Why a DNA data breach is much worse than a credit card leak
This week, DNA testing service MyHeritage revealed that hackers had breached 92 million of its accounts. Though the hackers only accessed emails and passwords — not actual genetic data — there’s no question that this type of hack will happen more frequently as consumer genetic testing becomes more and more popular. So why would hackers want DNA information specifically? And what are the implications of a big DNA breach?
One simple reason is that hackers might want to sell DNA data back for ransom, says Giovanni Vigna, a professor of computer science at UC Santa Barbara and co-founder of cybersecurity company Lastline. Hackers could threaten to revoke access or post the sensitive information online if not given money; one Indiana hospital paid $55,000 to hackers for this very reason. But there are reasons genetic data specifically could be lucrative. “This data could be sold on the down-low or monetized to insurance companies,” Vigna adds. “You can imagine the consequences: One day, I might apply for a long-term loan and get rejected because deep in the corporate system, there is data that I am very likely to get Alzheimer’s and die before I would repay the loan.”
There are plenty of players interested in DNA: researchers want genetic data for scientific studies, insurance companies want genetic data to help them calculate the cost of health and life insurance, and police want genetic data to help them track down criminals, like in the recent Golden State Killer case. Already, we lack robust protections when it comes to genetic privacy, and so a genetic data breach could be a nightmare. “If there is data that exists, there is a way for it to be exploited,” says Natalie Ram, a professor of law focusing on bioethics issues at the University of Baltimore.
Genetic testing sites are treasure troves of sensitive information. Some sites offer users the option to download a copy of their full genetic code while others don’t. But the full genetic code isn’t the most valuable information anyway. As Ram points out, we can’t just read genetic code like a book to gain insights. Instead, it’s the easy-to-access account pages with health interpretations that are most useful for hackers.
This is the data that could be valuable to insurance companies, employees, and police. In a world where this data is posted online, it could be used to genetically discriminate against people, such as denying mortgages or increasing insurance costs. (It doesn’t help that interpreting genetics is complicated and many people don’t understand the probabilities anyway.) In the future, if genetic data becomes commonplace enough, people might be able to pay a fee and get access to someone’s genetic data, too, the way we can now to access someone’s criminal background.
Of course, police and companies would not want to actively work with hackers. But it can be unclear where the data comes from, and there will always be underground markets through which this information could be bought and sold, or used as blackmail. “I can’t imagine that, once this information is hacked and put on the web, it would have more protection than before,” says Ram. “I don’t think we can say that simply because some data was the result of a hack, no one is ever going to touch it. That would be unrealistic.”
Another problem complicates this issue: These consumer tests are often wrong. Health reports can offer up false positives, and even ancestry tests can be wildly inaccurate. For example, some 23andMe tests have been approved by the FDA, but others haven’t, meaning there are other results that could be inaccurate.
So while it’s possible for someone to receive a credit report and easily dispute it, almost no one has the genetic literacy to find their information, understand it, and correct it. There aren’t enough genetic counselors as it is and a recent study showed that some primary care providers didn’t feel comfortable interpreting the results.
As the Equifax hack last year showed, there’s a lack of legislation governing what happens to data from a breach. And ultimately, a breach of genetic data is much more serious than most credit breaches. Genetic information is immutable: Vigna points out that it’s possible to change credit card numbers or even addresses, but genetic information cannot be changed. And genetic information is often shared involuntarily. “Even if I don’t use 23andMe, I have cousins who did, so effectively I may be genetically searchable,” says Ram. In one case, an identical twin having her genetic data sequenced created a tricky situation for her sister.
Ram thinks we need to consider whether genetic-testing companies have a greater ethical obligation to their customers, and seriously consider how to prevent and deal with breaches. For example, privacy protections for medical data exist and are covered under the Health Insurance Portability and Accountability Act. For now, results from consumer genetic testing aren’t covered under HIPAA, but one option could be to change the law so that these results are included, too. “We put a lot of trust in these consumer companies that are promising to help us understand who we are genetically” says Ram. But there a lot of questions about how much they can teach us and there’s a lot of big questions about what kinds of caveats they really ought to make sure their users understand what they’re looking at, and how they can be protected.”