DNA testing company moves raise privacy concerns
As genetic testing companies increasingly pivot toward medical and pharmaceutical companies, a regulatory gap in the protection of consumer privacy is prompting calls for change and even legislative proposals.
Home DNA testing kits from companies like 23andMe and Ancestry have allowed customers to trace their heritage and reconstruct family trees. The lack of strict data privacy protections has enabled these companies to generate hundreds of millions in revenue through the collection of DNA samples and the sale of genetic data, all with the consent of customers who may not have read the fine print.
As it stands, there is no comprehensive federal privacy law in the United States. Other laws, including HIPAA and the Genetic Information Discrimination Act, only protect genetic information from certain types of insurers and employers. In addition, the agency that is supposed to enforce confidentiality rules for DNA testing companies, the Federal Trade Commission, has limited authority.
Exposed genetic information carries risks ranging from the mundane to the extreme, experts say. Long-term care, disability and life insurers, for example, can still legally inflate their rates depending on the client’s predisposition to health problems. And if a person takes a DNA test, the information could also be used to profile unsuspecting loved ones.
Some warned of more serious consequences. A DNA data security startup, Geneinfosec, which counts former US Assistant Secretary of Defense Andrew C. Weber among its advisers, warns that someone’s DNA profile could be used as blackmail, or even to create biological weapons that target specific people. In 2019, Pentagon officials advised military personnel to avoid consumer DNA testing as they could “create unintended security consequences and increased risk to the joint force and mission.”
In 2018, the nonprofit Future of Privacy Forum released a set of voluntary “good privacy practices”, with membership from several leading DNA testing companies, including Ancestry and 23andMe. The guidelines were intended to increase transparency, provide choices for consumers and provide protection. But the landscape for genetic testing has “transformed” since then, said Rachele Hendricks-Sturrup, the forum’s health policy adviser.
“The best practices that are before us here today are great, but as these companies start to engage more in healthcare, should there be any additional consideration?” Hendricks-Sturrup asked, adding that some may feel more protective of personal health information than details of their heritage.
Earlier this year, private equity giant Blackstone acquired Ancestry.com for $4.7 billion, sparking speculation about what Blackstone was doing. In a statement to FairWarning, Ancestry was unequivocal: “Blackstone will not have access to data from Ancestry customers, nor any of its portfolio companies.” But in the acquisition announcement, Ancestry CEO Margo Georgiadis said the company expected to work with Blackstone to “bring our long-term vision of personalized preventive health to life.” Blackstone also invested heavily in medical devices for diabetic patients and treatments for high cholesterol and kidney disease.
Best practices prohibit sharing with third parties genetic data that is not “aggregated” or “anonymized”, that is, data from which names and contact details have been removed and which has been aggregated into group health statistics. But the same rules wouldn’t apply in the case of the acquisition of a company holding the data, as with Blackstone and Ancestry, Hendricks-Sturrup said.
“It’s interesting that our best practices aren’t really about business acquisition bodies,” she explained. “But we are saying that consumers should be given choices, they should be given the opportunity or the ability to express their consent.”
Blackstone reiterated to FairWarning that it would not have access to Ancestry’s genetic data, but declined to answer specific questions for this story.
Exposing genetic information does not carry the obvious risks of bad actors getting their hands on credit card or social security numbers, said Lisa Parker, director of the Center for Bioethics and Health Law at the University of Pittsburgh.
However, in the case of the Blackstone acquisition, she added, “there are concerns about the sale of a business and its assets. It is not clear how the buyer will use these assets.”
In 2018, 23andMe entered into an exclusive four-year agreement with drug maker GlaxoSmithKline. The companies said in a joint announcement that 23andMe will follow best practices and only share anonymous and aggregated health statistics. But the arrangement also allows people with specific conditions or mutations who have chosen to do so to be identified and invited to participate in clinical trials.
