Latest news with #SuzanneBernstein
Yahoo
01-05-2025
Tech Talk: What happens to your data when 23andMe sells it to the highest bidder?
This story was originally posted on

23andMe helped 15 million users around the world answer the question we all share: Where did I come from? Since its launch in 2006, the biotechnology company has not only answered questions about family trees, but also about genetic probabilities, such as whether you think cilantro tastes like soap or if you have a genetic marker associated with late-onset Alzheimer's disease or diabetes.

However, in March, after settling a $30 million lawsuit over a data breach, 23andMe declared bankruptcy and announced they are selling the company, including the massive amounts of data it has collected from willing customers who ordered a 23andMe tube, spit saliva into it, and sent it back over the last 20 years.

The result has spurred a nationwide data privacy debate, which includes an upcoming May 6 Congressional hearing focused on the security and ethical concerns regarding the collection, use, and sale of personal data, especially genetic data.

Suzanne Bernstein, an attorney with the Electronic Privacy Information Center, said the dissemination of 23andMe data is not only legal, but there is no comprehensive federal data privacy law in place to stop the sale of genetic data by a private company, including the Health Insurance Portability and Accountability Act—better known as 'HIPAA.'

'The HIPAA scope is very narrow; it only applies where a patient is sharing medical records with a doctor or insurance company,' Bernstein said. 'On the federal level, there aren't many protections for consumers for their highly sensitive genetic data that 23andMe has.'

On Tuesday, 23andMe reached an agreement to appoint a court-appointed overseer to safeguard customers' genetic data during the company's bankruptcy proceedings, resolving a dispute with multiple U.S. states.
Those 25 states argued the biotech company was not taking data security seriously after 23andMe proposed hiring a 'customer data representative' who would have a more limited focus on ensuring a future sale of the company complied with its current privacy policies.

According to an attorney for the company, it is still negotiating with potential buyers. After resigning as CEO of 23andMe, founder Anne Wojcicki said she is interested in buying the company back.

One reason for doing so is the value of 23andMe's data. 'That data for 23andMe is its largest asset,' Bernstein added.

However, she warned there are no safeguards in place to ensure what any potential buyer would do once it owned the data. Those potential buyers could include data brokers who could sell data to advertisers, drug companies, healthcare providers, or insurance companies. 'It's unclear who will buy that and what those uses of that data could be,' Bernstein said.

23andMe was created to influence how modern healthcare works by creating a genetic database large enough to discover common genetic variants linked to more than 240 'health conditions and traits,' including diseases and cancers.

In 2013, the U.S. Food and Drug Administration (FDA) told 23andMe to stop marketing its health-related genetic tests in the U.S. because the company did not complete the agency's regulatory review process. By 2018, the FDA had started allowing 23andMe to market the country's first-ever direct-to-consumer (DTC) tests, like their Personal Genome Service Genetic Health Risk (GHR) that tests for 10 diseases or conditions.

However, it's not the ability for people to use genetic testing to identify potential future health issues that has University of Washington (UW) Bioethics Professor Sue Trinidad. 'A concern I have about broad consent regimes where you say, 'OK, you can have my stuff and do whatever you want with it,'' Trinidad said.
'A broad consensus by definition means you don't know who those future users are, so you're being asked to place your trust in some person or entity that you know nothing about.'

Unlike private companies, like 23andMe, medical researchers are required to undergo ethics reviews to ensure that the burden and risks a person may incur while participating in research are justified. That is not a requirement for companies like 23andMe. 'On the research side, we are required to disclose risks that we think might happen or could happen and disclose the steps that we are taking to protect against that,' Trinidad said.

Attorneys General across the country recommended that customers who don't want their 23andMe data passed on to another company deactivate their account as soon as possible. In a release on their website, the Washington State Attorney General's Office also reminded Washingtonians of their right to genetic data privacy and ability to request data deletion.

Washington's My Health My Data Act safeguards residents' sensitive health information, including genetic data, from being collected, shared, or sold without their consent or authorization. The state law grants consumers the right to withdraw consent, request data deletion, and verify whether their data has been shared or sold. Additionally, consumers can obtain a list of all third parties who have received their data.

You can find the step-by-step process to deactivate your 23andMe account here.

