Alison Young

USA TODAY

Recent glaring safety lapses involving anthrax, smallpox and a dangerous strain of bird flu are the latest violations at a half-dozen laboratories run by federal health agencies, 11 labs run by universities and eight more operated by state, local or private entities, according to government reports stamped "restricted" obtained by USA TODAY under the Freedom of Information Act.

The reports by the Office of Inspector General at the U.S. Department of Health and Human Services cited inadequate security procedures, lax inventory records for germs that could be used as bioterror agents and training concerns. Auditors warned in reports issued from 2006 to 2009 that such issues could have compromised the labs' abilities "to safeguard select agents from accidental or intentional loss and to ensure the safety of individuals who worked with select agents."

Auditors also found that the Centers for Disease Control and Prevention, which is responsible for policing U.S. labs working with potential bioterror germs, largely failed during its inspections to catch serious security lapses when samples were shipped by 20 labs. CDC also didn't quickly document corrections at other labs after issues were flagged by auditors, the reports say.

The inspector general reports provide a rare glimpse into the secretive world of bioterror lab safety and the oversight of government, university and private labs. The reports, which were redacted before being released to USA TODAY, were previously distributed only to "authorized officials" because of "the sensitivity of issues we identified" and are stamped with warnings that they contain "restricted" information. The inspector general's office said it was restricted by law from saying whether it has completed other, more recent audits involving bioterror labs.

Despite a history of audit reports by the inspector general and years of reporting by USA TODAY flagging safety and security lapses, CDC has described high-profile anthrax and other recent mistakes as a wake-up call. On Tuesday, CDC Director Tom Frieden acknowledged further shortcomings in not recognizing potential warning signs.

"CDC responded to particular incidents in the past, but we did not recognize the broader pattern, and we did not act in a way that addressed that broader pattern effectively," Frieden said. "We are now taking comprehensive, urgent steps to strengthen the culture of laboratory safety at CDC."

On Wednesday, Frieden and independent biosafety experts will testify before an oversight subcommittee of the House Committee on Energy and Commerce examining the CDC anthrax incident. In June, the CDC discovered that some of its scientists in Atlanta had used an ineffective and unapproved method to inactivate anthrax spores before shipping specimens to other CDC labs that lacked safety equipment to work with live bacteria. None of the employees has shown signs of infection, and the agency has said the risks are remote.

Last Friday, the CDC disclosed that while investigating the anthrax incident the agency learned that a different group of CDC researchers had made another shocking mistake: They cross-contaminated a relatively benign strain of bird flu with the dangerous H5N1 strain, then shipped the specimens to a lab at the U.S. Department of Agriculture, which discovered the error when birds in their lab unexpectedly became very ill and died. CDC staff also delayed reporting the error to supervisors for weeks, Frieden said. The H5N1 flu strain, which in rare cases has seriously sickened people, has the potential to significantly harm the U.S. poultry industry if the virus spread to flocks outside the labs.

In a lapse involving two other federal agencies, forgotten vials of deadly smallpox virus were discovered this month at labs operated by the U.S. Food and Drug Administration at the National Institutes of Health.

The recent incidents shouldn't have come as a surprise, said Richard Ebright, a biosafety expert from Rutgers university who is scheduled to testify Wednesday.

"CDC leadership was negligent to have ignored the issues raised in the annual HHS OIG reports and the 2012-2013 press reports" by USA TODAY, Ebright said.

Ebright notes that the CDC, along with animal-health experts at the U.S. Department of Agriculture, is jointly responsible for regulating government, university and private labs working with germs and toxins that have the potential to be used as bioweapons.

"There is no basis for confidence that biosafety and biosecurity standards are higher, or that inspections are more stringent, at non-CDC bioweapons-agents labs," Ebright said.

One of the questions being explored at Wednesday's hearing is whether the current federal lab inspection system is effective enough to detect problems and ensure safety.

In 2013, USA TODAY was first to reveal an initial series of "restricted" HHS inspector general reports written in 2008, 2009 and 2010, also obtained under the FOIA, that cited CDC's labs for failing to properly secure potential bioterror agents and not training employees who work with them.

In 2012, USA TODAY obtained internal CDC e-mails and other records showing a $214 million bioterror germ lab complex at the agency's Atlanta headquarters has had repeated problems with airflow systems designed to help prevent the release of infectious diseases. The agency even used duct tape during 2007 and 2008 to seal a containment door of a lab where Q Fever research had been done.

CDC has not responded to USA TODAY's requests, under the Freedom of Information Act, filed in June 2012, for records involving lab safety and security incidents at the lab complex.

The latest set of "restricted" inspector general audits covered six federal entities conducting research on potential bioterror germs. Additional audits looked at how the agents are shipped and compliance at labs run by a sampling of universities and state, local and private labs.

