Last Updated on October 18, 2024
The ever-popular genetic and ancestry-tracing company 23andMe has come under intense scrutiny after several data breaches, including one in late 2023 and a resultant full board resignation.
At the helm, CEO Anne Wojcicki previously announced a takeover of the company, raising concerns from customers regarding their personal data, reported CBS News.
23andMe acknowledged the faux pas and issued a statement to CBS MoneyWatch:
Anne [Wojcicki] also expressed her strong commitment to customer privacy, and pledged to maintain our current privacy policy, including following the intended completion of the acquisition she is pursuing.
Earlier this October, Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), told her followers on X that it may be a good time to delete any data with 23andMe.
If you have a 23andme account, today is a good day to login and request the deletion of your data: https://t.co/ceLna3uy3c
— Eva (@evacide) October 3, 2024
Other cybersecurity experts weighed in, oddly downplaying the concerns.
Anya Prince, a genetic privacy expert at the University of Iowa, insisted “… the data is no more vulnerable today than it was for however 23andMe has been going on.”
23andMe allows customers to share de-identified genetic information with third parties, including for the purposes of advancing medical research, read the report.
According to 23andMe, approximately 80% of its customers participate in its research program, which has led to over 270 peer-reviewed publications.
The question surrounding possible cyberattacks on such data is: what can one do with such genetic information? CBS News noted that a drugmaker could essentially tailor its ad campaigns using such data, something not far-fetched for “Big Pharma.”
“It might be innocuous, as in you’d be marketed products for diabetes if you have a predisposition,” said Prince, downplaying the issue to CBS News. “It could be annoying but not harmful.”
Another concern is whether health insurers could use such data to deny individual coverage or raise premiums. The 2008 Genetic Information Nondiscrimination Act (GINA) prohibits this. States also have their own statutes protecting genetic information or prohibiting discrimination based on it. However, protections for long-term care and disability are less available, said Prince.
In the vast majority of states, these types of insurance are allowed to take into account one’s genetic information.
Only Florida has laws banning all three insurance types from utilizing genetic information for decision-making.
Jason Kelley, the activism director at EFF, offered a different perspective from Prince. He believes the seizure of genetic data could do much more damage.
The concern is not about what people could find out today, but in the future. Having access to this kind of information could give someone an enormous amount of intelligence about groups of people and potentially individuals. And there’s a sort of dystopian nightmare scenario where that kind of data can be tied back to individuals, or leaked to the internet.
As of now, 23andMe users can delete their information under the company’s privacy policy. Users who have shared their de-identified data for research can reverse the original consent but cannot retract the already shared data.
After revamping its website, the company plans to streamline and automate its data protection. Still, Kelley warns that “people have not known what information they were giving away and how it was used and [now] people [are] becoming more aware of how their information can be used or it can be dangerous if there is a data breach.”
Kelley makes a justifiable case, as the US Department of Health and Human Services Office for Civil Rights reported hundreds of thousands of medical data breaches just last year. The 851-page report includes all medical data leaks.
Many such cases are handled in small claims court with a minor payout to the victim. Besides that, there is no true justice or remedy for the violation of stolen data.