Personal Health Information, Data Sharing, Privacy & Security
Should I worry about giving my DNA to labs that do genetic tests?
With an October 2023 update due to the 23andMe breach
The internet has made DNA testing a big global business. In the United States and Europe, millions of people have sent samples of their saliva to commercial labs in the hopes of learning something new about their personal health or lineage. Ancestry.com, 23andMe, MyHeritage, and FamilyTreeDNA are all industry leaders that sell their services online, share test results on websites, and even provide guides on how to find relatives in phone directories or share results on social media. They frequently claim ownership of your genetic information and sell access to their databases to large pharmaceutical and medical technology firms.
In terms of internet health, it's part of a troubling trend of corporations acquiring personal data about people and acting in their own best interests, not yours. Granted, test results can lead to crucial discoveries about your personal health, and they can also be shared for public-interest scientific research. But before you give in to your curiosity, consider the following 23 reasons to keep your DNA private, one for each pair of chromosomes in a human cell.
Subjective: Consumers appear to be content passing on their personal information to firms that aggregate and monetize it in the age of Facebook and Google. Consumers are increasingly paying to hand over their genetic code, their most sensitive individual identity, to DNA testing companies that monetize it in new ways.
Objective: A strong case is made for consumers to be aware, if not extremely cautious, when submitting their DNA to any consumer-facing genetic testing company. Examples of potential issues include the risk of such large genetic databases being hacked, secondary use of consumer data, the accuracy of testing results, and open questions about what happens to consumer rights when these types of companies are sold or reorganized. A recent study published in PLoS ONE found that many people are not overly concerned about exposure of their DNA data, but are distrustful of for-profit entities trying to use their information for profit. Recent articles in the links below report that genetic data is being used for pharmacy-related immuno-oncology research. This is not necessarily bad; in fact, it could be great, but it is still important to understand the downstream use of your data.
Assessment: We do not yet fully understand the implications of having one's genetic information compromised. At the very least, it is one of the most unique personal identifiers out there. Does that mean that these consumer DNA testing companies necessarily have bad intentions? Of course not, but this is a relatively new field, so it is important for us as consumers to be very well informed before providing informed consent. The McClatchy article makes the important point that “Ancestry.com customers should also know they’re giving up the genetic privacy of themselves and their relatives.”
Plan:
Take the time to read the full McClatchy article. It provides a good outline of potential concerns with sharing your DNA profile. As suggested, before sending off your spit sample, be sure to read and understand Ancestry's entire privacy statement. Talk to your family about it. This affects them as well. Save any privacy and consent forms that you agree to in a safe place so that you have a copy of the terms at that time. Be sure to include the date on which they were signed.
Read on to find out about recent breach information related to 23andMe
Genetic profiling company 23andMe is currently investigating a data scraping incident where private user information was stolen from its website. The confirmation came five days after an undisclosed entity advertised the sale of private data of millions of 23andMe users on an online crime forum. The alleged stolen data included details like origin estimation, phenotype, health records, photographs, and other identification data. Speculation arose that the CEO of 23andMe knew about this breach two months prior and had kept it under wraps. However, in response, a representative of the company countered that there is no proof of 'health information' being part of the posted data and that, for now, these are just unverified claims.
The breach was attributed to data scraping, a method where attackers systematically extract smaller bits of information available to individual users, ultimately compiling large volumes of data. The attackers had unauthorized access to specific 23andMe accounts, which had the DNA relative feature activated. This feature lets users find potential relatives by viewing the basic profile details of others who have also opted into the feature. Officials from 23andMe emphasized that there isn’t any evidence suggesting a direct breach in their security systems. Instead, they suspect the login credentials might have been gathered from data leaks from other platforms where users reused their passwords. It was highlighted that the attackers have, in all likelihood, violated the company’s terms of service. Reports have emerged claiming that the data dump consists of 13 million pieces of information, with specifics regarding the nature and number of affected users still undisclosed. However, notable mentions include a leaked database of 1 million users of Ashkenazi descent and another 300,000 users of Chinese descent, all of whom had activated the DNA relative feature.
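The two signals described above, one source logging into many accounts and each account then viewing far more relative profiles than a person would, can be checked with a simple log heuristic. This is an added example, not 23andMe's code or logs; the event format, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them against real baselines.
MAX_ACCOUNTS_PER_IP = 3      # distinct accounts logged into from one source IP
MAX_PROFILES_PER_HOUR = 20   # distinct relative profiles viewed per account-hour

def detect(events):
    """events: iterable of (minute, source_ip, account, action, target).
    Returns (suspect_ips, suspect_accounts)."""
    accounts_by_ip = defaultdict(set)   # ip -> accounts with a successful login
    views = defaultdict(set)            # (account, hour) -> profiles viewed
    for minute, ip, account, action, target in events:
        if action == "login_ok":
            accounts_by_ip[ip].add(account)
        elif action == "view_relative":
            views[(account, minute // 60)].add(target)
    suspect_ips = {ip for ip, accts in accounts_by_ip.items()
                   if len(accts) > MAX_ACCOUNTS_PER_IP}
    suspect_accounts = {acct for (acct, _hour), seen in views.items()
                        if len(seen) > MAX_PROFILES_PER_HOUR}
    return suspect_ips, suspect_accounts

def sample_events():
    """Constructed events: one ordinary user and one scraping source."""
    # Ordinary user: one login, a handful of relative profiles viewed.
    events = [(5, "192.0.2.10", "carol", "login_ok", None)]
    events += [(6 + i, "192.0.2.10", "carol", "view_relative", f"rel{i}")
               for i in range(4)]
    # Scraping source: five accounts opened with reused passwords, each
    # used to pull 40 opted-in relative profiles within the same minute.
    for n, victim in enumerate(["u1", "u2", "u3", "u4", "u5"]):
        start = 10 + n
        events.append((start, "203.0.113.50", victim, "login_ok", None))
        events += [(start, "203.0.113.50", victim, "view_relative",
                    f"{victim}-rel{i}") for i in range(40)]
    return events

if __name__ == "__main__":
    ips, accounts = detect(sample_events())
    print("source IPs logged into too many accounts:", sorted(ips))
    print("accounts viewing too many relative profiles:", sorted(accounts))
```

The per-account view count is the more durable signal of the two, since it still fires when the logins are spread across many source addresses.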
Recent events highlight the inherent risks associated with storing genetic data online. In 2018, another genetic data company, MyHeritage, faced a breach where over 92 million users' email addresses and passwords were compromised. The same year, officials in California utilized a different genealogy site, GEDMatch, to locate a suspect related to murders that had taken place 40 years prior. The suspect was identified not through his own DNA but through that of a relative who had submitted a sample to GEDMatch. Storing genetic information online offers benefits like tracing lineage and finding relatives, but it also poses significant privacy threats. Even with strong passwords and two-factor authentication, as advocated by 23andMe, users' data remains vulnerable. The only foolproof way to safeguard it from online theft is to avoid online storage altogether.
More links
- Genetic paparazzi are right around the corner, and courts aren’t ready to confront the legal quagmire of DNA theft
  We are law professors who study how emerging technologies like genetic sequencing are regulated. We believe that growing public interest in genetics has increased the likelihood that genetic paparazzi with DNA collection kits may soon become as ubiquitous as ones with cameras.
- 23 reasons not to reveal your DNA
  In terms of internet health, it’s part of a worrying trend of corporations to acquire personal data about people and act in their own best interests, not yours. OK, so test results can also lead to important discoveries about your personal health, and can also be shared for non-profit biomedical research in the public interest. But before you give in to your curiosity, here are 23 reasons not to reveal your DNA – one for each pair of the chromosomes in a human cell.
- All Those 23andMe Spit Tests Were Part of a Bigger Plan
  CEO Anne Wojcicki wants to make drugs using insights from millions of customer DNA samples, and doesn’t think that should bother anyone.
- Should You Give the Gift of a Genetic Testing Kit?
  DNA testing kits are popular holiday gifts. But they come with privacy risks and can lead to unwelcome surprises.
- A link to the original article on McClatchy DC Bureau
  In the age of Facebook and Google, consumers seem comfortable surrendering their personal information to corporations that aggregate it and monetize it. But Ancestry and other DNA testing companies have added an audacious tweak: Consumers are now paying to hand over their genetic code, their most sensitive individual identifier, to companies that could monetize it far into the future.
- A link to the article titled Researchers Want To Link Your Genes And Income—Should they?
  Along with a team of European collaborators, Hill sifted through the UK Biobank data to find about 286,000 participants who had answered a survey question about household income. Using that information they conducted something called a Genome Wide Association Study, where they looked at 18 million places in the genome to see which ones matched up with higher paychecks.
- A systematic literature review of individuals’ perspectives on privacy and genetic information in the United States
  Concerns about genetic privacy affect individuals’ willingness to accept genetic testing in clinical care and to participate in genomics research. To learn what is already known about these views, we conducted a systematic review, which ultimately analyzed 53 studies involving the perspectives of 47,974 participants on real or hypothetical privacy issues related to human genetic data.
- Direct-to-Consumer Genetic Testing and Potential Loopholes in Protecting Consumer Privacy and Nondiscrimination
  Results from a qualitative study revealed insights about consumer expectations of DTC genetic testing data privacy in general. Through interviews with 13 DTC genetic testing consumers, Haeusermann et al found that perceptions of privacy risks were dependent on whether individuals felt they belonged to vulnerable social groups that are more exposed to discrimination.
- How do you control where your DNA data resides and how it is shared online?
  It is the assessment from this article that at this time it is very difficult to understand and control who has access to your genetic data. There are not enough privacy protections in relation to what companies who analyze your genetic data are then able to do with that data after they have gathered it.
- A link to the article titled, Genes for Good: Engaging the Public in Genetics Research via Social Media
  The Genes for Good study uses social media to engage a large, diverse participant pool in genetics research and education. Health history and daily tracking surveys are administered through a Facebook application, and participants who complete a minimum number of surveys are mailed a saliva sample kit (“spit kit”) to collect DNA for genotyping.
- DNA test kits: Consider the privacy implications
  Companies are advertising at-home DNA test kits that promise intriguing insights into your past (“Where did my forebears come from?”) – and your future (“Do I have the genetic markers for certain medical conditions?”). If you’re thinking about buying a kit for yourself or a family member, the FTC has advice about protecting the privacy of the sensitive information that DNA tests reveal.
- DNA Test Service Exposed Thousands of Client Records Online
  DNA-testing service Vitagene Inc. left thousands of client health reports exposed online for years, the kind of incident that privacy advocates have warned about as gene testing has become increasingly popular.
- Direct-to-Consumer DNA Testing Company Exposed Personal Information Online
  An article from the HIPAA Journal