A report released by the U.S. Department of Health and Human Services (HHS) Office of Inspector General revealed that the National Institutes of Health (NIH) failed to ensure strong cybersecurity protections for the “All of Us” program, which stores personal health data and biosamples from more than 1 million participants.

The report states that while the program’s Data and Research Center had implemented some safeguards, NIH did not ensure that other key controls were in place. It found that the awardee running the system did not properly limit data access, address national security risks tied to genomic data, or fix security and privacy gaps within required timelines.

HHS issued five security recommendations. NIH agreed with all recommendations in the report and said it has already begun acting on them.

The awardee managing the Data and Research Center has created an access-control process and plans to reassess its security classification, considering national security risks tied to genomic data. The audit was launched due to rising cyber threats and the risk of exposing sensitive information, with the watchdog examining the program’s access, security, and privacy controls.