family.

The full text of the letter is available here and below.

November 20, 2019

The Honorable David Vela 
Deputy Director, Operations 
Exercising the Authority of the Director 
National Park Service 
1849 C Street NW 
Washington, DC 20240

Dear Deputy Director Vela:

We write to urge the National Park Service (NPS) to conduct a reconnaissance survey to explore the suitability of designating General George Catlett Marshall’s home and gardens, known as Dodona Manor, located at 217 Edwards Ferry Road in Leesburg, Virginia as an affiliated area under NPS. Dodona Manor has great historical and educational significance and NPS’s designation would help preserve the property for future generations. 

As one of only five individuals to serve the United States as a five-star General of the Army, General George C. Marshall was known for his integrity and selfless service that made him an American visionary and hero. General Marshall’s Dodona Manor is rich in history. General Marshall and his wife Katherine purchased Dodona Manor in 1941 and they lived there during the most important period of General Marshall’s career. The Marshall family owned the House during General Marshall’s tenure as U.S. Army Chief of Staff, Special Envoy to China, Secretary of State, President of the American Red Cross, Secretary of Defense after the onset of the Korean War, and Chairman of the American Battle Monuments Commission. Notably, General Marshall was awarded the Nobel Peace Prize in 1953, the only professional soldier so honored, for his leadership and contributions to the economic recovery of Europe following World War II while living in Dodona Manor.

Dodona Manor is now used to preserve and advance General Marshall’s life’s work and legacy. The Marshall home has been impeccably restored to museum standards with original Marshall furnishing, which accurately displays a picture of how this American hero lived to the public. It also presents in an educational format how the Marshall family dedicated themselves to public service and supports educational programming based on General Marshall’s desire to inspire future leaders. By hosting international exchanges, historical exhibits, and community events, Dodona Manor perpetuates his memory and contributes directly to the character and viability of Leesburg.

General Marshall’s House is currently registered with the Department of the Interior as a National Historic Landmark and has been designated by the Commonwealth of Virginia as a Virginia Landmark. Designating the George C. Marshall House as an affiliated area under NPS would bring increased public interest and awareness of Dodona Manor and would produce additional funds to further assist in its preservation.

 Dodona Manor has a clear historic value to our nation. To honor General Marshall’s life and legacy, it would be fitting for Dodona Manor to become an affiliated area under NPS to ensure its preservation for future generations. Therefore, we would appreciate your consideration of our request to conduct a reconnaissance survey. Thank you for your attention to this matter and we look forward to your response.

Sincerely, 

###

WASHINGTON – U.S. Sens. Mark R. Warner (D-VA) and Chuck Grassley (R-IA) today formally requested an FBI briefing on its investigation into the fatal shooting of Bijan Ghaisar by U.S. Park Police in 2017. The FBI announced the conclusion to its lengthy investigation last week, but did not fully explain its findings, including why the two officers opened fire on Ghaisar.

The senators have long sought transparency into the circumstances surrounding the deadly use of force and the FBI’s review of the case, but the FBI largely declined to provide details at the time, citing an ongoing investigation. Now that the investigation has concluded, the senators are demanding greater clarity to provide needed transparency and preserve the public trust.

“Despite nearly two years of investigating this incident in which considerable FBI resources were used, the Ghaisar family, Congress, and the general public still do not have all the answers.  The FBI needs to provide a full and thorough account of the events that led to Mr. Ghaisar’s untimely death,” the Senators wrote.

In January of 2018, Warner, along with Sen. Tim Kaine (D-VA) and Rep. Don Beyer (D-VA), pushed the FBI for an update on the status of the FBI’s investigation into the fatal 2017 shooting. In October of that year, Warner sent a letter to the head of the National Park Service (NPS) regarding the circumstances under which U.S. Park Police officers engaged with Mr. Ghaisar.

Grassley, then chairman of the Senate Judiciary Committee, contacted the FBI about the investigation in December of 2018. The FBI responded in March with little information, provoking a follow-up letter from Grassley.

In June, Grassley and Warner decried the opaque and drawn-out nature of the review in letters to both the FBI and NPS. The FBI provided a brief response in August, leaving many questions unanswered. In October, NPS provided a partial response, which prompted a follow-up letter from the Senators seeking more information.

Following the recent conclusion of the FBI’s investigation, the senators pledged to seek greater transparency. Full text of the senators’ official request for a briefing follows. A copy of the letter is available here.