23andMe sells a health package with its DNA tests featuring “over 150 personalized reports” with information on everything from breast cancer mutation and sickle cell disease to muscle makeup and what it calls “genetic weight”.
Given these offers, consumers may not understand what partnerships like 23andMe and GlaxoSmithKline mean for their personal data, said Peter Pitts, president and co-founder of the New York-based Center for Medicine in the Public Interest.
These are not medical treatments tailored to a person’s DNA profile, he said. “What we are talking about is the ability of people in pharmaceutical research and development to find it easier for people to participate in clinical trials through a DNA identifier, which saves time and money and speeds up the marketing of drugs.”
According to the voluntary best practices, which came out just days after the 23andMe-GlaxoSmithKline deal, sharing anonymous group statistics “can provide a strong assurance” of individual privacy. But experts point out that the data could be hacked and participants identified.
“Even though Ancestry has the best security system, the people it does business with can’t,” said Pitts of the Center for Medicine in the Public Interest. “There are plenty of opportunities for people who want to do the wrong things to get their hands on this data.”
“Protecting consumers’ sensitive personal information, such as health or DNA data, is a priority for the Commission,” an FTC spokesperson told FairWarning. When asked for examples of FTC consumer protection enforcement cases involving DNA testing companies, the agency provided only one and cited four other cases involving data confidentiality unrelated to genetic information.
The 2014 genetics case targeted Genelink Biosciences, which claimed to tailor nutritional supplements and skin care products to the ‘DNA disadvantages’ of customers, obtained by a cheek swab test kit. In its complaint, the FTC disputed the scientific validity of these products. It also said that the more than 30,000 DNA samples the company had collected since 2008 had been vulnerable to identity theft and other privacy breaches by third-party contractors hired by the company.
But a search of the FTC’s case database using the words “genetics,” “DNA” and “biosciences” revealed only one other case of a DNA test linked to consumer protection.
“The FTC does not have enough authority to adequately regulate these companies,” said Maureen Mahoney, policy analyst for the magazine and advocacy group Consumer Reports. “We need a privacy law that requires privacy by default, limits what businesses can collect in the first place, and requires disclosure.”
State-level privacy laws are springing up to fill the void. In August, California lawmakers passed a bill that enshrines some of the voluntary best practices in law, in particular that genetic data cannot be shared with third parties without the prior written consent of the individual.
“We wanted to make sure these companies don’t decide to change their collection and disclosure practices and that there are repercussions if they do,” said Mahoney, who advised lawmakers on the bill.
23andMe and Ancestry formed the two-member Genetic Data Protection Coalition, which consulted with the sponsor of the California privacy bill.
“I think they have indeed argued for privacy and strong security measures,” said Parker of the Center for Bioethics and Health Law. “It is certainly in their best interests to do so.”
But other experts say major consumer DNA testing companies can improve the way they communicate what they will do with DNA samples, especially as they expand into healthcare.
“People need to be made aware that their data can be shared or sold to third parties,” Pitts said. “It should be more than a simple click on ‘I agree’ at the bottom of a long text. It should be written in plain English, on a number of different screens.”
Lawrence Brody, senior medical genomics researcher at the National Institutes of Health, said that while many large DNA testing companies are well-meaning, “the industry should do a better job” of educating consumers.
“I don’t know if anyone can bear to read these 15 fine print pages,” he said. “You want to know under what circumstances they might share your information. This is the business model, sharing your information is part of what they do to earn their own return.”
A federal data protection bill sponsored by US Senator Sherrod Brown, D-Ohio, would challenge this business model in fundamental ways: prohibiting companies in different industries from sharing data with people other than their customers.
For critics like Peter Pitts, such a proposition makes perfect sense.
“I don’t understand why a consumer would pay for the privilege of having a third party sell their personal genetic information for profit,” he said.
FairWarning is a non-profit (501(c)(3)) investigative news organization that focuses on public health, consumer, workplace and environmental issues, as well as related topics of government and commercial responsibility.