Is Your DNA Safe? Genetic Testing Risks and How to Protect Your Data

23andMe, a genetic testing company, suffered a data breach that lasted from April to September 2023, during which hackers targeted customer accounts. The breach was only discovered in October when hackers advertised stolen data on online forums including the unofficial 23andMe subreddit, the cybercrime forum Hydra, and the hacking forum BreachForums. Approximately 6.9 million users' ancestry and genetic data were compromised, affecting about half of the company's customer base. The breach occurred due to hackers brute-forcing accounts with passwords already exposed in other breaches. The stolen data included names, birth years, relationship labels, DNA shared with relatives, ancestry reports, and self-reported locations. Following the breach, customers filed class-action lawsuits against 23andMe, accusing the company of negligence in protecting their data. 23andMe attempted to deflect blame onto users for reusing passwords and changed its terms of service to make it harder for victims to pursue legal action. This incident highlights the importance of strong security measures and transparency in handling sensitive personal data.

Related topic: Lessons from the 23andMe Data Breach: Data Privacy in an Interconnected World

Genetic testing has revolutionized healthcare, offering insights into individuals' predispositions to diseases, ancestry, and even responses to medications. However, this wealth of information comes with inherent privacy risks. Key concerns include:

• Informed Consent: The cornerstone of ethical genetic testing lies in obtaining informed consent. Individuals must understand the implications of sharing their genetic data, including potential risks such as discrimination or breaches of privacy. Without adequate understanding, they might consent to the testing without realizing the potential consequences, such as how the data could be used by insurance companies to deny coverage or by employers for discriminatory hiring practices.
• Safeguarding Genetic Privacy: Genetic information is uniquely personal and immutable. Thus, strict measures are necessary to safeguard it from unauthorized access, misuse, or unintended disclosure. The significance of this issue was underscored by the data breach at 23andMe, where thousands of individuals' genetic data were exposed, highlighting the severe repercussions. 
• Mitigating Misuse and Discrimination: Genetic data misuse can lead to various forms of discrimination, including denial of employment or insurance. Effective regulatory frameworks must address these risks comprehensively.

Related topic: How to: Comply with the right of access under the GDPR

In parallel with genetic testing, biometric authentication has emerged as a convenient and secure means of accessing sensitive data. Whether through fingerprint scans or facial recognition, biometrics offer unparalleled convenience, but their widespread adoption raises pertinent privacy considerations.

• Data Security: Biometric data, once compromised, cannot be changed like passwords. Therefore, stringent security measures are imperative to prevent unauthorized access and potential misuse.
• User Consent and Transparency: Users should have clear visibility into how their biometric data is collected, stored, and utilized. Transparent policies and robust consent mechanisms are essential to foster trust and accountability.

Related topic: Passkeys and Data Privacy: A Secure Path to a Passwordless Future

To navigate the complex terrain of genetic testing and biometrics while upholding data privacy, stakeholders must adhere to best practices:

1. Educating Users: Empower individuals with comprehensive information about the implications of genetic testing and biometric authentication, enabling them to make informed decisions.
2. Implementing Strong Security Measures: Employ encryption, access controls, and multi-factor authentication to fortify the security of genetic and biometric data repositories.
3. GDPR Compliance: Compliance with data protection regulations, such as the GDPR is paramount, especially in the EU. Organizations collecting biometric data must adhere to strict storage, processing, and sharing guidelines.
4. Regular Auditing and Monitoring: Conduct regular audits and monitoring to detect and address potential privacy breaches proactively.
5. Adhering to Regulatory Standards: Comply with relevant data protection regulations, ensuring that privacy safeguards are integrated into every data processing stage.
6. Ethical Considerations: Prioritize ethical principles such as autonomy, beneficence, and justice when collecting, storing, and using genetic and biometric data.

“At heyData, we understand the importance of GDPR compliance and offer comprehensive services to help businesses protect their data effectively. With our expertise in digital data protection audits and our experienced team of data protection officers, you can easily identify potential data protection gaps and learn how to best safeguard your company's data.” 

Martin Bastius 
Co-Founder & CLO, heyData

As genetic testing and biometric authentication continue to advance, safeguarding individuals' sensitive health information remains paramount. By prioritizing informed consent, robust security measures, and adherence to regulatory standards, stakeholders can navigate the evolving data privacy landscape with diligence and integrity. Companies can leverage platforms like heyData to streamline processes and safeguard sensitive information effectively.

heyData offers comprehensive solutions designed to assist organizations in managing their data privacy obligations under GDPR, particularly in the context of medical practices where the handling of sensitive health data is prevalent.