Is your DNA info safe from data breaches, and what are the privacy concerns?

Data breaches seem to have become common occurrences. Personal information has been exposed at healthcare providers, government agencies, and businesses. Exposed consumer data includes credit card and bank account information, passwords, and Social Security numbers.

But what if cybercriminals accessed the databases maintained by DNA testing companies such as 23andMe, AncestryHealth and MyHeritage? Could they profit off your DNA information? And is that information secure?

The unsettling truth is that companies that provide personal DNA testing are as vulnerable to data breaches as any other company. And your DNA information might make for a tempting target for hackers who could sell this information on the dark web. Another possibility? The information could be exposed on the dark web, where it could be visible to insurance providers or law enforcement agencies.

Millions of people are testing their DNA

While data breaches targeting DNA testing companies have been relatively uncommon so far, that might not be the case for long. Why? A growing number of consumers are signing up for DNA testing kits. And as more people pay for these tests, the DNA information that the testing companies collect might prove tempting for cybercriminals.

Just look at the results of a study by the Massachusetts Institute of Technology: The institute found that by the start of 2019, more than 26 million customers had added their DNA information to the databases maintained by the industry's four leading DNA testing companies.

To put the growing popularity of these companies in perspective, MIT reported that as many people purchased personal DNA testing kits in 2018 as they had in all previous years combined.

Why would hackers want your DNA information?

If a data breach did expose your DNA data, what could someone do with it?

That’s up for debate. Your full genetic information might not be of much use to anyone. The bigger concern, though, focuses on the summary pages compiled by DNA testing kits. As a 2018 story from The Verge says, these pages contain easy-to-understand interpretations of the health information revealed by the DNA tests and could contain details of current and possible future health challenges of those consumers.

This information could be valuable to insurance companies, which could use it to help determine which customers are more likely to file expensive claims. Armed with this information, insurance companies could opt to deny coverage to consumers they deem most at risk of contracting cancer or who could be vulnerable to a heart attack. They might use the information to boost the policy premiums of customers they worry will suffer from high blood pressure or diabetes based on their DNA information.

Employers might also be interested in this information. What if your DNA kit says you are at a greater risk of contracting Alzheimer’s? If a potential employer was able to obtain this information, would that employer be as willing to hire you?

DNA data breaches? Loss of privacy might be a bigger concern

Some of these worries might seem unlikely. An insurance company that secretly purchased your DNA information and then used that to charge you more? That could result in plenty of bad press and lawsuits for that insurer.

But there is a bigger concern with DNA testing: Do you know how private your genetic information will remain after you send that swab of saliva to a testing company? Do you really know what the testing companies will do with the genetic information they compile on you and how it will be secured?

If you’re like most customers of these companies, you probably don’t. The truth is, though, that unless you do your research, you might submit your DNA information to a company that could sell that information to private companies or share it with law enforcement.

This might not be that worrying as long as no one can trace a particular DNA sample back to you. But there are still enough privacy concerns to attract the interest of the Federal Trade Commission.

Why the FTC warned consumers about DNA testing

The FTC has already posted a warning to consumers on its website about the possibility that their genetic information might be shared with research organizations, law enforcement officials, or other private companies when they work with private DNA testing companies.

The FTC recommended that consumers study the privacy policies of any DNA testing company they choose. Some companies make privacy a bigger issue than others. As the Commission warns, don’t sign up for a company based on price alone.

The Commission recommends, too, that consumers, if given a choice, tweak the privacy settings of their genetic information. Some testing companies might provide a default privacy setting. The FTC advises consumers to carefully review the privacy options for their account and opt for greater privacy measures.

How to help protect yourself and your DNA data

Keeping your genetic data private comes down to research. As a recent story by Consumer Reports said, HIPAA privacy laws that protect patients don't regulate companies that perform direct-to-consumer genetic testing. Because of this, consumer DNA testing services — unless their terms of service specifically state they'll keep your DNA information private — do have the right to sell your genetic data or share it with others.

The Genetic Information Nondiscrimination Act prohibits employers and health insurance companies from discriminating against you based on your genes. The problem? The Act does not govern other insurers, including those providing disability, long-term care, or life insurance.

You can help protect your privacy, then, by carefully reading the privacy policies put in place by genetic testing companies. These policies will tell you if companies do share or sell your data and whether they do it on an individual level — selling DNA data from individual users — or on an aggregate basis, in which the data sold or shared is from an entire group of people, with no data linking directly to one specific individual.

As far as helping to protect your DNA information in the event of a data breach? There’s not much you can do about that. Unfortunately, no company is immune from hackers, even those that take rigorous steps to protect their information. If you do decide to work with a genetics mapping company, learn as much as you can beforehand about the policies the company has in place with regards to the collection and storage of your data so you can be well-informed before submitting your sample.