November 20, 2019

The Honorable Christopher Wray

Director

Federal Bureau of Investigations

Washington, D.C. 20535

Dear Director Wray:

We write today to request a briefing and a response to Senator Warner’s letter from January 30, 2018, Senator Grassley’s letters from December 17, 2018, and March 22, 2019, and the Senators’ joint letter from June 18, 2019, on the shooting of Bijan Ghaisar.  While the FBI has announced it has concluded its investigation into the shooting of Mr. Ghaisar, the FBI has continuously refused to answer several questions that were raised in the aforementioned letters because the investigation had yet to conclude.  Now that the investigation has concluded, we expect to receive answers to these questions and a briefing on the FBI’s investigative process and findings. 

Investigations into the use of deadly force must be handled in a way that reinforces public confidence in law enforcement.  Following completion of these types of investigations, it is necessary for investigators to be fully transparent to ensure that the public understands the circumstances of each incident.  This creates transparency and builds public trust in law enforcement.  Despite nearly two years of investigating this incident in which considerable FBI resources were used, the Ghaisar family, Congress, and the general public still do not have all the answers.  The FBI needs to provide a full and thorough account of the events that led to Mr. Ghaisar’s untimely death.

In order to shed light on this delicate situation, we ask that you respond to Senator Grassley’s and Warner’s letters and provide us with a briefing summarizing the findings of this investigation by no later than December 15, 2019.   Additionally, we ask that you please arrange a time to provide our staffs with a briefing no later than December 6, 2019.

Sincerely,

Charles E. Grassley

United States Senator

Mark Warner

United States Senator

###

WASHINGTON, DC – Today, U.S. Senators Rob Portman (R-OH), Mark Warner (D-VA), Lamar Alexander (R-TN), and Angus King (I-ME) announced the Senate Energy and Natural Resources Committee has approved their bipartisan Restore Our Parks Act, legislation that would address the nearly $12 billion deferred maintenance backlog at the National Park Service (NPS). The bill, which has been praised by key stakeholders, would establish the “National Park Service Legacy Restoration Fund” from existing unobligated revenues the government receives from on and offshore energy development to fund deferred maintenance projects at NPS sites across the country.  Congressman Rob Bishop (R-UT) and Derek Kilmer (D-WA) have led similar legislation in the House of Representatives. The legislation now awaits action on the Senate floor.

“If we want to protect our national treasures for our children and future generations, we must make important investments before it’s too late,” Warner said. “National parks are not only instrumental in telling America’s story, they also serve as important economic engines that support thousands of jobs in communities across the country. In fact, the 22.2 million visitors who explored Virginia’s national parks last year spent an estimated $1.1 billion, supporting more than 16,000 thousand jobs. Today’s committee passage of the Restore Our Parks Act is a big first step in investing in our communities and funding the critical renovations our parks require.”

“For more than a century, the National Park Service has been inspiring Americans to explore the natural beauty of our country,”Portman said. “But in order to keep that work going, we need to ensure that they have the necessary resources to maintain our national parks. This bill will create the Legacy Restoration Fund to provide the National Park Service with funds for deferred maintenance projects like the more than $100 million in maintenance backlog at Ohio’s eight national parks. I’d like to thank Senators Warner, Alexander, and King as well as the cosponsors of his legislation for their leadership on this issue and I look forward to working with my Senate colleagues to get this legislation signed into law so that the National Park Service can continue preserving American treasures.” 

“This legislation could do more to restore our national parks than anything that has happened in the last half century, and the reason we need to restore them is so Americans can enjoy the 419 sites – from the National Mall in Washington, D.C., to the Great Smoky Mountains National Park to the Grand Canyon – for generations to come,” said Alexander. 

“Today’s committee vote represents an important, bipartisan step towards establishing lasting protections for our National Parks, and preserving these treasures for our children and grandchildren,” said King. “From Acadia to Zion, the National Park System captures America’s diverse natural beauty and is a proud reminder of our country’s dedication to preserving public land for all its citizens. As President Theodore Roosevelt once said, ‘There are no words that can tell the hidden spirit of the wilderness, that can reveal its mystery, its melancholy, and its charm.’ We have a collective responsibility to maintain this spirit of the wilderness in our National Parks – and this starts with the $12 billion maintenance backlog. Stewardship of our public lands is not a partisan issue, which is why I’m pleased that the Restore Our Parks Act passed our committee with strong bipartisan support.” 

“Today’s vote in the Senate Energy and Natural Resources Committee is yet another sign of the overwhelming public and congressional support to fix our parks. It’s now up to leadership in the Senate and House of Representatives to advance the bipartisan Restore Our Parks legislation,” said Marcia Argust, director of The Pew Charitable Trusts’ project to restore America’s parks. “Enacting this measure into law would be a historic end-of-the-year gift to our national parks, their millions of visitors, and local economies.” 

