Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information
Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be for sale on the dark web.
According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.
“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.
The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.
For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.
Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)
23andMe Claims Data Leak Not a Security Incident
23andMe has confirmed that the leaked data is legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.
However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.
The genetics company has determined that the compromised accounts belonged to users who chose the DNA Relatives feature on its website as a means to find and connect with individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.
Price of Private Information
Following the 23andMe data leak, the private genetic information was quickly available online … for a price.
“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.
Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.
In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.
Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.
“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.
“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”
Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.
Preventing Future Data Leaks
Years of expert warnings that genetics companies like 23andMe need stricter data security have proven true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”
“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.
Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.
Separate research projects at University of Washington and in the United Kingdom are producing handheld diagnostic devices to accurately detect malaria
Two new handheld, point-of-care test (POC) devices for malaria could save millions of lives in third-world countries. At the same time, these POC devices may lead to inexpensive alternatives for diagnosing common diseases in developed nations as well.
Clinical laboratory test developers see a big opportunity in developing assays to detect malaria. That is because an estimated 200 million cases of malaria are diagnosed annually, resulting in the death of about 100 million people each year.
Recently, two organizations released news about the specific testing devices they have developed to detect malaria. One group is at the University of Washington in Seattle, Washington. The other group is NanoMal, a biotechnology company located in the United Kingdom.
Multi-billion-dollar mega-deal positions Thermo Fisher to offer a broader spectrum of gene sequencing systems to clinical laboratories and pathology groups
Earlier this week, Thermo Fisher Scientific, Inc., (NYSE: TMO) of Waltham, Massachusetts, announced a deal that will shake up the market for next-generation gene sequencing and genetic testing. It will acquire Life Technologies Corporation (NASDAQ: LIFE) of Carlsbad, California.
More IVD Industry Consolidation That Affects Clinical Laboratories
It is another example of consolidation involving two companies that sell products to the clinical laboratory and anatomic pathology sectors of the lab medicine marketplace. It is also a multi-billion dollar transaction. Thermo Fisher will pay $13.6 billion for Life Technologies, or $76 per share, according to a Reuters report. This amount represents an 11.7% premium over the $68 price per share of Life Technologies’ stock when trading began Monday morning.
Both pathology profession and biotech industry have much at stake in how Supreme Court rules in this important case involving the patentability of genes
Legal challenges to gene patents are a high interest topic among pathologists and clinical laboratory scientists who perform genetic testing. Two high profile cases involving gene patents were accepted by the Supreme Court. A ruling was made in one case and the second case is continuing.
The Supreme Court issued a ruling in one case, titled Mayo Collaborative Services v. Prometheus Laboratories, Inc. (Prometheus). The dispute centered upon Prometheus’ method patents for testing for metabolites of the drug thiopurine in patients with gastrointestinal disease.
In a unanimous opinion, the Supreme Court ruled that these patents were invalid. Some medical laboratory scientists believe that the ruling could ultimately result in the invalidation of the even more significant gene patents, including those gene patents at issue in Association for Molecular Pathology, et al. v. Myriad Genetics (Myriad).
New Ruling Has Huge Significance for Pathology and Lab Medicine
According to a story in CAP Today, in the Prometheus case, the court reasoned that a process of recognizing and reciting a law of nature is not patentable because laws of nature are not patentable.
This summer, the Supreme Court will hear oral arguments in the case of Association of Molecular Pathology vs. Myriad Genetics. At issue is the patentability of genes. In March, the Supreme Court ruled unanimously against Prometheus in another case involving gene patents. (Image by PSmag.com)
“We have the first clear statement by the Supreme Court—and by a unanimous Supreme Court—that laboratory testing really amounts to nothing more than an observation about the correlation between an analyte and a particular medical condition is not patentable,” stated Jack Bierig, JD, Partner with Sidley Austin in Chicago, in the CAP Today article.
Bierig observed that the key question presented by Prometheus is where to draw the line between a law of nature and an application of the law. “There is a well-known distinction between laws of nature—which are not patentable; and applications of laws of nature—which are patentable,” he stated. “This is the first Supreme Court case that has addressed that question in the context of laboratory testing.”
Prometheus Decision May Render Myriad Gene Patent Claims Invalid
Important questions still remain about the patentability of genes. Just six days following the March 20, 2012, ruling in Prometheus, the Court remanded Myriad to the CAFC for reconsideration under the new ruling. In 2011, the CAFC found in favor of Myriad.
The Myriad case originated in 2009 when several plaintiffs, including the American Civil Liberties Union, filed a lawsuit challenging seven of Myriad Genetics’ (NASDAQ: MYGN) patents on the BRCA1 and BRCA2 genes and methods for interrogating the genes.
The question of gene patentability is of critical importance to pathologists, according to Roger D. Klein, M.D., J.D., a molecular pathologist and Chair of the Professional Relations Committee of the Association for Molecular Pathology (AMP). Klein observed in CAP Today that enforcement of gene patents in Myriad has interfered with pathologists’ ability to provide comprehensive interpretations involving multiple diagnostic test procedures. He asserted that the patents have also prevented pathologists from implementing cost-saving algorithms that reduce unnecessary testing.
Biotechnology in a “Minor Panic” Following Prometheus Ruling
According to a story in The Economist, the biotechnology industry is in a “minor panic” at the implications of the high court’s unexpected ruling in Prometheus.
Klein rejects the biotechnology industry’s argument that patent invalidation will jeopardize the advancement of personalized medicine. “I think it will produce tremendous advancement and accelerate progress,” he stated.
John H. Noseworthy, M.D., President and Chief Executive Officer of Mayo Clinic, agreed. “[The new ruling] will favorably impact patient care because it provides broad access to good-quality bedside testing,” he stated in a story published by The Wall Street Journal.
At this point, oral arguments in the Myriad case are scheduled for this summer. In reconsidering the Myriad case, the CAFC may reverse its previous ruling upholding the BRCA gene patents, Bierig speculated. Or, the case may end up in the Supreme Court for final determination.
“I think there’s a chance that the Supreme Court could now rule that the product of the genome is basically a natural phenomenon,” observed Bierig. Klein agreed, suggesting that the Prometheus decision probably renders the Myriad patent claims invalid.
Pathologists and clinical laboratory managers will want to continue to follow the surprising developments in these clinically-relevant patent cases. The Prometheus decision sent a clear message that the Supremes are positioned on the side of the “medical” rather than “commercial” ethic in the area of genetic patents.
For its part, the biotechnology industry may ultimately have to resort to seeking relief through congressional revision of patent law as it pertains to genes. Of course, it can be expected that the clinical laboratory testing profession would be actively educating Congressmen should there be consideration of such legislation.
At issue is the ability of biotech companies to hold patents on genes that might be used in clinical laboratory testing
Patents involving human genes have always been controversial among pathologists and clinical laboratory managers. This is one reason why many in the medical laboratory testing industry are following the progress of the well-publicized lawsuit that challenged certain patents involving human genes that are held by Myriad Genetics, Inc. (Myriad), of Salt Lake City, Utah.