A Vendor Deleted 47 Patients' Audit Trails
TL;DRAI summary
- A vendor deleted electronic records and audit trails for all 47 patients two days after FDA preannounced its inspection.
- A Form 483 and a Warning Letter followed. FDA could not verify the study data in the system.
- Five recurring 483 audit-trail findings are preventable with immutable, tamper-evident, exportable trails.
On March 27, 2024, two days after FDA preannounced a site inspection, a third-party vendor deleted electronic clinical outcome assessment (eCOA) data in Q-global, including the associated audit trails, for all 47 subjects enrolled in an Applied Therapeutics study. FDA’s Warning Letter, dated November 27, 2024 and published December 3, records the deletion and its consequence in the agency’s own words: FDA “was unable to access and copy and verify records and reports relating to the study.”
Read the sequence and it gets worse. The inspection ran April 29 to May 3, 2024, and produced a Form 483. FDA issued a Complete Response Letter on November 27, 2024, the company disclosed the Warning Letter on December 2, and two shareholder lawsuits followed on December 17 and December 27, per Cooley’s analysis of the case. The trial also missed its composite primary endpoint, and FDA has not published the CRL, so nobody outside the agency can say how much the deleted records weighed in the rejection. Sequence is enough. If you run sponsor oversight, contract with a CRO, or sign off on a clinical study report, this is the failure mode you insure against.
What FDA could and could not verify
The vendor deleted records the agency had come to inspect, two days after telling the company it was coming. Applied Therapeutics told FDA it recovered the data from the Q-global backup, all but 11 tests, and that item-level responses had been captured in PDF and paper score reports beforehand. So the underlying answers survived in some form.
The audit trails did not survive in the system that held them. FDA’s objection is narrower than “the data is gone” and harder to cure: the agency could not verify the records in Q-global, with their trails, which is what verification means. A PDF of a score report tells a reviewer what a value was. It cannot show who entered it, when, or whether someone changed it. Once the trail is gone, the record becomes an assertion, and an assertion is not evidence you can put in front of a regulator. We make the same argument about verification coverage in why 100% SDV is a myth: a dataset you cannot defend is not an asset, however complete it looks on the surface.
The Warning Letter adds a dosing finding. Between March and June 2021, clinical sites administered 80% of the protocol-required dose, and at least 19 subjects at one site received less drug than the protocol called for. Applied Therapeutics then “reported dose levels for subjects as stated in the protocol… rather than the actual dose levels administered.” Reported doses drifted from administered doses, and the outcome data measuring their effect sat in a system whose trails were later deleted.
Data integrity is where FDA writes people up
The Applied Therapeutics deletion sits at the extreme end of a documented pattern. In drug CGMP manufacturing enforcement between 2014 and 2018, roughly 79% of global drug warning letters and about 50% of global drug Form 483s cited data-integrity concerns, according to a Govzilla analysis summarized by Astrix. That figure covers manufacturing rather than clinical inspections, and Astrix notes that inspectors cite the CGMP predicate rules far more often than Part 11 itself. Take it as evidence of how seriously FDA treats records you cannot verify, not as a count of clinical audit-trail findings.
Most cases never involve a dramatic, timed deletion. They involve the quieter conditions that made the deletion possible: a system where a vendor could remove records, where no independent log captured the removal, and where nobody reviewed the trail until an inspector asked for it. Those conditions are common, and you can engineer them out.
The 5 recurring FDA 483 audit-trail findings
The recurring audit-trail categories map onto explicit requirements in 21 CFR Part 11 §11.10 and FDA’s Data Integrity and Compliance With Drug CGMP guidance. One note before the list, because precision matters when you are citing enforcement: FDA’s Warning Letter to Applied Therapeutics cites 21 CFR 312.58 and 314.50(d)(5)(iv), and no Part 11 violation at all. The first finding below is the one that played out in that case. The other four are the conditions that let a first finding happen.
