Why 60-80% of FDA Warning Letters Still Cite Data Integrity in 2026

Executive Summary

Data integrity remains the single most common thread running through FDA drug GMP enforcement. Industry analyses of warning letters issued over the past two decades show that data integrity deficiencies appear in roughly 60 to 80 percent of pharmaceutical GMP warning letters. The pressure has not eased in 2026. FDA issued 303 drug warning letters in fiscal year 2025, a 59 percent jump from 190 the year before, and several early 2026 letters describe conduct that goes well beyond paperwork gaps: deliberate falsification, shared computer logins, missing or disabled audit trails, backdated records, and analytical records destroyed while investigators were still on site.

For pharmaceutical and over-the-counter (OTC) manufacturers, and for the contract laboratories that serve them, the message is direct. Inspectors expect every result that supports a release decision to be attributable, traceable, and complete from the moment it is created. When a site cannot demonstrate that, the finding is rarely treated as a minor observation. It is treated as a question about whether any of the company's data can be trusted.

This article explains what data integrity means under FDA expectations, why it dominates enforcement, what the 2026 warning letters reveal, the ALCOA+ controls that prevent these findings, and the practical steps companies should take now. It closes with how MFLRC supports data integrity gap assessments, audit-trail review, computer system validation (CSV), and CAPA programs across Canada, the United States, and Europe.

What Is Data Integrity, and Why Does FDA Care So Much?

Data integrity is the assurance that data is complete, consistent, and accurate throughout its entire life, from the moment it is generated to the moment it is archived and eventually retired. FDA cares because every batch release, stability conclusion, and out-of-specification (OOS) decision rests on data. If the data cannot be trusted, the product quality decision cannot be trusted either.

FDA set out its expectations in the 2018 final guidance, Data Integrity and Compliance With Drug CGMP: Questions and Answers. The guidance does not create new rules. It clarifies how existing current good manufacturing practice (CGMP) regulations in 21 CFR Parts 210, 211, and 212 already require reliable records, and it anchors those expectations in the ALCOA principle: data should be Attributable, Legible, Contemporaneously recorded, Original (or a true copy), and Accurate.

Over time the industry expanded ALCOA into ALCOA+, adding four further attributes: Complete, Consistent, Enduring, and Available. International regulators, including the MHRA, WHO, and the PIC/S inspectorates, use the same framework, which is why a data integrity programme built to ALCOA+ travels well across the FDA, EU, and Health Canada systems.

Why does it matter?

Data integrity is not an IT problem or a documentation nicety. It sits at the centre of patient safety. A falsified assay result can release a sub-potent or contaminated batch. A deleted chromatogram can hide a failing result. A shared login can make it impossible to know who actually performed a test. FDA treats these as quality system failures with patient-safety consequences, which is why findings escalate quickly.

How does it affect compliance?

A data integrity finding rarely stays contained. Once an investigator concludes that records were altered, deleted, or fabricated, the agency questions the reliability of the entire data set, not just the one record in front of them. That single conclusion can trigger a warning letter, an import alert, a consent decree, or in the most serious cases a criminal referral.

Why Data Integrity Dominates FDA Warning Letters

The 60 to 80 percent figure is striking, but it makes sense once you understand how inspections work. Investigators do not simply read the records a company hands them. They compare those records against raw data, audit trails, instrument clocks, sample weights, and the recollections of staff. Data integrity findings surface because the underlying CGMP regulations demand records that the inspection process is designed to test.

Three regulatory anchors do most of the work:

21 CFR 211.68 requires that automated and computerized systems have appropriate controls, including limited access and the ability to detect changes. This is where audit trail and access control findings live.
21 CFR 211.194 requires complete laboratory records of all data obtained during testing. The word complete is why deleting a single injection or re-testing into compliance is so dangerous.
21 CFR 211.22 requires an independent quality unit with authority to review and approve records. Failure to follow quality unit procedures, cited under 211.22(d), has been the most frequently cited drug CGMP observation for several years running.

