Mail Order DNA Testing – Protecting Your Genetic Data

Lately I have been getting bombarded with social media ads tailored toward DNA collection services. Why is this? My best guess is a simple search for anything diet/exercise/health related on my end has now triggered an onslaught of advertisements for companies that, if you give them a DNA sample, will use the genomic data to customize an exercise or diet plan specifically for your genetic typing. There are also companies that will take your sample and test for over 90 different food allergies. And of course, we have all heard of companies such as 23andMe and Ancestry that can use your sample to tell you more about your heritage and health predispositions. More and more of these companies appear to be popping up, ready to take your DNA and provide you with all the answers you could imagine. Tempting…

However, this has rapidly ushered in new data security and privacy risks related to how our genetic information is stored, transmitted, and shared. When discussing this topic, I often get a snide remark asking, “Why should I care? I’m not a wanted criminal, so what does it matter if someone gets ahold of my genetic data?”. Well, people generally care if their credit card information, identity, or even home address is exposed to criminals. What do all those things have in common? They can all be changed. On the other hand, your DNA is permanent; you can never change it, even after it is leaked to criminals. What could be done with this data? There are growing concerns that a greater accessibility to genetic data and the information surrounding health predispositions may lead to a world where insurance companies or loan providers could begin screening applicants based on this data. If an insurer can uncover an increased chance of cardiovascular disease when looking at your genetic data, will they then charge you more for life insurance or even deny you coverage? If a mortgage company can find out that you have a predisposition to Alzheimer's, will they then deny you a loan in fear that you will not be able survive to pay it off? The Genetic Information Nondiscrimination Act (GINA) of 2008 prohibits health insurance companies from using genetic information to make coverage or rate decisions. However, GINA protections do not extend to life insurance, disability insurance or long-term care insurance. While it is highly unlikely that legitimate insurance and banking firms would try to obtain stolen data from criminals, the risk that it falls into their hands does exist. There have also been studies (and even a mention in Law and Order: SVU) on the possibility to fabricate or “copy” someone’s DNA to frame them for a crime. We will not dive down that rabbit hole, but it does deserve an honorable mention when evaluating the risks relating to your genetic data being stolen.

Genetic data used in medical settings is protected by the Health Insurance Portability and Accountability Act (HIPAA) and there are clear controls on how it can be handled or shared. However, DNA testing for direct-to-consumer test kits are still brand-new and legal policies that govern the confidential, private use of consumer data are still being developed. As it stands, the only governing body for direct-to-consumer genetic testing is the Federal Trade Commission (FTC) , and there are less protections afforded by the FTC. Only then, if a company violates its own security policies, can the FTC intervene.

So, how can consumers ensure their genetic data is protected? For The Office fans out there, it is like the episode when Darryl comments on the safest way to go skiing… don’t ski! What is the safest way to protect your privacy? Don’t send your bodily fluids in the mail to a direct-to-consumer company. With that being said, there are steps consumers can take to utilize these services while minimizing their risks. First off, read all the fine print in the companies’ privacy policies before you decide to opt in. In my experience, when speaking to people who have provided DNA to various companies in the hopes of gathering more information about themselves, the idea of reading through privacy/security policies, let alone dissecting all of it, is not even a blip on the radar. What should we be looking for in the fine print? Can you delete the results from the company’s database? Who owns your genetic data? Is it protected forever?

Within the terms and conditions, consumers should look for a list of what they can opt into or out of. One example is using your data in research studies, which you can later opt-out of. However, once that data is sold, it is highly unlikely that you will be able to delete that data from various other third parties, and the industry appears to be expanding. Another example is how the company stores your sample. Genetic testing companies can go back and test the sample in the future as advancements are made but will often give consumers a choice as to whether they want their sample kept or destroyed after it is initially tested.

Consumers should also investigate what safeguards a DNA testing company has in place to prevent re-identification. Re-identification is when someone correctly matches your anonymous genetic data with your personal information. Popular testing service 23andMe has released the following statement regarding the risk of re-identification, “To protect against re-identification, we strip customers’ personally identifiable information from their genetic information, storing the two sets of data in separate, walled-off computing environments.” Storing personal identifiable information and genetic data in a separate environment helps protect against a potential breach or hack.

With genetic testing services, users have the option to download the raw data and it is often sent unencrypted in a text file via email. Unencrypted email is not a secure way to store your genetic data. If a malicious actor were able to compromise your email account through phishing or other means, they would now have access to the unencrypted DNA file sitting in your inbox. Once the raw data is downloaded by the consumer, it is no longer considered protected by any of the company’s security policies. If consumers decide to download their genetic data, it is important to store that data somewhere that is not easily accessible in the event of a compromised account or system. Storing the file on an external USB flash drive and deleting the email afterwards would be ideal.

Finally, consumers need to take the necessary steps to create a strong password for their accounts on the genetic testing services’ platforms. Password best practices should be followed, and multi-factor authentication (MFA) should be enforced that requires the user to give two or more pieces of evidence before allowing access to their account and data.

It is simple probability that as more people contribute to genetic testing and data analysis tools become sharper and more advanced, the risk potential also elevates. The takeaway, as with anything in life, is that it is best to make informed decisions and to decide whether accepting the risk outweighs the possible future consequences.