The recent data breach at 23andMe, affecting millions of users, isn't just a technological hiccup. It's a blaring alarm about the lax regulations governing our most personal information: our genetic code. As a long-time journalist covering tech, I would say that I understand both the promise and the peril of technology. This breach underscores the immediate need for tougher congressional oversight to protect consumer privacy and security.
The allure of personalized medicine and discovering our heritage has been the driving force behind the booming industry of direct-to-consumer genetic testing companies. This convenience doesn't come without costs. We are handing these companies unfettered access to very sensitive data. If that data falls into the wrong hands, the result could be discrimination, identity theft, or worse.
The 23andMe breach occurred when attackers employed credential stuffing methods. Their success can probably be attributed to shortcomings in multi-factor authentication (MFA) and poor threat detection technology. This highlights a glaring vulnerability: many companies, even those handling highly sensitive data, aren't employing adequate security measures. It’s like keeping the door to your bank vault wide open.
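As an added example, not from this article or from 23andMe, here is the kind of threat detection the paragraph says was lacking: a detector that flags the credential-stuffing pattern (one source trying many distinct accounts, mostly failing) over constructed login events, then surfaces the accounts where a reused password actually worked so they can be forced to re-authenticate. The log format is an assumption.

```python
"""Credential-stuffing detector over constructed login events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 198.51.100.7 walks a list of leaked credentials; one pair still works.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 198.51.100.7 alice FAIL
2023-10-01T12:00:02Z 198.51.100.7 bob FAIL
2023-10-01T12:00:02Z 198.51.100.7 carol FAIL
2023-10-01T12:00:03Z 198.51.100.7 dave OK
2023-10-01T12:00:04Z 198.51.100.7 erin FAIL
2023-10-01T12:00:05Z 198.51.100.7 frank FAIL
2023-10-01T12:30:00Z 203.0.113.9 alice FAIL
2023-10-01T12:30:20Z 203.0.113.9 alice OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_ratio=0.5):
    """Return {ip: (distinct_accounts, successes)} for every source IP that,
    inside some sliding `window`, tried at least `min_accounts` different
    usernames with a success ratio at or below `max_success_ratio`.
    A legitimate user retrying one account never trips this rule."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_accounts and successes / len(win) <= max_success_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), successes)
    return flagged

def accounts_to_reset(log_text, flagged):
    """Usernames that logged in successfully from a flagged source: the
    accounts whose reused password worked and which need a forced reset."""
    return {parse_line(l)[2] for l in log_text.splitlines()
            if l.strip() and parse_line(l)[1] in flagged and parse_line(l)[3]}
```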
My own experience with online security has taught me a valuable lesson: complacency is the enemy. Equally egregious, I've experienced first-hand how easy it is for outdated passwords and a general lack of vigilance to be the vectors for compromised accounts. This isn't only about keeping your email account safe—it's about protecting your digital identity.
Stronger federal requirements are needed to guarantee straightforward privacy notices. Consumers deserve to know upfront and with complete transparency how their genetic data is being collected, utilized and shared. Today’s approach too frequently leaves consumers in the dark behind pages of dense, confusing terms of service that barely anyone reads. Regulations must require that explanations be in plain language so that all Americans can easily understand them and make informed decisions.
Informed consent is perhaps the most essential element. Consumers need to be aware of the potential risks before their genetic data is collected, used, or shared, and they need to understand the value that accompanies such data. This means understanding the risk of data breaches revealing sensitive health data, the risk of discrimination, and the impact on family members. While guidance from the NHGRI Informed Consent Resource can be invaluable, these principles must be enshrined in law.
Strong data privacy protections are a must. These companies will need to make significant investments in cybersecurity infrastructure to ensure that genetic data can’t be improperly accessed, stolen, or otherwise misused. This means enforcing strong encryption, frequent security audits and proactive threat monitoring systems. A reactive approach just won’t cut it.
Limit data sharing. Sharing genetic data with third parties such as pharmaceutical companies and insurance providers introduces significant ethical risks. Surveillance of this kind compromises individual privacy and autonomy. Regulations must limit such exchanges, mandating clear consumer consent before any data is shared or sold.
Consumers should have the right to access, correct, and delete their genetic data. They also need the ability to opt out of data sharing and marketing. That degree of control is necessary to make sure that people remain in charge of their own data.
The Genetic Information Nondiscrimination Act of 2008 (GINA) was an important step in the right direction, but it doesn't go nearly far enough. Join us as we advocate for expanding GINA to encompass a broader swath of genetic information. We need to address the new forms of discrimination that are popping up.
Perhaps a better way would be to broaden the application of the HIPAA law to bring in companies such as 23andMe. This would have the effect of bringing genetic testing services under the umbrella of other healthcare privacy regulations, thus providing consumers with increased protection.
New state data protection regulations are set to disrupt the genetic testing industry. They will require MFA across all industries, similar to the existing requirement within the financial services industry. MFA provides another layer of security, working to prevent hackers from breaking into accounts and causing damage.
In addition to government regulation, individual consumers can and should take steps to proactively safeguard their genetic data. Before deciding on a genetic testing service, understand the company’s practices for safeguarding personal data, maintaining confidentiality and ensuring informed consent. Look for third-party certifications such as HIPAA compliance or ISO 27001. These certifications demonstrate that the company has implemented robust data protection policies.
Be sure to read the terms of service thoroughly. Consider the company's policies on who they share data with, where they store it and how they plan to use it. To guard against fraud, use a secure payment method such as a credit card or PayPal account that can provide an extra layer of protection for your payment information. Protect your data when using connected devices and apps: other companies may sell your genetic data to third-party entities without your agreement.
The World Medical Association (WMA) explicitly requires that donor subjects be made aware of how their genetic data will be retained and utilized. This means informing them about the possible future research applications of their data. It highlights the importance of transparency and constant dialogue between industry and the public.
Broad consent provides greater benefits for the reuse of genetic samples in future research studies. This offers a great deal of flexibility and adaptability in how the data can be used. This flexibility should not come at the expense of individual privacy and autonomy.
The 23andMe breach should serve as a wake-up call and opportunity. It’s long past time to look further than self-regulation and take meaningful action to protect all sensitive genetic data with comprehensive, enforceable regulations. The future of personalized medicine is counting on it. We can’t let the promise of scientific progress be paid for by our privacy and security as individuals.