News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


Data Theft at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be being sold on the dark web.

According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.

“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.

The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.

For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.


Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)

23andMe Claims Data Leak Not a Security Incident

23andMe has confirmed that the leaked data is legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.

However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.

What the genetics company has determined is that the compromised accounts belonged to users who had opted into the DNA Relatives feature on its website as a means to find and connect with individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.

Price of Private Information

Following the 23andMe data leak, the private genetic information was quickly available online … for a price.

“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.

Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.

In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.

Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.

Inevitable Federal Lawsuit

Regardless of what security measures the 23andMe site boasts, the breach quickly brought a proposed federal class action suit filed on October 9 in the US District Court for the Northern District of California. The suit, “filed by plaintiffs representing all persons who had personal data exposed,” claims that information from Mark Zuckerberg, Elon Musk, and Sergey Brin was among the leaked data, Bloomberg Law reported.

“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.

“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.

Preventing Future Data Leaks

Years of expert warnings that genetics companies like 23andMe need stricter data security have proven true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.

Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.

—Kristin Althea O’Connor

Related Information:

23andMe Blog Post: Addressing Data Security Concerns

23andMe Sued Over Hack of Genetic Data Affecting Thousands

23andMe Notifies Customers of Data Breach into Its ‘DNA Relatives’ Feature

Genetics Firm 23andMe Says User Data Stolen in Credential Stuffing Attack

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Industry Voices—Forget Credit Card Numbers. Medical Records Are the Hottest Items on the Dark Web

Hacker Claims to Have Stolen Genetic Data from Millions Of 23andMe Users and Is Trying to Sell the Information Online

US District Court California Northern District (San Francisco) Civil Docket for Case #: 3:23-Cv-05147-EMC

2018 Trustwave Global Security Report

Ransomware Activity Targeting the Healthcare and Public Health Sector

23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews

Five Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies

The FTC Is Investigating DNA Firms Like 23andme and Ancestry over Privacy

Consumer Genetic Testing Company 23andMe to Merge with Sir Richard Branson’s VG Acquisition Corp. and Go Public

The merger is expected to boost investment in 23andMe’s consumer health and therapeutics businesses

After years of spectacular growth, the popularity of direct-to-consumer (DTC) genetic testing is beginning to wane. Nevertheless, opportunities still exist in the DTC genetic testing market for visionaries with funds to invest.

One such visionary is billionaire Richard Branson, founder of the multinational venture capital conglomerate Virgin Group (VG). Branson’s VG Acquisition Corp. (NYSE:VGAC), a special purpose acquisition company (SPAC), announced it is merging with 23andMe of Sunnyvale, Calif., to create a publicly-traded company with the New York Stock Exchange ticker symbol ME.  

In a VG press release, Branson states his reason for the merger. “Of the hundreds of companies we reviewed for our SPAC, 23andMe stands head and shoulders above the rest,” he said. “As an early investor, I have seen 23andMe develop into a company with enormous growth potential. Driven by [CEO Anne Wojcicki’s] vision to empower consumers, and with our support, I’m excited to see 23andMe make a positive difference to many more people’s lives.”

According to a 23andMe press release, the deal values the company at approximately $3.5 billion and will net the consumer genetics and research company as much as $759 million in additional cash. Wojcicki and Branson each invested $25 million themselves as part of the $250 million fund to take the company public.

“As a fellow industry disruptor as well as an early investor in 23andMe, we are thrilled to partner with Sir Richard Branson and VG Acquisition Corp. as we approach the next phase of our business, which will create new opportunities to revolutionize personalized healthcare and medicine,” 23andMe co-founder and CEO Anne Wojcicki (above) said in the press release. “We have always believed that healthcare needs to be driven by the consumer, and we have a huge opportunity to help personalize the entire experience at scale, allowing individuals to be more proactive about their health and wellness. Through a genetics-based approach, we fundamentally believe we can transform the continuum of healthcare.” (Photo copyright: Inc. magazine.)

Participation in Research Key to Future of DTC Genetics Testing

Though DTC genetic testing kit sales have slowed in recent years for both 23andMe and rival Ancestry, Wojcicki believes the company’s database of 10 million customers—with 80% of customers agreeing to participate in research—is the key to its future.

“We have always seen health as a much bigger opportunity” than genealogy, Wojcicki told The Wall Street Journal (WSJ).

According to the WSJ, 23andMe customers fill out more than 30,000 surveys each day on health and related issues. With that information, the company has determined its database includes 1.7 million people with high cholesterol, nearly 1.6 million with depression and 539,000 with Type 2 diabetes, information that is highly valued by medical researchers and those running clinical trials.