“From Acadia to Cuyahoga and the Great Smokies, America’s national parks protect some of America’s most iconic landscapes and most important history, and are beloved by millions. Yet as our parks face years of record-breaking visitation, they are falling into disrepair,” said Theresa Pierno, President and CEO for National Parks Conservation Association. “Billions of dollars are needed to fix parks’ crumbling roads, overgrown trails, broken water and sewer systems and outdated visitor centers. This isn’t the legacy we should be leaving for our children and grandchildren. After years of urging by communities and park advocates, today lawmakers are banding together, across the aisle, to fix our parks. We are grateful for the leadership of Senators Portman, Warner, Alexander and King, as we move one important step closer to providing our parks, rangers and local communities with the support they so desperately need and deserve.”

“The importance of our national parks extends way beyond their conservation and recreation value—they are also vital hubs if of economic activity, driving $40.1 billion in annual economic activity and 329,000 American jobs,” said U.S. Travel Association Executive Vice President, Tori Emerson Barnes.  “The Restore Our Parks Act is a critical step in securing our parks’ infrastructure so that they remain available both for the enjoyment of future generations and to sustain that economic legacy. We thank Senator Portman, for his key role in moving this legislation forward.” 

“America’s National Parks are often called our nation’s best idea, but after decades of inadequate funding and deferred maintenance,”said Thomas Cassidy, vice president for government relations and policy at the National Trust for Historic Preservation. “Our nation risks losing these incredible resources.  Our national parks are more than just places to experience natural beauty—they are places where our children and children’s children can experience the full American story. We applaud Senators Portman, Warner, Alexander and King for their leadership and commitment to our national parks and look forward to working with Congress and the Administration to secure passage of the Restore Our Parks Act.”

“The Restore Our Parks Act represents a significant investment in our national parks, which reflect all that we love and cherish as a nation,” said Will Shafroth, President and CEO, National Park Foundation. “As these places face increased visitation and aging infrastructure, this bill will help protect our parks' natural grandeur, expansive history, and rich cultural heritage. The National Park Foundation applauds bill champions Senator Lamar Alexander, Senator Angus King, Senator Rob Portman, and Senator Mark Warner for their unwavering support. We commend Senate Committee on Energy & Natural Resources Chairman Lisa Murkowski and Ranking Member Joe Manchin for holding today's markup and their shared commitment to addressing our parks’ deferred maintenance needs. As the Foundation continues to enhance the national park visitor experience through philanthropic support, we look forward to the legislation’s timely consideration on the Senate floor." 

“Our national parks are engines of economic growth for gateway communities across the country – and the Restore Our Parks Act is the key to ensuring proper funding to fix our aging and deteriorating national treasures,” said Patricia Rojas-Ungar, vice president of government affairs at Outdoor Industry Association. “OIA applauds the Senate Energy and Natural Resources Committee for working in a bipartisan manner to approve this critical legislation that will result in better infrastructure, healthier communities and a stronger economy. This day would not be possible without the dedication of Senators Portman, Warner, Alexander and King to propel the bill forward. We urge the full Senate to finish the job and pass this legislation as soon as possible.”

“National parks provide major economic opportunities for gateway counties. With National Park Service infrastructure in need of repair, surrounding communities often see declines in tourism,” said National Association of Counties Executive Director Matthew Chase. “The Restore Our Parks Act would help reduce the significant maintenance backlog and ensure positive experiences for visitors to our public lands. We thank the members of the U.S. Senate Committee on Energy and Natural Resources for supporting this legislation and urge the full Senate to act on it quickly.” 

NOTE: The Restore Our Parks Act would establish the “National Park Service Legacy Restoration Fund” to reduce the maintenance backlog by allocating existing revenues the government receives from on and offshore energy development. This funding would come from 50 percent of all revenues that are not otherwise allocated and deposited into the General Treasury not to exceed $1.3 billion each year for the next five years.

###

WASHINGTON, D.C. – U.S. Senators Mark R. Warner and Tim Kaine (both D-VA) joined Senators Ben Cardin (D-MD) and Lisa Murkowski (R-AK) in sponsoring a bipartisan Senate resolution (S.J. Res. 6) that would immediately remove the ratification deadline for the Equal Rights Amendment (ERA). Following this month’s elections in Virginia, the Commonwealth is poised to be the 38th and final state needed to ratify the ERA. If ratified, the ERA would finally guarantee full and equal protections to women in the Constitution.

