Congress is a decade behind in overseeing DNA testing companies
WASHINGTON – Wall Street has plowed billions of dollars into DNA testing companies, one of the world’s fastest-growing consumer services. By contrast, lawmakers in Washington have invested little oversight into this brave new marketplace, leaving it to U.S. consumers to navigate it alone.
Despite consumer unease about their DNA privacy, Congress has made no moves to update the 2008 Genetic Information Nondiscrimination Act (GINA), the lone law in this field. The law prevents employers and companies from using DNA data to deny employment or health insurance coverage, but it contains numerous loopholes. It also couldn’t begin to anticipate the privacy risks as corporations quietly assemble DNA databases containing millions of personal records.
“People are concerned that their Social Security number could be stolen and made public,” said Peter Pitts, a former associate commissioner for the Food and Drug Administration. “But when they do these (DNA) tests, many have little awareness their genetic identity could be compromised in the same manner. We are talking about your most sensitive, personal information.”
Concern over access to people’s DNA data has increased with Sacramento investigators’ use of genetic data to arrest a suspect, Joseph James Deangelo, in the Golden State Killer case.
To make a match with Deangelo, investigators analyzed DNA obtained from a crime scene, and fed those results into a free, open-access database called Gedmatch, based in Florida. After recognizing a link to one of Deangelo’s relatives, investigators used that and other evidence – including direct testing of Deangelo’s DNA – to tie him to the murders.
Photo caption: A technologist at the Molecular Genetic Department at Nicklaus Children’s Hospital tests the concentration of DNA.
Joel Winston, a privacy lawyer based in Pittsburgh, said consumers take significant risks entering their genetic data into open-access databases, such as Gedmatch. But there are also risks in using commercial testing services, such as 23andme and Ancestry, he said.
“A lot of people will say, don’t worry, we have GINA, but there are so many holes to it,” Winston said. The 2008 law, he notes, exempts life insurance and disability insurance companies, effectively allowing them to discriminate on the basis of genetic defects found through DNA tests.
“If you get one of these tests, and the tests tell you you have a propensity to one of these cancers, you basically become uninsurable,” Winston said. “They will ask you about it on your policy, and if you lie about it, they will take away your policy when you really need it.”
Hospitals that conduct genetic scans are obligated to keep those results private under a landmark 1996 law, the Health Insurance Portability and Accountability Act, which protects a vast range of personal medical information. But HIPAA doesn’t apply to private companies that do at-home paternity tests, or to commercial outfits such as 23andme, Ancestry and Helix, which are rapidly drawing millions of customers.
All these commercial companies issue privacy statements that promise to protect customers’ personal data. But all those statements come with provisos that data could potentially be compromised by a cyber attack, security breach or compliance with a court order from investigators.
As the Golden State Killer case revealed, criminal investigators do not need to obtain a warrant or subpoena to access a DNA database.
Both Ancestry and 23andme require customers to send in tubes of saliva, and do not allow submission of genetic profiles created by separate services. For investigators to create a fake account and then obtain DNA results, they’d need to find enough saliva from a crime scene or suspect to partially fill one of the tubes.
Scott Hadly, a spokesman for 23andme, said the company has seen no cases where law enforcement or others have attempted to create fake accounts to get DNA analyzed. He also reiterated the company’s approach on dealing with requests from investigators.
“23andme’s policies prohibit the company from voluntarily working with law enforcement,” said Hadly. “23andme has never given customer information to law enforcement officials, and we do not share information with employers or insurance companies.”
While that may be true, commercial DNA companies do share customers’ genetic data – mostly with research partners and largely in aggregated, anonymous formats. As these partnerships proliferate, so does the chance that someone’s DNA identity could be hacked or otherwise compromised, said Pitts, the former FDA regulator.
“Once they share people’s genetic information with partner companies, they can’t be responsible for security protocols of those partners,” said Pitts, who now heads the Center for Medicine in the Public Interest.
Currently there are no federal requirements that DNA testing companies inform customers about a security breach that could expose their personal data. But social media companies could soon face that mandate. During a recent Senate hearing, Sen. Amy Klobuchar of Minnesota asked Facebook CEO Mark Zuckerberg if he’d support regulations to notify users of a data breach within 72 hours. Zuckerberg said he wouldn’t be opposed.