The Data Integrity Crisis: Why 61% of FDA Warning Letters Cite the Same Thing
Find out why data integrity is the single most common category of FDA enforcement action.
Last month we covered what the December 2025 BIMO guidance says about electronic systems. This week we’re covering what FDA keeps finding wrong.
And it’s the same problem, over and over again.
REGULATORY ALERT
Data integrity violations appear in 61% of FDA warning letters. Not 61% this year. Not a one-time enforcement spike. This pattern holds across 2021 through 2025, making data integrity the single most common category of FDA enforcement action - surpassing traditional GMP deficiencies.
If you think this is a manufacturing problem, think again. Clinical research sites are squarely in the crosshairs.
The December 2025 BIMO inspection guidance made this explicit. For the first time, FDA enumerated in a single authoritative document exactly what they can inspect:
Paper and electronic records
Electronic systems used to hold, analyze, process, or transfer data
Audit trails
Facilities and equipment used to generate research data
Electronic systems are no longer background infrastructure. They are primary inspection targets.
One legal analysis put it plainly: “Electronic systems are now front-and-center in BIMO inspections.”
Remote Regulatory Assessments are now permanent. The guidance formally incorporates RRAs into the BIMO program. FDA can request electronic records access, conduct virtual interviews, and livestream facility reviews without stepping on site. Both pre-announced and unannounced inspections remain explicitly authorized.
This creates a new compliance reality: your electronic systems must be inspection-ready at all times, not just when FDA schedules an on-site visit.
What FDA has been finding: Legal commentators analyzing 2025 BIMO activity noted “robust inspection activity” with “particular focus by FDA on data integrity, recordkeeping and adequacy of investigations and corrective and preventive actions.” Both domestic and foreign sites faced scrutiny, with FDA expressing public concern about data integrity issues at overseas entities conducting research.
Your immediate actions:
Review all electronic systems (EDC, CTMS, eCOA, laboratory systems, EHR integrations, investigational product accountability) for 21 CFR Part 11 compliance
Audit electronic records access controls and audit trail functionality
Assess vendor management practices and validation documentation
Conduct a mock BIMO inspection focusing on electronic systems review
Train staff on responding to RRA requests for records and virtual interviews
Document delegation logs, training records, and protocol compliance evidence
The December BIMO guidance didn’t create new rules. It told us what FDA has been doing quietly. And electronic systems are now the center of that scrutiny.
SITE HACK OF THE WEEK
The Problem: Most sites can list their electronic systems. Few can prove those systems meet 21 CFR Part 11 compliance standards. And FDA is asking.
The Solution: Your Part 11 Quick-Check. This is the 15-minute audit you can run Monday morning before your first patient visit.
Six systems every site should review:
Electronic Data Capture (EDC)
Clinical Trial Management Systems (CTMS)
Electronic Clinical Outcome Assessment (eCOA)
Laboratory Information Management Systems (LIMS)
EHR integrations
Investigational Product accountability systems
For EACH system, verify five requirements:
Does it have a secure, computer-generated, time-stamped audit trail? Section 11.10(e) requires this. Not optional. Not “nice to have.” Required.
Does the audit trail capture WHO, WHAT, WHEN, and WHY? The audit trail must independently record the date and time of operator entries and actions that create, modify, or delete electronic records. It must capture who performed an action, what action was performed, when it occurred, and why the change was made.
Can original data still be viewed after modifications? Record changes must not obscure previously recorded information. Original data must remain visible and accessible even after modifications.
Are there individual user accounts? Shared logins make accountability for data modifications impossible. FDA cited this exact problem in a 2024 warning letter: laboratory personnel using shared passwords to access analytical software, making it impossible to determine who modified data.
Is there vendor validation documentation on file? You need proof the system was validated to meet Part 11 requirements. If a vendor can’t provide validation documentation, that’s a red flag.
Immediate actions this week:
Eliminate shared logins across all systems
Test audit trail completeness (create a test record, modify it, delete it, then verify the audit trail captured all three actions with timestamps and user identification)
Review vendor contracts and validation documentation
Document data backup and recovery procedures
Train staff on data integrity principles and Part 11 requirements
Include this quick-check in your Site Survival Toolkit - the compliance checklist we built for exactly these situations.
FROM THE FIELD
Let me tell you what happens when electronic systems don’t meet Part 11 standards.
Applied Therapeutics, November 2024. This warning letter is the most instructive recent example of data integrity enforcement consequences.
What happened: deleted electronic clinical outcome assessment data covering primary AND secondary endpoints. FDA could not access, copy, and verify records for certain electronic data.
FDA’s exact words: the company’s failures “raised significant concerns about the validity, reliability, and integrity of the data.”
The consequences:
Complete Response Letter issued
NDA approval denied
Shareholder lawsuits followed
Leadership changes announced
The escalation pattern tells you everything. The Form 483 initially cited 11 subjects at one site. By the time the warning letter was issued, FDA expanded scope to all 47 participants across the entire study.
This is not a small site cutting corners. This is what happens when electronic systems do not meet Part 11 standards. And the December BIMO guidance just made it crystal clear that FDA will be looking.
The 2024 horror stories from other warning letters:
Torn batch records discovered in plastic bags on rooftops
Analysts destroying laboratory documents with acetic acid
QC computers taken home by employees who became unreachable during inspections
Laboratory personnel using shared passwords, making accountability for data modifications impossible
Data files found in computer recycling bins with no audit trail record of deletion
These are not theoretical risks. These are actual FDA findings from actual warning letters issued in the last 18 months.
Here’s what keeps me up at night: the gap between what sites think they have and what FDA will accept as evidence. Sites assume their EDC vendor handles Part 11 compliance. They assume audit trails are automatic. They assume access controls are sufficient.
Then FDA shows up and asks to see the audit trail for a specific data point. And the site discovers the audit trail doesn’t capture why the change was made. Or the original value isn’t visible after modification. Or the vendor validation documentation is three years old and doesn’t cover the current system version.
WHAT WE’RE BUILDING
Protocol complexity compounds data integrity risk.
When CRCs juggle 17+ systems daily - EDC, CTMS, eCOA, IWRS, laboratory portals, sponsor portals, IRB portals, pharmacy systems, imaging systems, patient visit schedulers, consent platforms, and more - audit trail gaps, missed documentation, and access control failures become inevitable.
Cognitive overload creates compliance gaps.
Our ai-powered chat and voice bot reduces cognitive load on the protocol reference side so coordinators can focus attention where it matters most: documentation quality and data integrity. Instead of hunting through 300-page protocols for visit window calculations or washout period requirements, coordinators get instant answers and can redirect that mental energy toward ensuring every data point has a complete audit trail.
No system can replace rigorous data integrity practices. But reducing the friction on protocol questions creates space for coordinators to do the detail work that keeps sites inspection-ready.
Next week: FDA issued two warning letters in five days for the same violation. We’re breaking down what happened and what every site needs to verify before enrolling another subject. Subscribe to stay in the loop.