“More than 96 years after the Equal Rights Amendment was first proposed, Virginia is about to take a giant step forward for women’s equality by becoming the 38th state to ratify the ERA,” Sen. Warner said. “This resolution will ensure that, even though this fight took decades, women’s equality will finally be fully and expressly recognized in our Constitution.” 

“This year marks the 100th anniversary of passage of the 19th amendment, yet women are still not explicitly recognized as equal under our Constitution,” said Sen. Kaine. “This resolution would ensure there’s still time to ratify the ERA, which will finally guarantee equal protections to women and strengthen our ability to fight gender discrimination. I hope Virginia will make history by becoming the 38th state to ratify the ERA.”

“Thank you to Senators Warner and Kaine for their strong support of the Equal Rights Amendment, which would prohibit discrimination based on sex.  Today I filed my first bill for the 2020 General Assembly Session, to make Virginia the 38th state to ratify the Equal Rights Amendment, guaranteeing women the same legal rights and protections as men under the law. Our Commonwealth stands poised to make history – and with champions like Senator Warner and Senator Kaine in Washington, we can finally make sure that the Equal Rights Amendment becomes a part of the U.S. Constitution,” said State Senator Jennifer McClellan, who filed a resolution in the Virginia Senate today to ratify the ERA. 

“Having worked with so many activists across the Commonwealth on two ERA bus tours, I know how important this issue is to women across Virginia. And as one of the first women to graduate from Virginia Military Institute, this fight is personal. It's time to enshrine women’s fundamental rights in the United States Constitution, and I thank Senators Warner and Kaine for being steadfast advocates for equality,” said State Delegate Jennifer Carroll Foy, who filed a resolution in the Virginia House of Delegates today to ratify the ERA.

Thirty-seven states, of the 38 needed, have already ratified the amendment, which Congress approved in 1972. Only one more state is needed among Virginia, Alabama, Arizona, Arkansas, Florida, Georgia, Louisiana, Mississippi, Missouri, North Carolina, Oklahoma, South Carolina, and Utah. The Virginia Senate passed a federal Equal Rights Amendment measure in January, but it was blocked by the then Republican-controlled Virginia House of Delegates. With both chambers now under Democratic control, Virginia is expected to soon become the 38th state to ratify the ERA.

The bipartisan U.S. Senate resolution (S.J. Res. 6) supported by Warner and Kaine would immediately remove the ratification deadline, paving the way for full and equal protections to women in the Constitution. Article V of the Constitution contains no time limits for ratification of amendments, and the states finally ratified the Twenty-Seventh Amendment in 1992 regarding Congressional pay raises more than 200 years after Congress proposed it in 1789 as part of the original Bill of Rights. The ERA time limit was contained in a joint resolution, not the actual text of the amendment, and Congress has already once voted to extend the ERA ratification deadline. The bipartisan resolution sponsored by Warner and Kaine would put to bed any potential ambiguity over adding the ERA to the Constitution once Virginia becomes the 38th state to ratify. 

The Equal Rights Amendment would finally give women full and equal protection under the Constitution. It reads as follows:

• Section 1.  Equality of rights under the law shall not be denied or abridged by the United States or by any State on account of sex.
• Section 2.  The Congress shall have the power to enforce, by appropriate legislation, the provisions of this article.
• Section 3.  This amendment shall take effect two years after the date of ratification.

###

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, wrote to the Department of Health and Human Services (HHS) regarding a proposed rule by the Centers for Medicare and Medicaid Services (CMS) that would require CMS-funded health plans (including ACA marketplace plans) to allow patients to access their personal health information electronically through third-party consumer applications. In his letter, Sen. Warner urged HHS to include clear standards and defined controls for accessing patient data in order to address the potential for misuse of these interoperability features.

“In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information,” wrote Sen. Warner. “It is critical that there are proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.”

“Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users,” he continued. “As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used.”

Under the proposed Interoperability and Patient Access rule, CMS would require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through open application programing interfaces (APIs). APIs would allow third-party software applications to connect to, process, and make the data available to patients.