For security reasons, the IG's office removed the names of the government agencies, universities and private firms that were running the labs. The specific germs or toxins were also withheld.

Among the reports' findings:

• An August 2009 report cites an undisclosed federal lab for not always restricting access to bioterror agents to approved individuals; failing to maintain complete records of who had accessed the specimens and not ensuring that individuals working with the specimens received proper training. In some cases, the agency had failed to cancel the electronic "swipe cards" and biometric access rights of people no longer authorized to be in the areas. "The Laboratory's access records showed that the three individuals entered select agent areas a total of 35 times after their access rights were terminated," the report notes.

• A June 2006 summary report examining labs at 15 universities found weaknesses at 11 of them. Three had incomplete inventory records. One university told auditors it "could not verify inventory records because it lacked qualified personnel to safely perform this function." Six universities were cited for issues that could have allowed unapproved individuals to access areas where specimens were stored, including one university where unapproved individuals could have generated keys for themselves and others.

• A January 2008 summary report about issues at state, local, private and commercial labs, which was sent to Julie Gerberding, the CDC's director at the time, found problems at all of them that "could have compromised the ability to safeguard select agents from accidental or intentional loss." The issues included not adequately restricting access to approved individuals, insufficient security plans and lack of documented training. Although the eight entities had agreed with auditors' recommendations for corrections, the IG noted that six months had passed and CDC lab inspectors still hadn't documented corrections and submitted reports to auditors.

• An April 2009 audit sent to the CDC's acting director at the time, Richard Besser, found problems in the transfer of specimens between undisclosed labs and failures by labs to ensure that only approved individuals received the packages. "Allowing unapproved individuals to handle select agents increased the risk that the agents could be lost or stolen, thereby potentially posing a severe threat to public health and safety," the auditors wrote. Yet CDC's lab inspectors were not adequately monitoring or enforcing requirements that labs protect against loss or theft during such transfers. Of 24 entities where auditors found unauthorized individuals accepting delivery of specimen packages, CDC inspectors had cited only four of them. CDC spokesman Tom Skinner said this week the agency has strengthened its inspection process since the report was written.

• A December 2009 audit involved a federal agency that described itself in an attached response letter as "the Nation's premier biomedical research institution." The National Institutes of Health has used that phrase in online publications to describe itself. Violations cited in the report included failure to maintain accurate and current inventory records. "The laboratory did not conduct a physical count until apprised of our audit in October 2008, at which time the laboratory determined that it had seven vials of select agents that were not recorded in the inventory records," auditors wrote. The types of germs in the vials, which the report said dated from the 1960s, were redacted from the report. The agency in its response said auditors had overstated the potential consequences of their findings. Auditors wrote that they disagreed. The NIH press office, in a statement, said it was not able to confirm that the report is about its agency.

All of the reports about federal entities involve agencies that are part of HHS, according to the letterhead of agency response letters that had the specific agency name removed. HHS officials did not respond to USA TODAY's interview request about the IG reports, and referred all questions to the CDC. In addition to the CDC, the two other federal agencies involved in the forgotten smallpox vials — the FDA and NIH — are also part of HHS.

The vials of smallpox were discovered in a cold storage area at the National Institutes of Health that had been operated since 1972 by the U.S. Food and Drug Administration, when the FDA took over regulation of vaccines, including the smallpox vaccine.

By international agreement, after smallpox was globally eradicated in the late 1970s, only two labs in the world were authorized to retain samples: the CDC in Atlanta and a lab in Novosibirsk, Russia.

The smallpox vials appear to date from the 1950s, and tests by the CDC have found some of the virus is still alive. Both FDA and NIH are investigating how samples of such a deadly and restricted virus went unnoticed for decades.

The FDA discovered the vials while it was doing an inventory of its lab space at the NIH in Bethesda, Md., in preparation for moving the labs to an FDA complex in Silver Spring, Md. It remains unclear why FDA had apparently not inventoried the cold storage area in decades.

FDA spokeswoman Erica Jefferson on Tuesday said the incident is still under investigation. She noted that laboratory practices and regulatory requirements have "undergone huge changes" since 1972.

"FDA has already completed an inventory of all common storage areas in its NIH campus buildings and found no other materials of public health concern," she said. "We are carefully examining our policies and procedures regarding the security of our laboratories and storage of biologic specimens."

NIH, in a statement to USA TODAY, said it is conducting a comprehensive search of all of its facilities to look for other select agents, toxins or hazardous biological materials improperly stored in any of our facilities. The plan requires investigators to examine all freezers, refrigerators, cold rooms, storage shelves and cabinets, as well as other storage areas and offices.

Follow USA TODAY investigative reporter Alison Young on Twitter: @alisonannyoung