A researcher who has delved into the security implications of DNA technologies explains that the increasingly lucrative market for data brokers may also amplify breach concerns in the health care sector.
Michael Goetzman’s research was, in part, inspired by the 1997 film “Gattaca,” which presents a future world where genetic discrimination is made possible through reliance on a genetic registry database. In the real world, employers and health insurers are prohibited by the Genetic Information Nondiscrimination Act (GINA) from requesting or purchasing genetic information which can be used for discrimination, but Goetzman explained that major privacy concerns remain.
On May 14, the Wisconsin-based security researcher, who also works for a nonprofit in the healthcare industry, will present on this very topic at Thotcon, a hacking conference in Chicago. According to an abstract on the Thotcon website, his talk will inform the community that the “dystopian future” depicted in “Gattaca” is here.
As an experiment, Goetzman asked 17 of his family members whether they would use popular genetic testing kits on the market. All agreed, Goetzman told SCMagazine.com in an interview, and used autosomal DNA testing services (available to both males and females) provided through 23andMe, Ancestry.com or Family Tree DNA. In addition, the researcher asked 25 males with his last name to participate in the experiment by undergoing Y-DNA testing (which focuses on the Y chromosome passed down in males), to see whether they were related to him.
Goetzman said that the information gleaned specifically from his family members’ DNA tests surprised everyone, including him.
“It helped me solve the 92-year-old family mystery on my adopted grandma,” he said. “We found her biological parents. And that wasn’t even an original goal – I thought it was impossible.”
But the family also learned things that “spooked” them, he added.
Once saliva samples were turned over to the companies, the service providers were able to predict individuals’ hair color, eye color and other physical traits (even constructing an individual’s face), which, he noted, could be of use to law enforcement seeking similar information from genetic data collectors. The DNA data also allowed the companies to determine genetic susceptibility to certain medical conditions or illnesses, he explained.
“What’s keeping this data, which is essentially text files dropped on your computer, from being disclosed?” Goetzman said. “I’m wondering how many companies or governments contain a mass database of DNA and what should happen if that leaked out onto the internet?”
Genetic information is covered under HIPAA (it is categorized as “health information”), but Goetzman pointed out continued data breaches in the health care sector that have exposed lax security measures taken with patient information.
“Then, there are rules around nondiscrimination [regarding] DNA, like GINA in the United States, but it doesn’t apply to life insurance, disability and long-term care,” Goetzman noted.
Deborah Peel, a physician who founded the non-profit Patient Privacy Rights and started the annual International Summit on the Future of Health Privacy, now in its fifth year, told SCMagazine.com in an interview that, while some protections exist for genetic information, regulations like GINA have been criticized as “toothless,” particularly in an age when companies have various means of obtaining health data.
“It doesn’t keep people from really getting the information,” Peel said. “For instance, once blood or tissue is separated from your body, they can do whatever they want with it. So we have no idea how many biobanks, hospitals or laboratories sell this.”
It’s just a matter of time, she said, before “anyone that wants to do research is going to be able to get tissue or blood from you and use those materials for a study, or to develop a product or service, without you even knowing that they have your genetic material.”
California-based company 23andMe, which maintains the largest autosomal DNA database, often comes up in such discussions about genetic data collection.
In January, Forbes reported that 23andMe struck a $60 million deal with pharmaceutical company Genentech, to make its database (gleaned from customers purchasing DNA kits) available to the Swiss pharma giant. Individuals purchasing 23andMe’s DNA kits agreed to donate their anonymized data for research, but since Genentech was interested in analyzing customers’ data on an individual level, 23andMe was required to ask for additional consent from consumers.
The deal comes on the heels of turbulence between 23andMe and the Food and Drug Administration (FDA), which barred the company from selling its genetic testing kits in 2013, but last month authorized its marketing of a Bloom Syndrome direct-to-consumer genetic carrier test. The Bloom Syndrome test is used to “determine whether a healthy person has a variant of a gene that could lead to their offspring inheriting the serious disorder,” an FDA release said.
Peel said that another critical aspect of the genetic data privacy discussion revolves around its far-reaching impact, since it involves more than an “informed decision about yourself” – and your data.
“It’s not just you – you have the potential of putting everyone in your family at risk of various kinds of consequences that have to do with discrimination and other crimes,” she told SCMagazine.com.
In a statement, the Health Information Trust Alliance (HITRUST) told SCMagazine.com that, in its opinion, “the use and disclosure of genetic information is generally more restrictive than your standard ‘vanilla ePHI’ [electronic protected health information].” Restrictions, such as GINA, which were later incorporated into HIPAA with the Omnibus Final Rule in 2013, have helped see to that, the organization explained.
“Various states also have rules regarding the use and disclosure of genetic information, not all of which is directly related to healthcare,” HITRUST offered.
The alliance said that, while it’s possible for genetic information to be “abused by a healthcare entity, it’s not likely,” and that third-party access to such information is the more likely problem.
“However, it’s also possible that a non-health organization who has access to DNA data, such as in a genealogical database, could put it at risk,” HITRUST said.