In the letter, Sen. Warner emphasized the importance of allowing patients to easily access their health information. He also noted the similarities between the proposed rule and the ACCESS Act – bipartisan legislation introduced by Sen. Warner that would promote market-based competition among social media platforms by requiring the largest social media companies to make user data portable, and their services interoperable, with other platforms. The ACCESS Act would also allow users to designate a trusted third-party service to manage their privacy and account settings, if they so choose. Additionally, Sen. Warner urged that, at a minimum, the final rule include the following standards:

• Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it has alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
• Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
• Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
• Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Sen. Warner has been a longtime critic of poor cybersecurity practices that compromise Americans’ personal information. Last week, Sen. Warner raised concern with HSS’ failure to act, following a mass exposure of sensitive medical images and information by health organizations. In September, he wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

The Honorable Alex M. Azar II

Department of Health and Human Services

Office of the Secretary

200 Independence Avenue, S.W.

Washington, D.C. 20201

Dear Secretary Azar:

I am writing regarding the proposed rule from the Center for Medicare and Medicaid Services (CMS) on Interoperability and Patient Access that would enable third party consumer applications to access sensitive patient and health plan data through application programming interfaces (APIs) [1]. I share the goals of advancing interoperability in patient health information and believe that – implemented appropriately – this proposal could represent a significant step in that direction. However, I urge CMS to take additional steps to address the potential for misuse of these features in developing the rules around APIs. In just the last three years, technology providers and policymakers have been unable to anticipate – or preemptively address – the misuse of consumer technology which has had profound impacts across our society and economy. As I have stated repeatedly, third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information.

Congress passed the 21st Century Cures Act (P.L. 114-255) with a key objective of improving the protected exchange of electronic health records across the care continuum. Notably, Section 4003 and 4004 included specific provisions to establish a trusted health information exchange framework and reduce information blocking; it stated that there should be regulation over unreasonable practices to interfere with, prevent, or materially discourage access, exchange, or use of a patient’s electronic health records. While your agency has taken substantial steps to implement fundamental aspects of this legislation, it is critical that there are proper safeguards are in place to protect patient privacy and sensitive health information. Moreover, there should be more work done by HHS to facilitate greater access to, and transfer of, electronic health information that does not inadvertently enable dominant IT providers to leverage their control over user data outside of the health care context into nascent markets for personalized health products.

In your proposed rule CMS would specifically require Medicare Advantage (MA) organizations, state Medicaid and Children’s Health Insurance Program (CHIP) Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plans (QHPs) on the federally-facilitated exchanges (FFEs) to allow patients to access their personal health information electronically through an open application programming interface (API). Data should be made available through an API so that third party software applications can connect to, process, and make the data available to patients.

I agree that patients should have an ability to easily acquire their health information. The rule is in many ways consistent with bipartisan legislation I have introduced in Congress – the Augmenting Compatibility and Competition by Enabling Service Switching (ACCESS) Act, which requires our nation’s largest social media companies to make user data portable, and make their services interoperable with other platforms.

Common to both my bill and the proposed rule is a recognition that consumers should have a right to possess their data – and share it with authorized third parties that will protect it. Both proposals also seek to address the control over consumer data that incumbents wield, often to the detriment of new, innovative providers. Across all sectors – including health care – innovative products and services, increasingly dependent upon machine learning, rely on user data as the single most important productive input to innovation and customization. Importantly, however, any approach must balance innovation and ease of access with privacy, security, and a commitment to robust competition. Further, any effort must ensure that such access redounds to the benefit of patients – and that data, once shared with new providers, is not commercialized in ways that benefit those providers without direct benefits or compensation to users.

 As CMS and HHS move forward with this needed rule – I urge you to include clear standards and defined controls for all stakeholders that ensure third party software applications accessing patient data through APIs are effectively protecting patient information and that patients are appropriately (and routinely) informed, in clear and particularized ways, how their data is used. Such standards in a final rule should include at a minimum:

• Patient Access to Data – A guarantee that patients will have ready access to their personal health data and an ability to regularly monitor and ensure the accuracy of such information. Patients should be informed of all commercial uses of their data, including any third parties their data has been shared with (even if it has alleged to have been anonymized). Patients should also have the right to withhold consent for their data to be shared with third parties, or used in new ways without their consent. Patients should also reserve the right to have third party users dispose of their data upon request.
• Adequate Privacy and Security Safeguards – Ensure participating stakeholders can adequately safeguard patient information by using existing best practices for secure storage and complying with applicable breach notification requirements. Moreover, HHS must work with the FTC and state attorneys general to develop mechanisms to report, supervise, and prosecute privacy and security lapses.
• Documentation of the open API specifications and required security controls – Provide clear attestation of the open API specifications as defined for patient data, the security requirements and controls imposed on healthcare providers, and the third-party platform obligations in managing patient data. 
• Patient Consent and Terms of Use – CMS and HHS should work proactively with the patient, provider and payer community to ensure users have informed proactive consent when user data is shared with a third party. In addition – there should be clear protections in place to ensure third party vendors use patient data solely for purposes in which the patient has expressly given informed proactive consent, including cases where patient information may be sold, and that patients retain the right to direct any party that has acquired their data to delete it upon request. Further, those accessing patient data should be prohibited from conditioning continued access on agreement by the patient to share their data with third parties. 

