The Privacy Delusions Of Genetic Testing
BY: Peter Pitts
Mr. Pitts, a former FDA associate commissioner, is president of the Center for Medicine in the Public Interest.
Genetic testing promises a revolution in healthcare. With just a few swabs of saliva, diagnostics can provide an unprecedented look into a person’s family history and potential health risks. Within a decade, global sales of genetic tests are expected to hit $10 billion. Direct-to-consumer companies such as 23andMe and Genos have proven particularly popular, with tens of thousands of people purchasing at-home testing kits every year.
But the industry’s rapid growth rests on a dangerous delusion: that genetic data is kept private. Most people assume this sensitive information simply sits in a secure database, protected from hacks and misuse.
Far from it. Genetic-testing companies cannot guarantee privacy. And many are actively selling user data to outside parties.
The problem starts with the Health Insurance Portability and Accountability Act (HIPAA), a 1996 federal law that allows medical companies to share and sell patient data if it has been “anonymized,” or scrubbed of any obvious identifying characteristics.
In 2013, 23andMe CEO Anne Wojcicki speaks at an announcement for the Breakthrough Prize in Life Sciences on UCSF’s Mission Bay. In 2015 the Google-backed genetic testing company pledged to reintroduce some health-screening tools that regulators had forced off the market, due to concerns about accuracy and interpretation.
The Portability Act was passed when genetic testing was just a distant dream on the horizon of personalized medicine. But today, that loophole has proven to be a cash cow. For instance, 23andMe has sold access to its database to at least 13 outside pharmaceutical firms. One buyer, Genentech, ponied up a cool $10 million for the genetic profiles of people suffering from Parkinson’s. AncestryDNA, another popular personal genetics company, recently announced a lucrative data-sharing partnership with the biotech company Calico.
Customers are wrong to think their information is safely locked away. It’s not; it’s getting sold far and wide. Many testing firms that generally don’t sell patient information, such as Ambry and Invitae, give it away to public databases. Such transfers, as privacy consultant Bob Gellman puts it, leave a “big gap in protections.” Hacks are inevitable. Easily accessible, public genetic depositories are obvious targets.
If genetic data does fall into the hands of nefarious actors, it’s relatively easy for them to de-anonymize it. New lab techniques can unearth genetic markers tied to specific, physical traits, such as eye or hair color. Sleuths can then cross-reference those traits against publicly available demographic data to identify the donors.
Using this process, one MIT scientist was able to identify the people behind five supposedly anonymous genetic samples randomly selected from a public research database. It took him less than a day. Likewise, a Harvard Medical School professor dug up the identities of over 80% of the samples housed in his school’s genetic database. Privacy protections can be broken. Indeed, no less than Linda Avey, a cofounder of 23andMe, has explicitly admitted that “it’s a fallacy to think that genomic data can be fully anonymized.”
Once genetic data has been linked to a specific person, the potential for abuse is vast and frightening. Imagine a political campaign exposing a rival’s elevated risk of Alzheimer’s. Or an employer refusing to hire someone because autism runs in her family. Imagine a world where people can have their biology held against them. Such abuses represent a profound violation of privacy. That’s the risk inherent in current genetic-testing practices.
For their part, direct-to-consumer testing companies have been less than forthright about these dangers, usually burying privacy disclaimers deep in their contracts and refusing to disclose how long they keep customer data or how it can be used.
23andMe customers have to wade through pages of fine print before finding out that their information may be “shared with research partners, including commercial partners.” AncestryDNA’s contract claims a “perpetual, royalty-free, worldwide, transferable license to use your DNA.” New research published in the journal Nature found that genetic-testing companies frequently fail to meet even basic international transparency standards.
Genetic testing has tremendous benefits. We are provided a closer look at our own biology. Medical researchers develop a deeper understanding of the origins of disease and can create powerful new treatments. But today, far too many donors are operating under a false sense of security, handling profoundly intimate data without appropriate protections.