Personalizing Healthcare through DTC Genetic Testing

Wojcicki expects the merger will propel the consumer DNA-testing company into personalized medicine and therapeutics. “We have always believed that healthcare needs to be driven by the consumer, and we have a huge opportunity to help personalize the entire experience at scale, allowing individuals to be more proactive about their health and wellness,” Wojcicki said in a statement. “Through a genetics-based approach, we fundamentally believe we can transform the continuum of healthcare.”

In August 2020, the US Food and Drug Administration “granted 23andMe a 510(k) clearance for a pharmacogenetics report on two medications—Clopidogrel, prescribed for certain heart conditions, and Citalopram, which is prescribed for depression,” 23andMe announced in a blog post.

“This impactful pharmacogenetics information can now be delivered without the need for confirmatory testing, a testament to the clinical validity of 23andMe results,” said Kathy Hibbs, 23andMe Chief Legal and Regulatory Officer, in the blog post. “23andMe remains the only company with direct-to-consumer pharmacogenetic reports cleared by the FDA.”

23andMe’s trove of genetic data already has netted it a partnership with GlaxoSmithKline (GSK). According to a GSK press release, in 2018, the two companies signed a four-year research and development agreement. The collaboration targets novel medicines and potential cures using human genetics as the basis for discovery.

COVID-19 Boosts 23andMe’s Sales

During a joint interview with Branson in Bloomberg News about the merger, Wojcicki said, “COVID-19 has really opened up doors.” Now more than ever, she said, people are interested in preventative healthcare. “I’ve had this dream since 2003 that genetics would revolutionize healthcare and that’s really the era I see we can now usher in,” she added.

As 23andMe pushes further into personalized therapeutics, clinical laboratories and pathology groups would be wise to watch and see if this new entrant accelerates healthcare’s shift to the precision medicine model of personalized care.

—Andrea Downing Peck

Related Information:

23andMe to Merge with Virgin Group’s VG Acquisition Corp. to Become Publicly Traded Company Set to Revolutionize Personalized Healthcare and Therapeutic Development through Human Genetics

23andMe Go Public with Richard Branson Backed SPAC

GSK and 23andMe Sign Agreement to Leverage Genetic Insights for the Development of Novel Medicines

23andMe Lays Off 100 People, CEO Anne Wojcicki Explains Why

FDA Grants 23andMe Clearance to Offer Interpretive Drug Information for Two Medications

Fears over DNA Privacy as 23andMe Plans to Go Public in Deal with Richard Branson

23andMe to Go Public as $2.5 Billion Company via Branson Merger

Skeptical Missouri Pathologist Played a Key Role in Wall Street Journal Reporter John Carreyrou’s Exposé of Medical Lab Test Company Theranos

Fawning media coverage of Theranos’ blood-test claims ended once experts spoke out, showing the importance of strong relationships between pathologists and journalists

Wall Street Journal (WSJ) reporter John Carreyrou’s investigation into former Silicon Valley darling Theranos is credited with turning the spotlight on the blood-testing company’s claims and questionable technology. However, Carreyrou’s investigation may never have happened without the assistance of Missouri pathologist Adam Clapper, MD, who tipped off the reporter to growing skepticism about Theranos’ finger-stick blood testing device.

Clapper’s involvement in Theranos’ fall from grace provides a lesson on why anatomic pathologists, clinical pathologists, and other medical laboratory leaders should cultivate strong working relationships with healthcare journalists who seek out expert sources when covering lab-related issues.

Dark Daily has written extensively about Theranos—once valued at nine billion dollars—and its founder and former CEO Elizabeth Holmes, whose criminal trial on nine counts of wire fraud and two counts of conspiracy to commit wire fraud is scheduled to begin this summer, noted the WSJ.

In 2018, Holmes and former Theranos President Ramesh “Sunny” Balwani settled a civil case with the Securities and Exchange Commission (SEC). Holmes agreed to pay a $500,000 penalty and relinquished control of Theranos. She also was barred from serving as Director of a public company for 10 years.

Theranos Investigation Would Not Have Occurred without Clapper

Holmes founded Theranos in 2003 when she was 19 years old. By 2013, Holmes had become a media sensation based on her claims that Theranos had developed a medical technology that could run thousands of clinical laboratory tests using the blood from a tiny finger-prick. And, she claimed, it could do so quickly and cheaply.