Thank you for your consideration your commitment to advancing interoperability to improve patient care. I believe the outline I have shared would strengthen and ensure the rule achieves its intended purpose.  It is my hope and belief that we can achieve both a higher level of interoperability and patient access to their data, as well as, strong protections for that information. I look forward to continued work with you on this important issue and our shared goals.

Sincerely,

###

WASHINGTON – U.S. Sens. Mark R. Warner and Tim Kaine (both D-VA) today applauded the news that the Chinese government will lift the import ban on U.S. poultry products that has been in place since 2015, effective immediately.

“For years, we have raised concerns about China’s unfair ban on U.S. poultry products and today’s announcement that the ban will be lifted, effective immediately, is great news for Virginia poultry producers,” said the Senators. “While we’re pleased by today’s news that this unreasonable and arbitrary policy will be reversed, we remain deeply concerned that the Trump Administration still appears to lack a comprehensive strategy to deal with China’s unfair trade practices and the long-term threats to U.S. jobs and national security posed by China’s rampant intellectual property theft and economic espionage. We strongly urge the President not to lose sight of those important goals, or the pain the Administration’s tariffs continue to cause for many of Virginia’s businesses, workers and consumers.”

In July 2017, Sen. Warner and Sen. Kaine sent a letter to U.S. Secretary of Agriculture Sonny Perdue, urging the Trump Administration to push the Chinese government to end its ban on the sale of American poultry products. In February of this year, Sen. Warner and eight other bipartisan Senators sent a letter to U.S. Trade Representative Robert Lighthizer, calling on the Trump Administration to reach a trade agreement with China lifting the ban on U.S. poultry and other barriers to U.S. agriculture products while also addressing issues such as Chinese intellectual property theft, forced technology transfer, and unfair subsidies for state-owned enterprises.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee, joined his Senate colleagues in requesting information from the U.S. Department of Veterans Affairs (VA) and the U.S. Department of Defense (DoD) on the agencies' efforts to educate veterans and servicemembers about online disinformation campaigns and other malign influence operations by Russian, Chinese, and other foreign entities. Today’s letters follow a two-year investigation by Vietnam Veterans of America (VVA) that documented persistent, pervasive, and coordinated online targeting of American servicemembers, veterans, and their families by foreign entities seeking to disrupt American democracy.

In particular, the VVA report found that the Russian Internet Research Agency (IRA) specifically targeted American veterans and the social media followers of several congressionally-chartered veterans service organizations during and after the 2016 election. The report also revealed that foreign entities are targeting servicemembers and veterans for the purpose of interference in the upcoming federal election.

Virginia is home to roughly 714,000 veterans, approximately 130,000 active duty servicemembers, and their families.

In their letter to VA Secretary Robert Wilkie, the Senators noted that while the VA has prioritized the security of its information systems and infrastructure – including veterans' personal information – the VA does not appear to have an established strategy for educating veterans about online disinformation efforts targeting them. The Senators urged Secretary Wilkie to consider implementing the VVA report's recommendations.

“While countering disinformation targeting veterans is not a core VA function, identifying these tactics helps improve veterans' cyber security and their ability to detect and avoid falling prey to scams and other forms of manipulation,” the Senators wrote in their letter to VA.

In their letter to Defense Secretary Mark Esper, the senators acknowledged DoD has worked to deter online disinformation and other malign influence campaigns by foreign adversaries, but they also called on the Department to implement VVA's recommendations, consistent with existing efforts to counter foreign malign influence operations.

“Malicious foreign actors are targeting servicemembers using disinformation through social media platforms and other online tools and ... countering foreign interference in American elections is critical to protecting the integrity of our democracy,” the Senators wrote in their letter to DoD.

The VVA report's recommendations for addressing online disinformation targeting servicemembers include directing DoD to “create a working group to study the security risks inherent in the use of common personal electronic devices and apps at home and abroad by servicemembers,” and to “direct commanders to include personal cybersecurity training and regular cyber-hygiene checks for all servicemembers.”

The report also recommended that the VA immediately develop plans to make the cyber-hygiene of veterans an urgent priority within the VA, and educate and train veterans on personal cyber security, “including how to identify instances of online manipulation.”

