Tuesday, November 3, 2020

Should you be worried about your DNA privacy?

 I've always been wary of at-home DNA tests, and I don't think I'm alone in that. There are a lot of things I regularly do that might compromise my personal information-online shopping, banking, and healthcare communications spring to mind-but sending off a sample of my DNA to some huge corporation? No, thank you.

So when my editor floated the idea of doing a deep-dive into the privacy and security practices of at-home DNA kits, I was first in line to volunteer. I was genuinely curious to find out just how well these companies protect their users' information, and some of the things I found during my research surprised me.

For this article, we’re going to focus on a few key privacy concerns, including:

Data storage

Third-party information access

Biospecimen handling

And law enforcement probes

However, you should always carefully review the terms and conditions of any DNA testing service to ensure you fully understand your rights and how the company plans to protect your privacy.

One of the first issues that comes to my mind with any type of sensitive information is whether it’s susceptible to a data breach. After all, if huge corporations such as Equifax can be compromised by cybercriminals, what’s stopping hackers from going after a DNA testing company?

In fact, it’s happened before. Just last year, DNA-testing firm Veritas Genetics experienced a data breach, according to Bloomberg, and security experts aren’t surprised: “Any data repository with rich personal data in it will be a target for cybercriminals,” explains cybersecurity expert Tony Anscombe, Chief Security Evangelist at internet security company ESET.

“The potential for sensitive information, such as genealogy, to be used by cybercriminals in extortion campaigns is highly probable if the information was to be compromised in a data breach,” Anscombe continues. “While regulation is no guarantee of security, it would seem logical for genetic data to be covered under a regulation such as HIPAA or something similar to ensure that companies provide adequate cybersecurity measures to protect the data.”

HIPAA is the common term used for the Health Insurance Portability and Accountability Act, which sets strict national standards for the protection of sensitive patient health information—chances are you’ve had to sign HIPAA forms at your annual doctor’s appointments. However, these standards have yet to be extended to DNA testing services, despite the fact that genetic information is health information.

So what, exactly, are DNA companies doing to protect your information? We reached out to two of the biggest companies in the at-home DNA testing industry—AncestryDNA and 23andMe—to ask.

“Personal information and genetic information are stored separately in secured, segmented databases,” explained a 23andMe spokesperson. “We employ the highest industry standards for authentication, encryption, and authorization to our systems … We also use the highest industry-standard security measures to encrypt sensitive information both at rest, in transit, and while processing in our databases. Access to sensitive information is limited to authorized personnel, based on job function and administrative need. 23andMe access combines token-based, multi-factor authentication, and strict least-privileged authorization controls.”

To read the rest of the article, hit here