1. No independent logging of admin and deletion actions
The core failure at Applied Therapeutics: a vendor deleted records, and the deletion took the trail with it. §11.10(e) requires secure, computer-generated, time-stamped audit trails that independently record the operator actions that create, modify, or delete electronic records. “Independently” is the load-bearing word. If the account that creates a record can also erase both the record and its trail, the trail is decorative. A defensible system logs administrative and deletion events to a store the record’s own users cannot reach or alter.
2. Shared credentials and weak e-signatures
Put several coordinators on one login and attributability collapses. You can see that a value changed, but not who changed it, which is the entire point of the trail. FDA’s CGMP data-integrity guidance is explicit: “when login credentials are shared, a unique individual cannot be identified through the login.” Part 11 §11.10(d) and §11.10(g) require that system access be limited to authorized individuals and that authority checks tie each action to a specific person. Unique, attributable credentials are the floor.
3. Original (pre-change) values not captured
A trail that overwrites looks complete while hiding the correction. §11.10(e) says record changes “shall not obscure previously recorded information.” When a coordinator edits a value from 40 to 400, the 40 has to survive somewhere retrievable. Systems that store current state and drop history fail this on their face, and an inspector who cannot see the 40 has no way to judge whether the 400 was a correction or a rewrite.
4. Missing or inconsistent timestamps and gaps
Inspectors read timestamps as a chain. Gaps, missing times, and events with no user attached break the chain and signal either a misconfigured system or a curated one. §11.10(e) requires the trail to record the date and time of operator entries and actions, so a system logging the what without a reliable when cannot support the reconstruction that FDA expects.
5. No periodic audit-trail review and no exportable trail
A trail nobody reads catches nothing until the inspection, by which point the problem is already in the submission. FDA’s CGMP guidance sets a risk-based expectation: where the regulations specify a review frequency for the data, review the audit trail on that same frequency, and where they do not, set the frequency using your own process knowledge and risk assessment. The second half of this finding is the one that mattered in the govorestat case. If FDA cannot access or export the trail during an inspection, the agency cannot verify the data. That was the outcome for all 47 subjects.
What a tamper-evident audit trail would have prevented
Walk the five findings back through a system built to be immutable and hash-chained, and each failure mode changes character.
| Recurring 483 finding | Ordinary system | Immutable, hash-chained trail |
|---|---|---|
| Admin/deletion logging | Vendor deletes records and trail together | Deletion is either blocked or leaves a permanent, self-evident break in the chain |
| Shared credentials | Change is visible, actor is not | Every event is signed to a unique identity |
| Lost original values | Edit overwrites the prior value | Append-only history retains the 40 behind the 400 |
| Timestamp gaps | Times missing or editable | Each entry is sequenced and cryptographically linked to the one before it |
| No review, no export | Trail surfaces only at inspection | Trail is reviewable on schedule and exportable on demand |
A hash-chained, append-only trail makes deletion either impossible or self-evident, because removing a link breaks the cryptographic sequence that follows it. Every action carries an attributable signature, original values persist, and the whole record exports for an inspector without a vendor’s cooperation. This is the model behind the Trialsights lab and site surveillance audit trail. It will not turn bad data into good data. What it gives you is a record of what happened that you can hand to FDA and stand behind, which is the thing Applied Therapeutics could not produce.
A vendor-oversight checklist for sponsors and CROs
The govorestat trail was deleted by a third-party vendor, not by Applied Therapeutics staff. Your oversight obligations do not stop at the systems you operate directly. Before you sign with an eCOA provider, an EDC vendor, or a central lab, put these requirements in the contract and verify them in a system demo.
- Immutable, append-only audit trails. No user role, vendor-side or sponsor-side, can delete records or their history. Prevents finding 1.
- Independent logging of administrative actions. Deletion, purge, and configuration changes write to a store separate from the data. Prevents finding 1.
- Unique, attributable credentials with no shared logins. Each action ties to one named person. Prevents finding 2.
- Retention of original values on every change. The pre-edit value stays retrievable. Prevents finding 3.