If you choose not to deactivate your account, Bernstein warned that another concern to consider is how your data could be stored or used, not just in the following months and years, but for generations if that data is not destroyed. 'It's also a basic concern about how sensitive health information is being used for purposes that you really couldn't consider or think about when you first signed up, just to understand where your family might have come from,' Bernstein said.
Yahoo
26-03-2025
Why I'm Not Deleting My 23andMe Genetic Data
Various corners of the media and internet are hyperventilating over the alleged genetic privacy implications of the imminent Chapter 11 bankruptcy of the direct-to-consumer genetic testing company 23andMe. "Delete your DNA from 23andMe right now," yelps a headline over at The Washington Post. Why? "Unless you take action, there is a risk your genetic information could end up in someone else's hands—and used in ways you had never considered," ominously warns Post journalist Geoffrey Fowler.

NPR reports that Suzanne Bernstein, counsel at the nonprofit Electronic Privacy Information Center, advises that any concerned 23andMe customers should delete their data, request that their saliva sample be destroyed, and revoke any permissions they may have given to use their genetic information for research. "This is just the first example of a company like this with tremendous amounts of sensitive data being bought or sold," she added.

California Attorney General Rob Bonta urgently issued a consumer alert reminding "Californians of their right to direct the deletion of their genetic data under the Genetic Information Privacy Act (GIPA) and California Consumer Privacy Act (CCPA)."

Calm down, people. Genetic data are not especially toxic or extraordinarily dangerous. Nor are the privacy implications all that dire, especially compared to other widely available and easily deployed surveillance tools.

It is true that your genome is a permanent and immutable marker of your personal identity, but so too are your fingerprints and your face. The FBI's Next Generation Identification system contains the fingerprints of more than 186 million criminal, civil, and military individuals. (As a twenty-something, I worked briefly as a federal bureaucrat so my fingerprints are definitely in the system.)
While fingerprints have to be collected onsite and compared using offsite databases, facial recognition cameras with real-time database matching can become ubiquitous, able to track you nearly everywhere you go in public. Your face may be your passport but it's also your snitch.

Another often-expressed concern is that your genetic data could be used to identify relatives who have committed crimes. Police are now regularly using forensic genetic genealogy to identify suspects. They compare a DNA sample from a crime scene with commercial DNA databases, searching for genetic similarities among customers who may be relatives. Genealogists then identify likely suspects by cross-referencing the genetic data with traditional genealogical sources, such as census records, birth and death certificates, and so forth.

It is worth noting that 23andMe requires a warrant to release customer data to the police, unlike some other direct-to-consumer genetic testing companies. In addition, the FBI's National DNA Index contains over 18,135,382 offender profiles, 5,774,055 arrestee profiles, and 1,391,726 forensic profiles as of January 2025.

Data deletion alarmists point out that 23andMe suffered a data breach in 2023 in which the records of nearly 7 million of its customers were stolen by a hacker. Sounds bad, but do you know who else suffered recent data breaches? Hospital and medical records companies: some 2.7 million patient records held by ESO Solutions; 9 million held by medical transcription firm Perry Johnson & Associates; 8.5 million at Welltok; and 11 million at HCA Healthcare. All of these were just in 2023. Overall, healthcare breaches exposed 385 million patient records between 2010 and 2022.

Hackers typically demand a ransom to unencrypt pilfered files, but often also engage in double extortion by threatening to publicly release them.
Medical records companies pay because they fear that data exposure can lead to legal consequences, regulatory fines, and reputational damage. Much less commonly, hackers try to blackmail individual patients. A couple of such instances involved attempts to blackmail patients at a Finnish mental health clinic and a Florida plastic surgery practice.

Compare the consequences of these non-genetic database breaches to how information from the 23andMe data breach could supposedly be misused. One suggestion is that your genetic data might be used to blackmail you. If you've committed an unsolved murder or a rape or have produced stray progeny, you might worry about the prospect of blackmail. Data such as names, addresses, and birth dates stored by 23andMe might be used to impersonate you, but that is not a risk particular to the genetic information collected by 23andMe. More far-fetched is the notion that your genetic data might somehow contribute to the creation of a bioweapon.

But what about genetic discrimination? The Genetic Information Nondiscrimination Act of 2008 (GINA) forbids employers and health insurers from requiring genetic data from you or using it to discriminate against you. For example, health insurers may not use genetic information to determine if someone is eligible for insurance or to make coverage, underwriting, or premium-setting decisions.

