Current Privacy Risks in Genetic Testing

The idea of taking a direct-to-consumer(DTC) genetic test is intriguing. What was once considered an expensive test that could only be performed in a medical environment can now be purchased...
Michael Buckbee
3 min read
Last updated May 17, 2022

The idea of taking a direct-to-consumer(DTC) genetic test is intriguing. What was once considered an expensive test that could only be performed in a medical environment can now be purchased by consumers for as little as $100.00 and administered in the home. Simply spit your saliva into a tube, mail it to the lab, and within 6-8 weeks, your results will be ready to view online! It’s exciting to live in a time where new technologies have such an enormous influence in improving our quality of life.

However, what always meets us at the end of the rainbow are privacy and security concerns. And they were addressed at last week’s FTC privacy conference by two researchers – Andelka M. Phillips from the University of Oxford and Jan Charbonneau a PhD candidate from the Centre for Law & Genetics, Faculty of Law, University of Tasmania, Australia.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Here are three major concerns of the researchers:

  1. Risks With Genetic Data.

Genetic data is the most personal data any individual may have. It’s the ultimate unique identifier—the PII of all living things. At this time, it’s also not possible to fully de-identify this data. “If there’s been a privacy breach, you can’t change it,” warned  Carbonneau. “It’s not like your iTunes password.”

Phillips and Charbonneau said that because genetic data is valuable, in the future “there may be an incentive for hackers to target genetic databases in order to acquire data than can be used in financial or identity fraud. There are a number of other risks associated with the use of genetic data, including: targeted marketing of drugs to individuals and family groups; potential genetic discrimination resulting from sharing genetic information with third parties; and sharing with law enforcement or government agencies without appropriate consent.” 1

After hearing about these risks, my mind wandered to consider something potentially worse – could genetic data be encrypted and held for ransom? Ransomware is gaining notoriety, impacting individuals as well as businesses, with no signs of slowing down.

  1. The Industry Is Developing Rapidly, But The Law Isn’t Keeping Pace.

When genetic testing is performed at a hospital, as a patient, you are protected because hospitals are subject to HIPAA compliance. But once an individual decides to go the DTC genetic testing route, it becomes a very different situation because technically the testing services are not HIPAA “covered entities”— it has the same risks many fitness wearable wearers face. Is the genetic data and other PII collected from that individual stored securely? Are organizations providing sufficient protection for consumers’ privacy?

Although not a covered entity, recently Fitbit was forced to be HIPAA compliant because it fell under the business associate framework—it was processing data for a company that was directly under HIPAA.

It is all for the better. Perhaps other wearable makers will voluntarily follow suit.

The rest of the world seems to have gotten the message. With the GDPR finalized, EU organizations are required to safeguard genetic data. Even if you don’t have a formal presence in the EU zone but collect and store any personal data–including genetic– of EU citizens, you are still subject to the latest GDPR regulations.

So actually the EU’s new law can indirectly force US genetic testers to protect the privacy of genetic data—at least for EU citizens. It would be nice if they did it for everyone.

  1. Consumer Perception of Control, or Lack thereof

Ms. Carbonneau also found that if consumers believe that their genetic data will only be shared after they give permission, they are more likely to purchase DTC genetic tests, participate in research, and share results with family, doctors and online health communities.

“Most of the time companies will change the terms at any time or time to time without direct notice to the consumer,” noted Phillips.  “This is important here because it could have an impact on what companies do with your data. They could change the policies on sharing sale or storage of data. And this can significantly impact consumers.”

Bottom line –  just because consumers perceive they have control doesn’t not mean they have actual control.

The Industry Gets It: Data Security Is Paramount

Despite frequent terms of conditions updates in the privacy policies along with other risks and unknowns, I was relieved there was consensus and awareness at the privacy conference.

There was acknowledgement that monitoring data access rights is something that organizations can implement – only the right people who need access to data, should have access.

It was also voiced that since consumers can’t control all the data, companies should be responsible stewards of the data and should make smart informed decisions about how the information is used.

Here’s to hoping that we can all build on this privacy awareness momentum in 2016!

 

1https://www.ftc.gov/system/files/documents/public_comments/2015/10/00057-98101.pdf

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

pen-testing-active-directory-environments,-part-iii: -chasing-power-users
Pen Testing Active Directory Environments, Part III:  Chasing Power Users
For those joining late, I’m currently pen testing the mythical Acme company, now made famous by a previous pen testing engagement (and immortalized in this free ebook). This time around...
pen-testing-active-directory-environments,-part-i:-introduction-to-crackmapexec-(and-powerview)
Pen Testing Active Directory Environments, Part I: Introduction to crackmapexec (and PowerView)
I was talking to a pen testing company recently at a data security conference to learn more about “day in the life” aspects of their trade. Their president told me...
varonis-ebook:-pen-testing-active-directory-environments
Varonis eBook: Pen Testing Active Directory Environments
You may have been following our series of posts on pen testing Active Directory environments and learned about the awesome powers of PowerView. No doubt you were wowed by our cliffhanger...
krack-attack:-what-you-need-to-know
Krack Attack: What You Need to Know
For the last decade, philosophers have been in agreement that there is another, deeper level within Maslow’s Hierarchy of Human Needs: WiFi Access. We’re now at the point where even...