- Complete, sequenced timestamps with no gaps. Every event carries a reliable time and actor. Prevents finding 4.
- Scheduled audit-trail review and inspection-ready export. You can review on cadence and export the full trail from every third-party system on demand. Prevents finding 5.
Work each item against the specific finding it closes, and use it as a companion to the broader selection frameworks in our best clinical trial audit software guide, which covers what inspectors actually check, and the clinical trial compliance tools buyer’s guide. The vendor who cannot export a complete audit trail during a friendly demo will not produce one during a hostile inspection.
FAQ
What is an FDA Form 483 audit-trail finding? An inspection observation that a computerized system failed to keep a secure, complete, time-stamped record of who created, changed, or deleted data. The common ones are missing timestamps, no independent logging of admin actions, shared logins, lost original values, and no periodic review, each a deficiency against 21 CFR Part 11 §11.10(e) and FDA’s CGMP data-integrity guidance.
What happened with Applied Therapeutics’ FDA warning letter? During a BIMO inspection, FDA found a third-party vendor had deleted eCOA data and its audit trails in Q-global for all 47 subjects on March 27, 2024, two days after FDA preannounced the inspection. FDA stated it was unable to access, copy, and verify records relating to the study. A Form 483 and a Warning Letter dated November 27, 2024 followed. A Complete Response Letter and two shareholder lawsuits landed in the same window, though FDA has not published the CRL or tied it to the deletion.
What does 21 CFR Part 11 require for audit trails? §11.10(e) requires secure, computer-generated, time-stamped audit trails that independently record actions that create, modify, or delete electronic records, and it requires that record changes not obscure previously recorded information. FDA’s data-integrity guidance adds that you should review those trails on a risk-based frequency, matching the review frequency of the underlying data where the regulations specify one.
Can deleting clinical trial data trigger FDA enforcement? Yes. Deleting records or audit trails around an inspection leaves FDA unable to verify the data. In the Applied Therapeutics case FDA cited 21 CFR 312.58 for failure to permit access to records, and 21 CFR 314.50(d)(5)(iv) for failure to disclose data relevant to safety and effectiveness. A Form 483 and a Warning Letter followed the inspection.
Want to see a hash-chained, exportable audit trail on your own protocol? Book a demo and we will walk through the tamper-evident record inspectors can actually verify.
Frequently asked questions
What is an FDA Form 483 audit-trail finding?
A Form 483 audit-trail finding is an inspection observation that a computerized system failed to keep a secure, complete, time-stamped record of who created, changed, or deleted data. The most common ones are missing timestamps, no independent logging of admin actions, shared logins, lost original values, and no periodic review, all deficiencies against 21 CFR Part 11 §11.10(e) and FDA's CGMP data-integrity guidance.
What happened with Applied Therapeutics' FDA warning letter?
During a BIMO inspection, FDA found that a third-party vendor had deleted electronic eCOA data and its audit trails in Q-global for all 47 subjects on March 27, 2024, two days after FDA preannounced the inspection. FDA stated it was unable to access, copy, and verify records relating to the study. A Form 483 and a Warning Letter dated November 27, 2024 followed. A Complete Response Letter and two shareholder lawsuits landed in the same window, though FDA has not published the CRL or tied it to the deletion.
What does 21 CFR Part 11 require for audit trails?
Part 11 §11.10(e) requires secure, computer-generated, time-stamped audit trails that independently record operator entries and actions that create, modify, or delete electronic records, and it requires that record changes not obscure previously recorded information. FDA's data-integrity guidance adds that you should review those trails on a risk-based frequency, matching the review frequency of the underlying data where the regulations specify one.
Can deleting clinical trial data trigger FDA enforcement?
Yes. Deleting records or audit trails, especially around an inspection, leaves FDA unable to verify the data. In the Applied Therapeutics case FDA cited 21 CFR 312.58 for failure to permit access to records, and 21 CFR 314.50(d)(5)(iv) for failure to disclose data relevant to safety and effectiveness. A Form 483 and a Warning Letter followed the inspection.