For electronic records and signatures, 21 CFR Part 11 layers on requirements for validated systems, secure time-stamped audit trails, and unique user identification. When a site shares one login across an analytical team, or leaves audit trails switched off, it breaches both Part 11 and the predicate CGMP rules at the same time.

What the 2026 Warning Letters Reveal

Enforcement in fiscal year 2025 climbed sharply. FDA issued 303 drug warning letters, up 59 percent from the prior year, and the agency's drug centre reported that warning letters rose roughly 50 percent over the same period. Data integrity featured in about 15 percent of all FY2025 warning letters overall, but the rate was far higher in certain regions, reaching roughly 60 percent of letters issued to sites in some foreign jurisdictions.

The first quarter of 2026 has continued the pattern, and several letters stand out for the seriousness of the conduct described. Recurring themes include:

Deliberate falsification. Backdated entries, fabricated results, and testing performed after a record claimed it was already complete.
Shared logins and weak access control. Multiple analysts using a single account, so no result could be attributed to a specific person.
Missing or disabled audit trails. Systems configured so that deletions and changes left no trace, or audit trail review that was never performed.
Records destroyed during inspection. In the most serious cases, analytical records were torn up or discarded while FDA investigators were physically on site, and access to records was delayed or limited.

These findings appeared across both finished drug manufacturers and the contract laboratories and OTC producers that support them. The lesson for OTC and contract-service firms is that outsourcing testing does not outsource accountability. The brand owner remains responsible for the integrity of the data in its files.

A parallel signal came from the device side of FDA. In 2026 the agency announced it would reject testing data from two China-based third-party laboratories after inspections found pervasive failures in data management, quality assurance, and recordkeeping, including the failure to accurately record and verify key study data. Different centre, same principle: if the agency cannot trust how the data was generated, it will not accept the data at all.

ALCOA+ in Practice: The Controls That Prevent Findings

The ALCOA+ attributes are easy to recite and harder to operationalize. The table below translates each attribute into the specific control that an FDA investigator expects to see, and the failure mode that appears in warning letters when the control is missing.

ALCOA+ attribute	What it means	Control FDA expects	Common warning-letter failure
Attributable	Every record traces to a person and time	Unique logins, no shared accounts, e-signatures	One shared password for the whole lab
Legible	Records are readable and permanent	No pencil entries, no overwriting, durable media	Whited-out or overwritten results
Contemporaneous	Recorded at the time of the activity	Time-synced clocks, real-time entry	Results written hours or days later
Original	The first record, or a verified true copy	Retain raw data and source files	Only summary printouts kept, raw data deleted
Accurate	Free from error, reflecting the true result	Second-person review, calibrated instruments	Results edited to pass specification
Complete	All data, including repeats and failures	Capture every injection and OOS result	Failing injections deleted before review
Consistent	Logical sequence and date order	Controlled, sequential records	Backdated or out-of-order entries
Enduring	Preserved for the required retention period	Validated archives, protected backups	Records lost, corrupted, or destroyed
Available	Retrievable throughout the lifecycle	Indexed storage, readable on request	Access delayed or denied during inspection

Building these controls is rarely about buying more software. It is about configuration, procedures, and review discipline. Three areas deserve particular attention.

Audit trails must be turned on and reviewed

An audit trail that exists but is never reviewed is, in FDA's eyes, almost as bad as no audit trail at all. Procedures should define which audit trails are reviewed, by whom, how often, and what happens when an unexplained change is found. Audit trail review should be part of the routine analyst and quality unit review of results, not a once-a-year IT exercise.

Access control must remove shared accounts

Every user needs a unique identity with privileges matched to their role. Administrator rights that let an analyst delete data or change the system clock are a frequent root cause of findings. Separating analyst and administrator roles is one of the highest-value, lowest-cost controls a laboratory can implement.

