The Army laboratory identified by prosecutors as the source of the anthrax that killed five people in the fall of 2001 was rife with such security gaps that the deadly spores could have easily been smuggled out of the facility, outside investigators found.
The existing security procedures -- described in two long-secret reports -- were so lax they would have allowed any researcher, aide or temporary worker to walk out of the Army bio-weapons lab at Fort Detrick, Md., with a few drops of anthrax -- starter germs that could grow the trillions of spores used to fill anthrax-laced letters sent to Congress and the media.
The two reports, which have not been made public for more than nine years, describe a haphazard system in which personnel lists included dozens of former employees, where new hires were allowed to work with deadly germs before background checks were done and where stocks of anthrax and other pathogens weren't adequately controlled.
Fort Detrick since has adopted new bio-security measures. But the security reports by independent government specialists suggest that deadly anthrax stocks may have been more accessible than investigators assumed in declaring Army scientist Bruce Ivins the perpetrator.
The letters, mailed to two U.S. senators and at least three media outlets, panicked the nation in the immediate aftermath of the 9/11 terrorist attacks. The Justice Department says the letter spores derived from a flask controlled by Ivins at Fort Detrick.
Marked "for official use only," the two reports were completed in 2002. One was conducted by a seven-member team from Sandia National Laboratories in Albuquerque, N.M. The other was by auditors for the Army's inspector general's office.
The teams evaluated security at the U.S. Army Medical Research Institute of Infectious Diseases (USAMRIID), then the lead federal lab for developing vaccines and other medical defenses against biological weapons.
McClatchy, the online investigative newsroom ProPublica and PBS's "Frontline," which have collaborated in an examination of the Justice Department's case against Ivins, obtained copies of both reports.
The reports are expected to be made public later this week in a $50 million lawsuit filed in federal court in West Palm Beach, Fla., by family members of Robert Stevens, a photo editor for American Media Inc., who was the first person to die from the anthrax attacks.
"It's about time," said Richard Schuler, a lawyer for the family. "The public should know about the way security for deadly pathogens was being handled -- or mishandled -- by the Department of the Army and the government in the period leading up to the 2001 anthrax attacks."
A psychological report on Ivins, who committed suicide in July 2008, said Ivins had "diagnosable mental illness" when he was hired in 1980, and that his mental health should have disqualified him from obtaining a "secret-level" security clearance.
Ivins died of an overdose soon after learning that prosecutors were seeking approval to charge him with five counts of murder. The FBI case was largely circumstantial, although prosecutors say their most direct evidence was the genetic link between anthrax in the letter powder and spores in Ivins' flask of liquid anthrax.
Before posthumously declaring Ivins the killer, the Justice Department said, the FBI eliminated as suspects as many as 419 people. Those individuals would have had access to Ivins' flask, which was stored in an airtight "hot suite" at Fort Detrick, or to spores he'd shared with colleagues or outside researchers, including scientists at the Battelle Memorial Institute in West Jefferson, Ohio.
The Sandia report emphasized that terrorists had obtained germs from research labs before. It cited a February 2001 National Defense University study that found 11 cases in which terrorists or other "non-state operatives" had acquired biological agents from "legitimate culture collections," including three research or medical laboratories.
Despite USAMRIID's sobering mission, the Sandia report said, the western Maryland lab had developed a work environment in which employees failed to make the same "indisputable commitment to security" as they did to research.
"The current biosecurity system at USAMRIID does not adequately protect HCPTs (high-consequence pathogens and toxins) and related information," wrote the Sandia team, headed by security expert Reynolds Salerno.
The report said no rules governed movement of germ specimens from one building to another, for example, and that a test tube containing some of Ivins' spores was left for weeks in a refrigerator in a second building.
Fort Detrick's personnel database failed to list 213 of USAMRIID's employees but did include 80 who had left their jobs, the Sandia report said. A separate human resources roster listed 56 people who had left but not 12 who worked there.
Conflicting rosters didn't necessarily signal a security weakness, the Sandia team wrote, but they contributed to "perceived chaos in the personnel system" at the facility.
Even if all those things had been perfect, the examiners said, there was little way to detect diversions from flasks of germs, because a "malevolent" worker could grow more of the pathogen or find other ways to conceal the removal of a small amount.
Asked about the studies, a Justice Department spokesman said in a prepared statement that the FBI looked at everyone who had card-key access to the "hot suites," including researchers with up-to-date vaccinations, then thoroughly investigated "all individuals with theoretical access" to Ivins' spores in advance of the mailings.
The Army auditors, who studied security throughout Fort Detrick, not just at USAMRIID, made clear that pathogens in the bio-weapons facility were "not afforded a standard, minimum level of protection" similar to that for nuclear and chemical weapons.
Although a 22-year-old Army regulation governing the management of hazardous biological substances was in effect in 2001, the Army auditors wrote, two of the three labs at Fort Detrick weren't aware of it and the other ignored it as outdated.
The Army report also said that contractor labs, such as Battelle, had limited regulation and no screening of individuals working with anthrax and other pathogens, creating "the potential for unauthorized access to these materials."
USAMRIID has long since committed to a major overhaul of its security system and adopted a comprehensive Army "biosurety program" in 2003 that included closer tracking of inventories of various germs.
Employees with access to the "hot suites," which are designed to contain anthrax and other pathogens during experiments, must now submit to regular medical, mental health and behavior screening, including monitoring of their use of prescription drugs.
"The safety of the USAMRIID staff and the security of the biological agents on which it works," spokeswoman Caree Vander-Linden said, "have always been top priority, even before the events of 2001."