However, GINA does not cover life, disability, or long-term care insurance. So far, Florida is the only state that forbids life and long-term insurance providers to cancel, limit, or deny coverage or establish differentials in insurance rates based on genetic information.

In any case, no life insurance companies so far require any genetic testing or access to direct-to-consumer genetic data when issuing policies. They can, however, consider any genetic data that is included as a matter of course in a person's medical records, which somewhat paradoxically can lead to insights about a patient's genetics.
Let me use myself as an example. A few years back I was seeking to purchase some additional life insurance, which involved disclosing my medical records, a physical exam, and some blood tests. Based on a specific blood test revealing slightly elevated NT-ProBNP levels, the company doubled its offered premium. I turned down the insurance, but I was intrigued by the data suggesting possible heart failure.

To make a long story short, MRIs found that I did have a touch of hypertrophic cardiomyopathy (HCM) that has very slightly thickened the walls of my left ventricle. Initial genetic testing by Invitae reported an inconclusive test result showing a change in the TNNC1 gene that may or may not cause or contribute to HCM. Subsequent evaluation eventually concluded that the variant does contribute to HCM. Hopefully, the information about my TNNC1 variant will be of use to others in the future. The good news is that the interaction of that genetic variant with my environment has resulted in a very mild version of the malady, such that my cardiologist assures me my HCM genetics is not what is going to kill me.

More cases of non-genetic medical tests uncovering genetic contributions to ailments are already on the way. For example, recent very accurate blood tests can diagnose the development of Alzheimer's disease years in advance, whereas tests for gene variants associated with late-onset Alzheimer's identify increased risk of the malady. For what it's worth, my 23andMe test results tell me that I do not carry the Alzheimer's high-risk APOE4 variant.

So far as I can tell, no life or long-term care insurance companies are requiring such blood tests yet, but given my NT-ProBNP experience, they will likely include them soon. And insurers doubtlessly will now take Alzheimer's blood test results into account if they turn up in your medical records.

Let's consider privacy with respect to medical versus genetic data.
All of us experience some self-consciousness about the infirmities and illnesses that inevitably afflict us. That self-consciousness stems partially from the fact that none of us wants to be regarded by others as weak and incompetent, unable to pull our own weight. Our medical records document the toll that time takes on our bodies. So privacy protections (the damnable Health Insurance Portability and Accountability Act—a topic for another time) are supposed to provide us with some measure of control over what we reveal to others as we curate our public images as independent and capable agents.

But how self-conscious should a person be about their genetic information? I interviewed Michael Cariaso, developer of the online genetic analysis tool Promethease, for my 2011 article on the early days of direct-to-consumer genetic testing. Asked why he had not publicly posted his genetic testing results, he responded, "someone later might discover that I have genes for a short penis and low intelligence." Undeterred by similar concerns, I posted online my 23andMe genetic screening results at SNPedia, where I invite anyone to review my numerous genetic flaws.

My 23andMe health predisposition reports suggest that I have gene variants that put me at higher risk for coronary artery disease, gallstones, non-alcoholic fatty liver disease, atrial fibrillation, and severe acne. I list those specifically because I have recently had medical tests that show no coronary artery blockages, no gallstones, a normal liver, and a regularly beating heart. I confess that I had a morbidly bad case of acne back in high school.

With respect to the other high-risk variants identified by my genetic screening tests, none have resulted in any noticeable illnesses as yet. Other genes (certainly not my clean living) not sequenced or identified yet by 23andMe are likely counteracting the deleterious effects of the higher-risk variants.
Clearly, I think that the deletists' claim that the genetic information held by 23andMe is especially "sensitive" is wrong. I invite my fellow 23andMe customers to consider why nearly 80 percent of you agreed to participate in 23andMe research efforts. Besides hoping to gain some insights about yourself, you also want to help advance medical science.

The company may or may not survive, but its stored genetic data remains a scientifically and medically valuable resource that some other research firm or institution may use to help develop new treatments and cures. Keep that in mind and resist being panicked into deleting your data for some speculative gain in privacy.

The post Why I'm Not Deleting My 23andMe Genetic Data appeared first on