Computer system validation must reflect real use

CSV demonstrates that a system does what it is supposed to do and prevents what it should not. Validation that ignores audit-trail functionality, user-access configuration, or data-retention behaviour leaves exactly the gaps inspectors probe. Validation should be risk-based and should be maintained as systems are patched and upgraded. MFLRC's pharmaceutical validation services cover process, equipment, cleaning, and computerized system validation.

Data Integrity Compliance Checklist

Use this checklist as a rapid self-assessment. A confident yes to every item is a reasonable indicator of readiness. Any no is a candidate for a documented gap and CAPA.

Every computerized system has unique user accounts, with no shared logins.
Administrator and analyst privileges are separated, and analysts cannot delete data or alter system clocks.
Audit trails are enabled on all GMP-relevant systems and cannot be switched off by users.
Audit trail review is defined in an SOP and performed as part of routine data review.
Raw data and original electronic files are retained, not just printed summaries.
All test data is captured, including repeat injections, aborted runs, and OOS results.
OOS and out-of-trend results are investigated under a documented procedure before any retest.
Computer systems are validated, and validation covers security, audit trail, and data retention.
Backups are validated, protected, and periodically tested for restoration.
A data governance policy assigns ownership and defines the data lifecycle.
Staff are trained on data integrity and on the consequences of falsification.
A data integrity risk assessment exists and is reviewed on a defined schedule.

Common Data Integrity Mistakes

Even well-run sites repeat a small set of avoidable errors. Recognizing them is the fastest route to prevention.

Treating data integrity as an IT topic. It is a quality and culture topic. Technology enables controls, but procedures, review, and leadership tone make them effective.
Reviewing results but never the audit trail. A passing result with an audit trail showing three deleted attempts is not a passing result.
Sharing logins for convenience. Speed today becomes an attributability finding tomorrow. There is no defensible reason to share GMP system credentials.
Testing into compliance. Repeating a test until it passes, while discarding the failures, is one of the clearest forms of falsification an inspector can identify.
Assuming contract labs carry the risk. The sponsor owns the data. Qualify contract laboratories, audit them, and review their raw data, not just their certificates of analysis.
Letting validation go stale. Systems get patched and upgraded. Validation that is not maintained no longer reflects the system in use.
Waiting for an inspection to find the gap. A proactive gap assessment costs a fraction of a warning letter response and keeps the company in control of the timeline.

How Does Data Integrity Connect to Health Canada and EU-GMP?

For companies operating across borders, the good news is that the core expectations align. Health Canada, the EU GMP system, the MHRA, and PIC/S all expect ALCOA+ data, validated computerized systems, secure audit trails, and a documented data governance approach. A site that builds a programme to satisfy FDA's 2018 guidance is well positioned for a Health Canada inspection or an EU-GMP audit, and the reverse is also true.

The practical advantage is efficiency. Rather than maintaining separate, jurisdiction-specific data integrity programmes, a regulated manufacturer can build one robust system and map it to each authority's expectations. This is exactly the kind of cross-border alignment that reduces duplicated effort and inspection risk.

Frequently Asked Questions

What percentage of FDA warning letters cite data integrity?

Industry analyses of warning letters over the past two decades indicate that data integrity deficiencies appear in roughly 60 to 80 percent of pharmaceutical drug GMP warning letters. In fiscal year 2025, data integrity featured in about 15 percent of all warning letters overall, but the rate was much higher for certain foreign sites, reaching around 60 percent in some jurisdictions.

What is ALCOA+ in pharmaceutical data integrity?

ALCOA+ is the framework regulators use to define reliable data. The original ALCOA attributes are Attributable, Legible, Contemporaneous, Original, and Accurate. The plus adds Complete, Consistent, Enduring, and Available. FDA, MHRA, WHO, and PIC/S all rely on this framework.

Does the FDA 2018 data integrity guidance still apply in 2026?

Yes. The 2018 guidance, Data Integrity and Compliance With Drug CGMP: Questions and Answers, remains FDA's primary data integrity guidance. It clarifies how existing CGMP regulations in 21 CFR Parts 210 and 211 apply to data, and it continues to underpin current enforcement.