In addition to Sen. Warner, the letter was led by Sen. Elizabeth Warren (D-MA) and cosigned by Sens. Sherrod Brown (D-OH), Tammy Duckworth (D-IL), Richard Blumenthal (D-CT), Edward J. Markey (D-MA), Chris Van Hollen (D-MD), Richard Durbin (D-IL), Democratic Whip, Catherine Cortez Masto (D-NV), Tom Udall (D-NM), Bernie Sanders (I-VT), Tammy Baldwin (D-WI), Doug Jones (D-AL), Ron Wyden (D-OR), Robert Menendez (D-NJ), Ranking Member of the Senate Foreign Relations Committee, Mazie Hirono (D-HI), Kirsten Gillibrand (D-NY), Jack Reed (D-RI), Ranking Member of the Senate Armed Services Committee, Amy Klobuchar (D-MN), Ranking Member of the Senate Rules Committee, and Kamala Harris (D-CA).

Following Russia’s unprecedented use of social media to sow discord and influence the 2016 presidential elections, Sen. Warner wrote a social media white paper highlighting ways to protect users on social media against misinformation and disinformation campaigns. Sen. Warner has also written and introduced a series of bipartisan bills designed to protect consumers and reduce the power of giant social media platforms like Facebook. His work as Vice Chairman of the Senate Select Committee on Intelligence helped uncover Russia’s extensive efforts to exploit social media in the 2016 elections.

A copy of the letter to the VA can be found here. A copy of the letter to the DoD can be found here.

###

WASHINGTON – U.S. Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, today raised concern with the U.S. Department of Health and Human Services (HHS)’s failure to act, following a mass exposure of sensitive medical images and information by health organizations. In a letter to the HHS Director of the Office for Civil Rights, Sen. Warner identified this exposure as damaging to individual and national security, as this kind of information can be used to target individuals and to spread malware across organizations.

“I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it,” wrote Sen. Warner. “As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.”

“These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization,” he continued. “In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected.”

On September 17^th, a report revealed that millions of Americans had their private medical images exposed online, due to unsecured picture archiving and communication servers (PACS) that utilize the Digital Imaging and Communications in medicine (DICOM) protocol. Along with the medical images, these PACS also exposed the names and social security numbers of those affected, leaving this information open to anyone with basic computer expertise, as these required no authentication to access or download.

This exposure was uncovered by German researchers, who contacted the German Federal Office for Information Security (BSI). BSI then alerted the United States Computer Emergency Readiness Team (US-CERT), who confirmed the exposure and reached out to HHS. However, if they received this information, HHS has failed to act on it, even failing to list TridentUSA Health Services – one of the main companies responsible for the exposure – on its breach portal website.

In his letter to Director Roger Severino, Sen. Warner also raised alarm with the fact that TridentUSA Health Services successfully completed an HHS Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audit in March 2019, while patient images were actively accessible online.

Sen. Warner also posed the follow questions for HHS regarding the incident, and its current cybersecurity requirements and procedures:

1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?

     a. If so, what actions were taken to address the issue?

2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?

      a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?

3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?

4. Please describe your information security audit process.

5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

Sen. Warner has been a champion for cybersecurity throughout his career, and has been an outspoken critic of poor cybersecurity practices that compromise Americans’ personal information. In September, Sen. Warner wrote to TridentUSA Health Services to inquire about the company’s data security practices, following reports that a company affiliate exposed medical data belonging to millions of Americans. Earlier that month, Sen. Warner demanded answers from U.S. Customs and Border Protection (CBP) and South Korean company Suprema HQ, following separate incidents that affected both entities and exposed the personal, permanently identifiable data of many Americans. Sen. Warner has introduced legislation to empower state and local government to counter cyberattacks, and to increase cybersecurity among public companies.

The letter text can be found below and a PDF is available here.

Mr. Roger Severino
Director, Office for Civil Rights
Department of Health and Human Services
200 Independence Ave SW
Washington, DC 20201

Dear Director Severino,

As the health care industry increasingly harnesses internet connectivity and software, including machine learning systems, to improve patient care, a long overdue focus on data privacy and information security has come into sharper focus. This is particularly evident in light of reports that sensitive medical records of potentially millions of Americans were recently exposed online – and that your agency has done little to address this issue. Prompting even greater concern, one of the companies that left the data exposed online also successfully completed one of your Health Insurance Portability and Accountability Act (HIPAA) Security Rule compliance audits in March. I am alarmed that this is happening and that your organization, with its responsibility to protect the sensitive personal medical information of the American people, has done nothing about it. As your agency aggressively pushes to permit a wider range of parties (including those not covered by HIPAA) to have access to the sensitive health information of American patients, without traditional privacy protections attaching to that information, HHS’s inattention to this particular incident becomes even more troubling.

