By Ningyi Sun

When you fork out less than USD 100 to learn about your ancestry by sending your spit to a genetics company, you may not be the only owner of this highly sensitive data about your health and identity. Customers’ genetic information, if leaked, could fall into the hands of insurance companies or banks, who may use the data to deny one’s rights to healthcare. Moreover, one can still be traced even without signing up for a DNA test if a family member who has certain traits in their genome shares their information.

DNA testing companies generally adopt two policies to protect their clients’ genomic data. First, they separate personal information like email addresses and passwords from the DNA data and store them in different systems. Second, genetics companies will de-identify the genetic data, meaning they remove personal information from corresponding DNA data, before sharing and selling them to a third party. Nevertheless, anonymized data do not necessarily protect a person’s identity. Researchers say by cross-referencing with voter lists and census that offer data on geography, sex and age, a significant portion of participants in DNA tests can be re-identified.

In June 2018, the online DNA testing platform My-Heritage announced that its system had suffered a breach that affected the email addresses and passwords of 92 million users. The company stated that no genetic data was compromised in the incident thanks to their practice of storing personal information and genetic data separately, and that two-factor authentication would be installed soon.

However, even though companies are adopting better encryption policies by implementing dual or multi-factor authentication systems, whereby a customer has to identify him/herself by providing a pin or phone number before downloading raw genetic data, companies like 23andMe declared that the onus of protecting data falls on customers as soon as the raw data leaves the company’s security walls. This means that if the data is leaked, banks, employers, or insurance companies, can get ahold of the information of what makes you, you.

One can still be traced if a family member participates in a DNA test. According to recent research, an investigation can allow for accurate identification of distant relatives—even locating a second or third cousin match. A case in point is the successful tracking of the Golden State Killer, in which the FBI identified the suspect by matching up the DNA information they extracted from a crime scene with a third-cousin of the suspect on the genetics open platform GEDmatch.

Current regulations to safeguard personal genetic information include the Health Insurance Portability and Accountability Act of 1996 (HIPAA), amended in 2013 to define genetic information as health information; and the Genetic Information Nondiscrimination Act (GINA) of 2008. While both sets of laws ban the use of disclosed genetic information for underwriting purposes when it comes to group health plans, neither prohibits the use of genetic data to modify long-term healthcare plans. Furthermore, health insurance providers can also obtain genomic data by requesting that customers conduct health risk assessments that are unrelated to healthcare plans.

California is a pioneer in regulating businesses that generate revenues by selling personal data by providing citizens with the right to control their personal information through the California Consumer Privacy Act (CCPA) of 2018, which will go into effect in 2020. It is the first state in the United States to follow the European General Data Protection Regulation (GDPR). This “American GDPR” requires businesses covered in the CCPA to carry out reasonable procedures to protect the personal information of California residents that were gathered for lucrative purpose. Moreover, the CCPA grants consumers the right to request information about what kind of personal data is being collected by the business, to opt out of sale of personal data to a third-party, and to request that the business delete their personal information if they wish, similar to a clause in the GDPR known as the “Right to be Forgotten.”

However, the CCPA, together with the HIPAA and GINA, does not cover de-identified data collected or shared by businesses. DNA testing companies such as My-Heritage and 23andMe usually de-identify customers’ genomic data before they share them with third parties such that the data are not under the purview of the above-mentioned laws. Therefore, current regulations do not necessarily prevent health insurers from obtaining a customer’s genetic data and using it against its owner’s health interests. Furthermore, a person’s identity can still be traced and revealed with de-identified genomic data that is sold or shared by genetics companies.

Most customers of genetics companies seem to be unaware of or dismiss the abovementioned risks. The security breach against My-Heritage has not slowed down the business at all. In fact, more people have taken part in the test and the number of customers in the company’s database has increased to more than 2.5 million by April 2019. People continue looking forward to receiving their DNA-based reports to draw up family trees or find new relatives living in another city or country. Consumers often quickly gloss over the privacy terms of these genetics websites after purchasing the service, if they look at them at all.

Therefore, one should weigh the risks of a DNA test to his/her own and family members’ privacy before signing up for one out of curiosity. After all, as a digital safety expert correctly pointed out, your credit card can be readily cancelled but your DNA cannot be changed! Once lost, there is not much you can do.

Image: "小小DNA01" by 阿簡 is licensed under CC BY-NC-SA 2.0