What is the difference between an audit trail and access control?

An audit trail is the secure, time-stamped record of who did what to the data and when, including changes and deletions. Access control governs who is allowed to use a system and what they are permitted to do. Both are required. An audit trail without access control can be edited, and access control without an audit trail leaves no evidence of changes.

Are contract laboratories responsible for data integrity, or is the sponsor?

Both. The contract laboratory must maintain reliable data, but the sponsor or brand owner remains responsible for the integrity of the data in its regulatory files. FDA expects sponsors to qualify, audit, and review the raw data of the laboratories they rely on.

What should a company do first if it suspects a data integrity problem?

Contain the issue, preserve the records, and avoid any action that looks like concealment. Then conduct a documented investigation, assess the scope across affected products and time periods, and build a CAPA plan. Engaging an independent expert early helps demonstrate good faith and produces a defensible remediation record.

How MFLRC Can Help

Data integrity findings are preventable, and the most cost-effective time to act is before an inspection. MF License & Regulatory Consultants works with pharmaceutical, OTC, natural health product, and medical device companies across Canada, the United States, and Europe to build data governance that holds up under scrutiny. Our support includes:

Data integrity gap assessments. A structured ALCOA+ review of your systems, procedures, and records, with a prioritized findings report and remediation roadmap, delivered through our quality assurance services.
Audit-trail and access-control review, and inspection readiness through our audit services, including mock inspections and gap analyses aligned to FDA, Health Canada, and EU-GMP expectations.
Computer system validation (CSV). Risk-based validation that covers security, audit trail, and data-retention behaviour, maintained through patches and upgrades.
CAPA programmes. When a finding does occur, we help you investigate root cause, scope the impact, and build corrective and preventive actions that satisfy the agency and stick.
SOP development and training. Practical procedures and staff training that turn data integrity from a slogan into a daily habit.

MFLRC is led by a senior regulatory and quality professional with more than 20 years of experience across pharmaceutical, food, cannabis, and adjacent regulated sectors, and is security cleared by Health Canada. We support pharmaceutical and medical device manufacturers with practical deliverables, not generic checklists.

Book a Consultation

Conclusion

The 60 to 80 percent figure is not a statistical quirk. It reflects a simple truth: product quality decisions depend on data, and inspections are built to test whether that data can be trusted. The 2026 warning letters show that the most damaging findings are also the most preventable, namely shared logins, disabled audit trails, deleted results, and records destroyed under pressure. None of these require new technology to fix. They require unique accounts, audit trail review, complete data capture, validated systems, and a culture that treats honest data as non-negotiable.

Companies that build to ALCOA+ now will not only avoid the worst enforcement outcomes. They will also be ready for Health Canada and EU-GMP inspections at the same time. The work is achievable, and the return, measured in avoided warning letters, import alerts, and lost market access, is substantial.

Sources and References

U.S. FDA, Data Integrity and Compliance With Drug CGMP: Questions and Answers (December 2018). FDA guidance document

U.S. FDA, Warning Letters database. FDA Warning Letters

U.S. FDA, FDA Takes Action to Address Data Integrity Concerns with Two Chinese Third-Party Testing Firms (2026). FDA press announcement

eCFR, 21 CFR Part 11 - Electronic Records; Electronic Signatures. View regulation

eCFR, 21 CFR Part 211 - CGMP for Finished Pharmaceuticals. View regulation

MHRA, GXP Data Integrity Guidance and Definitions (Rev 1, 2018). View guidance

PIC/S, PI 041 Good Practices for Data Management and Integrity. PIC/S publications

RAPS, reporting on FY2025 FDA drug warning letter volumes and CDER enforcement trends (2025). RAPS

This article is provided for general information and does not constitute legal or regulatory advice. Regulatory requirements change. Verify current requirements with the relevant authority or a qualified consultant before acting.