Mail Order DNA Testing – Protecting Your Genetic Data

Lately I have been getting bombarded with social media ads tailored toward DNA collection services. Why is this? My best guess is a simple search for anything diet/exercise/health related on my end has now triggered an onslaught of advertisements for companies that, if you give them a DNA sample, will use the genomic data to customize an exercise or diet plan specifically for your genetic typing. There are also companies that will take your sample and test for over 90 different food allergies. And of course, we have all heard of companies such as 23andMe and Ancestry that can use your sample to tell you more about your heritage and health predispositions. More and more of these companies appear to be popping up, ready to take your DNA and provide you with all the answers you could imagine. Tempting…

What Can Companies and Criminals Do With Your Genetic Data?

However, this has rapidly ushered in new data security and privacy risks related to how our genetic information is stored, transmitted, and shared. When discussing this topic, I often get a snide remark asking, “Why should I care? I’m not a wanted criminal, so what does it matter if someone gets ahold of my genetic data?”. Well, people generally care if their credit card information, identity, or even home address is exposed to criminals. What do all those things have in common? They can all be changed. On the other hand, your DNA is permanent; you can never change it, even after it is leaked to criminals. What could be done with this data? There are growing concerns that a greater accessibility to genetic data and the information surrounding health predispositions may lead to a world where insurance companies or loan providers could begin screening applicants based on this data. If an insurer can uncover an increased chance of cardiovascular disease when looking at your genetic data, will they then charge you more for life insurance or even deny you coverage? If a mortgage company can find out that you have a predisposition to Alzheimer's, will they then deny you a loan in fear that you will not be able survive to pay it off? The Genetic Information Nondiscrimination Act (GINA) of 2008 prohibits health insurance companies from using genetic information to make coverage or rate decisions. However, GINA protections do not extend to life insurance, disability insurance or long-term care insurance. While it is highly unlikely that legitimate insurance and banking firms would try to obtain stolen data from criminals, the risk that it falls into their hands does exist. There have also been studies (and even a mention in Law and Order: SVU) on the possibility to fabricate or “copy” someone’s DNA to frame them for a crime. We will not dive down that rabbit hole, but it does deserve an honorable mention when evaluating the risks relating to your genetic data being stolen.

Genetic data used in medical settings is protected by the Health Insurance Portability and Accountability Act (HIPAA) and there are clear controls on how it can be handled or shared. However, DNA testing for direct-to-consumer test kits are still brand-new and legal policies that govern the confidential, private use of consumer data are still being developed. As it stands, the only governing body for direct-to-consumer genetic testing is the Federal Trade Commission (FTC) , and there are less protections afforded by the FTC. Only then, if a company violates its own security policies, can the FTC intervene.

Protect Your DNA From Corporate Entities

So, how can consumers ensure their genetic data is protected? For The Office fans out there, it is like the episode when Darryl comments on the safest way to go skiing… don’t ski! What is the safest way to protect your privacy? Don’t send your bodily fluids in the mail to a direct-to-consumer company. With that being said, there are steps consumers can take to utilize these services while minimizing their risks. First off, read all the fine print in the companies’ privacy policies before you decide to opt in. In my experience, when speaking to people who have provided DNA to various companies in the hopes of gathering more information about themselves, the idea of reading through privacy/security policies, let alone dissecting all of it, is not even a blip on the radar. What should we be looking for in the fine print? Can you delete the results from the company’s database? Who owns your genetic data? Is it protected forever?

Can DNA companies sell your data?

Genetic testing companies often come with extensive terms and conditions. Some of these might grant the company permissions to share your DNA data with third parties or even publicize it. However, the key takeaway is that the power ultimately rests with the users.

People's apprehensions about genetic testing fall on a spectrum: while some are very cautious about their data privacy and would prefer anonymous genetic testing, others might be more relaxed. Fortunately, many testing companies cater to this diversity of concerns. They typically offer opt-in or opt-out choices for various services. For instance, if you're not comfortable receiving medical data, you can choose to exclude it. For those prioritizing anonymity, using a pseudonym is often an option. Some companies even allow users to request the deletion of their sample and results after the testing. And for those wary of third-party research access to their data, there are usually options to opt-in or out.

When it comes to the medical implications of these tests, most companies provide data that isn't primarily medical. However, for the few that offer medically relevant data, there are legal restrictions about who can access that information.

An essential legal framework to be aware of is the Genetic Information Non-discrimination Act (GINA). This act ensures employers and health insurers cannot request genetic data. However, it does not currently offer the same protections for life insurers or long-term care insurers. An unanswered question remains; whether these insurers might, in the future, ask individuals if they've undergone genetic testing.

Consumers should also investigate what safeguards a DNA testing company has in place to prevent re-identification. Re-identification is when someone correctly matches your anonymous genetic data with your personal information. Popular testing service 23andMe has released the following statement regarding the risk of re-identification, “To protect against re-identification, we strip customers’ personally identifiable information from their genetic information, storing the two sets of data in separate, walled-off computing environments.” Storing personal identifiable information and genetic data in a separate environment helps protect against a potential breach or hack.

23andMe Breach

On October 6th, 2023, the well-known genetic testing company, 23andMe, shed light on a troubling 23andMe breach. They verified that a segment of its user data had been illicitly accessed. Rather than a system-wide 23andMe hack, attackers pinpointed and guessed the login credentials of some users, tapping into a feature dubbed "DNA Relatives".

The gravity of the situation deepened when BreachForums exhibited an initial data sample. Here, hackers asserted that it contained 1 million unique data points centered on Ashkenazi Jews. Further scrutiny revealed that the 23andMe data leak also encompassed hundreds of thousands of users with Chinese ancestry.

This 23andMe user data stolen was promptly put up for sale, priced between $1 and $10 per profile. The compromised data, while not exposing raw genetic info, did offer a peek into details such as name, birth year, and general ancestry indicators.

23andMe was quick to respond, underscoring that their main systems hadn’t been directly infiltrated. They urged users to bolster their security practices, emphasizing the use of unique passwords. The company also shed light on the "credential stuffing" method the attackers might have employed, where they leverage previously leaked credentials from other breaches.

A point of intrigue in the 23andMe hack was the claim of celebrities like Mark Zuckerberg, Elon Musk, and Sergey Brin being part of the breach. The veracity of these claims is still under the lens, with some data inconsistencies fueling doubts.

How to Safely Store Your Genetic Data

With genetic testing services, users have the option to download the raw data and it is often sent unencrypted in a text file via email. Unencrypted email is not a secure way to store your genetic data. If a malicious actor were able to compromise your email account through phishing or other means, they would now have access to the unencrypted DNA file sitting in your inbox. Once the raw data is downloaded by the consumer, it is no longer considered protected by any of the company’s security policies. If consumers decide to download their genetic data, it is important to store that data somewhere that is not easily accessible in the event of a compromised account or system. Storing the file on an external USB flash drive and deleting the email afterwards would be ideal.

Finally, consumers need to take the necessary steps to create a strong password for their accounts on the genetic testing services’ platforms. Password best practices should be followed, and multi-factor authentication (MFA) should be enforced that requires the user to give two or more pieces of evidence before allowing access to their account and data.

It is simple probability that as more people contribute to genetic testing and data analysis tools become sharper and more advanced, the risk potential also elevates. The takeaway, as with anything in life, is that it is best to make informed decisions and to decide whether accepting the risk outweighs the possible future consequences.