On September 17^th ProPublica published a shocking report that the sensitive medical images of millions of American patients were exposed online through unsecured picture and archiving and communications servers (PACS) that utilize the Digital Imaging and Communications in medicine (DICOM), protocol. The publicly-accessible information that had been accessed from Germany included MRI’s, X-rays, and CT scans, as well as names and social security numbers of the patients. The 13.7 million images found on the internet required absolutely no authentication to access or download. As of writing this letter, there are 779 million image records attached to 21.6 million patient records, impacting an estimated 5 million patients in 22 states. The largest system accessed holds 61 million diagnostic images attached to 1.23 million exam records of American patients and remains available on the internet.

In late August, German researchers initiated an investigation to determine the global accessibility and remote access capabilities of PACS. On September 9^th, the researchers concluded their two week inquiry and submitted their findings to the German Federal Office for Information Security (BSI). By September 17^th, BSI had addressed the affected systems which were removed from the internet prior to the publishing of the ProPublica report.

After US-CERT was notified of the problem by BSI, US-CERT contacted the German researchers at Greenbone Networks, confirming they received the data on September 20^th. US-CERT stated the agency would convey the information to the U.S. Department of Health and Human Services (HHS). According to the researchers, however, there has been no further communication from US-CERT or HHS, even though data privacy authorities from other countries like France and the UK contacted Greenbone Networks following the publication of ProPublica’s report.

On September 23^rd, I wrote to TridentUSA Health Services expressing my concern regarding the issues raised in the ProPublica report, and pointed out that MobilexUSA, a TridentUSA Health Services affiliate, was identified as controlling one of the unsecured PACS. On October 15^th, the German researchers demonstrated to my office a number of US-based PACS have open ports, supporting unencrypted communications protocols, exposing images to the internet like chest X-rays and mammograms, and identifying details like names and social security numbers. Those images and medical records continue to be accessible.

These reports indicate egregious privacy violations and represent a serious national security issue -- the files may be altered, extracted, or used to spread malware across an organization. Earlier this year, researchers demonstrated that a design flaw in the DICOM protocol could easily allow an adversary to insert malicious code into an image file like a CT scan, without being detected. The researchers who discovered the flaw in the DICOM protocol were able to use a polyglot file, which can contain more than one stream of data with different file formats, and hide the malicious code in the scan. In their current unencrypted state, CT, MRI and other diagnostic scans on the internet could be downloaded, injected with malicious code, and re-uploaded into the medical organization’s system and, if capable of propagating, potentially spread laterally across the organization.

In their response to my letter, TridentUSA Health Services noted that they successfully completed the Department of Health and Human Services audits, confirming compliance with the HIPAA Security Rule, the last of which concluded in March 2019, while patient images were accessible online.

While the information security lapses by the medical companies using the PACS are clear, it is unclear how your agency has addressed this issue. As of the writing of this letter, TridentUSA Health Services is not included on your breach portal website, and I have seen no evidence that, once contacted by US-CERT, you acted on that information in any meaningful way.

To understand how such an enormous oversight in your organization has allowed medical companies to leave insecure ports open to the internet and accessed repeatedly by a German IP address, I ask that you answer the following questions:

1. Did HHS receive a notice from US-CERT regarding the open PACS ports available with diagnostic imaging available on the internet without any restrictions?

     a. If so, what actions were taken to address the issue?

2. What evidence do you require organizations to produce during a HIPAA Security Rule audit? Are organizations asked to turn over their audit logs? How does OCR review the logs?

      a. Does OCR have information security experts on staff or does it rely on external consultants as part of these audits?

3. What are the follow-up procedures if an organization’s log files reveal access to sensitive data from outside the United States, such as in this case?

4. Please describe your information security audit process.

5. Please describe your oversight of the DICOM protocol and PACS security. Do you require organizations to implement access controls? If so, what kind? Do you require full-disk encryption and authentication for PACS? Are the DICOM protocol implementations included in the audits?

The American people deserve to have their sensitive private information protected and their government held accountable for enforcing the rules in place to keep that information private. I hope that you will share what immediate actions you are taking, along with answering the questions above. I look forward to hearing your response no later than November 18, 2019.

Sincerely,

###