Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information
Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with similar genetics companies, would be targeted by hackers. Those predictions now appear to have come true, and the episode should serve as a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers had been exposed and may be for sale on the dark web.
According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.
“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.
The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.
For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.
Anne Wojcicki is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured against similar cyber theft. (Photo copyright: TechCrunch.)
23andMe Claims Data Leak Not a Security Incident
23andMe has confirmed that the leaked data is legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ systems] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.
However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.
What the genetics company has determined is that the compromised accounts belonged to users who had opted into the DNA Relatives feature on its website, which lets customers find and connect with people related to them. Because each compromised account could view the DNA Relatives profile data of its matches, the attacker harvested far more profiles than accounts: “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.
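To make the two mechanisms concrete, the following Python is an added example written for this page, not 23andMe’s code. It runs the credential-stuffing signature (one IP trying many distinct accounts, roughly once each, with a high failure rate, which distinguishes stuffing from per-account brute force) over constructed login log lines, then counts how many profiles a DNA-Relatives-style sharing feature exposes through the accounts that were actually logged into. The log lines, account names, and relatives graph are all made up for the example.

```python
"""Credential-stuffing triage plus relatives-feature exposure count (added example).

All inputs below are constructed for illustration; none is real 23andMe data.
"""
from collections import defaultdict

# Constructed sample log, one login attempt per line: "timestamp ip account result".
# 198.51.100.7 tries eight different accounts once each (stuffing from a leaked list);
# 203.0.113.9 hammers a single account (brute force); 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2023-09-30T10:00:01Z 198.51.100.7 alice@example.net FAIL
2023-09-30T10:00:02Z 198.51.100.7 bob@example.net FAIL
2023-09-30T10:00:03Z 198.51.100.7 carol@example.net OK
2023-09-30T10:00:04Z 198.51.100.7 dave@example.net FAIL
2023-09-30T10:00:05Z 198.51.100.7 erin@example.net OK
2023-09-30T10:00:06Z 198.51.100.7 frank@example.net FAIL
2023-09-30T10:00:07Z 198.51.100.7 grace@example.net FAIL
2023-09-30T10:00:08Z 198.51.100.7 heidi@example.net FAIL
2023-09-30T10:01:00Z 203.0.113.9 alice@example.net FAIL
2023-09-30T10:01:05Z 203.0.113.9 alice@example.net FAIL
2023-09-30T10:01:09Z 203.0.113.9 alice@example.net OK
2023-09-30T10:02:00Z 192.0.2.44 ivan@example.net OK
"""


def parse_log(text):
    """Return a list of (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((ts, ip, account, result == "OK"))
    return events


def stuffing_suspects(events, min_accounts=5, max_attempts_per_account=2.0, min_fail_ratio=0.5):
    """Map each suspicious source IP to the sorted list of accounts it logged into.

    Credential stuffing replays leaked email:password pairs, so a single source
    touches many accounts with only one or two attempts each and mostly fails
    (most people did not reuse that password here). Many attempts against one
    account is brute force and is deliberately excluded.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0, "hits": set()})
    for _ts, ip, account, ok in events:
        s = per_ip[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if ok:
            s["hits"].add(account)
        else:
            s["fails"] += 1

    suspects = {}
    for ip, s in per_ip.items():
        distinct = len(s["accounts"])
        if distinct < min_accounts:
            continue
        if s["attempts"] / distinct > max_attempts_per_account:
            continue  # per-account hammering: brute force, not stuffing
        if s["fails"] / s["attempts"] < min_fail_ratio:
            continue  # mostly-successful traffic from a shared NAT is not stuffing
        suspects[ip] = sorted(s["hits"])
    return suspects


# Constructed opt-in sharing graph (hypothetical): account -> relative profile IDs it may view.
RELATIVES = {
    "carol@example.net": {"profile-1", "profile-2", "profile-3"},
    "erin@example.net": {"profile-3", "profile-4"},
    "alice@example.net": {"profile-5"},
}


def profiles_exposed(compromised_accounts, relatives=RELATIVES):
    """Every profile readable from any compromised account, including the accounts' own.

    This is why the number of profiles scraped can exceed the number of accounts
    actually breached: each login also yields the profiles shared with it.
    """
    exposed = set()
    for account in compromised_accounts:
        exposed.add(account)
        exposed |= relatives.get(account, set())
    return exposed


if __name__ == "__main__":
    suspects = stuffing_suspects(parse_log(SAMPLE_LOG))
    for ip, hits in suspects.items():
        exposed = profiles_exposed(hits)
        print(f"{ip}: {len(hits)} accounts breached, {len(exposed)} profiles exposed")
```

On the constructed log, only 198.51.100.7 is flagged: it logged into two accounts, but through the sharing graph those two logins expose six profiles. The thresholds are starting points; on a real service you would tune them on historical traffic and add a time window so that a slow, distributed stuffing campaign is not hidden by per-IP counting alone.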
Price of Private Information
Following the 23andMe data leak, the private genetic information was quickly available online … for a price.
“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.
Stolen medical records are becoming more valuable than credit card data, experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.
In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.
Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.
The federal class action complaint filed against 23andMe alleges that “[v]ictims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.
“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”
Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.
Preventing Future Data Leaks
Years of expert warnings that genetics companies like 23andMe needed stricter data security have proven justified. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”
“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.
Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.
‘Balwani is no Johnny Depp,’ says an expert on juror behavior, as prosecution and defense rest in fraud trial of the former executive of the now-defunct lab test company
Clinical laboratory directors and pathologists continue to follow closely the trials of the former founders and executives of the now-defunct blood test company Theranos. But as the criminal fraud trial of ex-president and COO Ramesh “Sunny” Balwani comes to a close, legal experts maintain the 57-year-old businessman may face an uphill battle to win an acquittal.
Balwani faces 12 counts of wire fraud and conspiracy to commit wire fraud while serving as second in command at Theranos, the former Silicon Valley medical laboratory test startup. The fraud trials of Balwani and Theranos founder Elizabeth Holmes have made headlines for more than a year as the two once-high-flying executives face a reckoning for allegedly defrauding patients, investors, and physicians about their proprietary Edison blood-testing device, which they claimed could conduct hundreds of blood tests using a finger-prick of blood.
Before resting their case, Balwani’s defense team called only two witnesses: information-technology consultant Richard Sonnier III, and naturopathic physician Tracy Wooten, NMD, of Arizona, who sent more than 100 patients to Theranos.
According to The Wall Street Journal (WSJ), Wooten “backtracked some of her support for Theranos on the stand.”
The WSJ reported that Sonnier’s testimony “had been hotly litigated by attorneys,” and that US District Judge Edward Davila ruled in May that Sonnier would be permitted to testify—with limitations—about the Theranos Laboratory Information System (LIS), which contained patient test results.
Theranos LIS Not Accessible to Government Prosecutors
Sonnier was hired by Balwani’s legal team to assess the accessibility of data held in the LIS, which the defense believed would have provided evidence of Theranos test accuracy.
The WSJ noted that in 2018, the year Balwani and Holmes were indicted, the government subpoenaed a copy of the LIS, which Theranos provided. However, the LIS data was delivered on an encrypted hard drive.
“Not only was the hard drive itself encrypted, but the data it contained was also encrypted with a separate passcode required,” the WSJ wrote. “The government didn’t have the passcode to access the data, and a day or two after sending the hard drive to US attorneys, Theranos officials ordered the entire original database dismantled, according to court testimony.”
The WSJ reported that Sonnier testified he was unable to access the encrypted data on a backup hard drive despite having a list of possible passcodes found in Theranos documents. Sonnier also testified that it would have been “very straightforward” to reassemble the original LIS and “recover that data.” The missing password wouldn’t be an issue, Sonnier testified.
Ramesh “Sunny” Balwani, ex-president and COO of the now-defunct blood test startup Theranos, faces 12 counts of wire fraud and conspiracy to commit wire fraud. In an interview with Insider, an expert in conducting jury research, focus groups, witness preparation, and jury selection said that “both the evidence and the way Balwani is perceived would affect his chances of being acquitted,” and that “He has a lot of problems that [Elizabeth Holmes] didn’t have. He kind of fits the part from a juror’s standpoint.” Clinical laboratory directors will learn much from how Balwani’s role as the primary decision-maker in the Theranos lab is perceived by the jury. (Photo copyright: Justin Sullivan/Getty Images/Newsweek.)
The Prosecution Rests
Federal prosecutors rested their case last month after calling more than 24 witnesses. The government alleges Balwani worked closely with Holmes and conspired with her to defraud investors and patients about the startup’s blood testing technology. They allege he knew about the accuracy and reliability problems that plagued Theranos’ Edison blood-testing device.
Holmes was convicted in January on three of the nine wire fraud counts and one of the two conspiracy counts. She was acquitted on the four counts related to defrauding patients: one charge of conspiracy to commit wire fraud and three charges of wire fraud.
While prosecutors failed to persuade jurors that Holmes intentionally sought to defraud patients, Bloomberg legal reporter Joel Rosenblatt told the Bloomberg Law Podcast he believes Balwani is “inherently more vulnerable” on the patient-related fraud counts because he “oversaw” the operation of Theranos’ clinical laboratories.
“As a result of that role, [Balwani] was more aware of not only the faulty Theranos blood test results, but all the problems that employees were pointing out about those results,” Rosenblatt added. “So, he was the first high-level executive to be dealing with those complaints.”
Rosenblatt noted that Balwani’s defense centers not only on trying to show that Theranos’ proprietary blood-testing machine worked, but that it “works maybe well enough or worked as well as other [medical] laboratories.” He said Balwani also maintains that Holmes, as CEO and founder, was in charge long before he joined Theranos as president.
“It’s a difficult argument to make because all the emails show how cooperative they were, how closely they worked together. They were intimately involved but they were working side by side for years and really during the years where all the money started coming in,” Rosenblatt said in the podcast.
“He has a lot of problems that [Elizabeth Holmes] didn’t have,” said Taylor, the jury-research expert interviewed by Insider. “He kind of fits the part from a juror’s standpoint. He’s got the power, the authority, he’s got the personal traits that make the allegations more credible from a perceptual standpoint for the jury.”
In contrast, Taylor says, “People don’t love Elizabeth Holmes, but I think what she had going for her was that she pitched herself as a true believer in the company. She was the voice and the face of Theranos.”
‘Balwani is not Johnny Depp’
While a jury recently awarded actor Johnny Depp significantly more damages than actress Amber Heard in their well-publicized defamation trial, Taylor maintains jurors are unlikely to view Balwani as a sympathetic figure.
“Sunny Balwani is not Johnny Depp. He doesn’t have the halo that Johnny Depp has, or the fan base,” Taylor said. “He does not present as that type of person, so I don’t know that the jurors will have any sympathy towards him. And I think they would actually be more inclined to believe Holmes’ allegations.”
The Theranos fraud trials of Holmes and Balwani continue to capture the attention of clinical laboratory directors and pathologists who are now witnessing the final chapters in the downfall of the one-time Silicon Valley power couple.