By 2015, Carreyrou’s exposé in the Wall Street Journal revealed Theranos’ massive deceptions and questionable practices. His series of stories kickstarted the company’s downfall. However, Carreyrou acknowledges his investigation would not have occurred if it were not for pathologist Clapper.

“Without Adam Clapper, I am almost 100% sure that I wouldn’t have done anything,” Carreyrou told the Missourian. “It was the combination of him calling me and telling me what he had found out and how he felt and my feelings about the New Yorker story that really got me on the call of this scandal,” he said.

Anatomic and clinical pathologist Adam Clapper, MD (above), became skeptical about Holmes’ claims after reading a profile on her in The New Yorker. In December 2014, Clapper ended a post on his now defunct Pathology Blawg by saying, “Until proven otherwise, I’m going to be skeptical of Theranos’ claims.” That comment became a starting point for Carreyrou’s later investigation into Theranos. (Photo copyright: Missourian.)

According to the Missourian, Clapper turned to Carreyrou because the reporter had impressed him as “very fact-oriented and fact-driven” during telephone interviews for a series Carreyrou had written the year prior on Medicare fraud.

“I could hear his wheels spinning in his head as we were talking the first time, then he definitely sounded interested and intrigued,” Clapper told the Missourian. “And then I could tell he was even more so because very soon thereafter—like half an hour after that initial conversation—he’d already started to do some research into Theranos.”

Ten months later, the WSJ published Carreyrou’s first installment of his series on Theranos.

“The fact that this tip originated from a guy in Columbia, Missouri, thousands of miles from Silicon Valley—who never spoke to Elizabeth Holmes, who had no connection to the company or even to Silicon Valley other than he read about her claims in a magazine and knew a lot about this by virtue of being a pathologist—tells you that the people who put in all the money in [Theranos] didn’t spend enough time talking to experts and asking them what was feasible and what wasn’t,” said Carreyrou.

Benjamin Mazer, MD (above), an anatomic and clinical pathology resident in pathology and lab medicine at Yale New Haven Hospital, argues pathologists’ voices were noticeably—and critically—absent from media coverage during Theranos’ decade-long ascension. “For many of us in the pathology community, the writing was on the wall long before Carreyrou’s article was published,” he wrote in Health News Review. “Had journalists consulted pathologists as expert sources, the news coverage of Theranos might have been less fawning and more skeptical. Patients might have been spared erroneous tests.” (Photo copyright: Yale University.)

The lawyers defending Holmes against criminal fraud charges are contending Carreyrou “went beyond reporting the Theranos story” by prodding sources to contact federal regulators about the company’s alleged frauds and “possibly biased the agencies’ findings against [Theranos],” Bloomberg News reported.

The Wall Street Journal, however, stands behind Carreyrou’s reporting, which later was published as a book titled “Bad Blood: Secrets and Lies in a Silicon Valley Startup.”

Carreyrou told New York Magazine he doesn’t blame reporters for hyping Holmes and the technology she touted.

“You could make a case that maybe they should have done more reporting beyond interviewing her and her immediate entourage,” he said. “But how much is a writer/reporter to blame when the subject is bald-face lying to him, too?”

Nonetheless, the Theranos scandal offers a lesson to pathologists and clinical laboratory professionals in the importance of building good working relationships with healthcare journalists who not only must accurately report on healthcare breakthroughs and developments, but also need someone they can trust for an unbiased opinion.

—Andrea Downing Peck

Related Information:

Blood, Fraud and Money Led to CEO’s Fall from Grace

Theranos Founder Elizabeth Holmes to Face Trial Next Year on Fraud Charges

Theranos, CEO Holmes, and Former President Balwani Charged with Massive Fraud

Hot Startup Theranos Struggled with Its Blood Test Technology

The Pathologist and ‘The Inventor’: How a Columbia Doctor Helped Take Down Theranos

Blood Simpler

Elizabeth Holmes Blames Journalist for Theranos Troubles

Pathologists Predicted the Theranos Debacle, but their Voices Were Missing from Most News Coverage

The Reporter Who Took Down a Unicorn

American Esoteric Laboratories Partners with the Department of Defense to Help Military Medical Laboratory Technicians Find Civilian Jobs

Pathologists and clinical laboratory managers can tap into this highly skilled pool of medical lab technicians as servicemen and women reenter the U.S. workforce

Returning veterans who are experienced medical lab technicians are having trouble finding employers that recognize and credit their military training and experience. Clinical laboratories now actively recruiting lab technicians will want to learn more about the availability of these qualified candidates in their communities.

One medical laboratory company already partners with a Department of Defense (DoD) program to help match skilled veteran jobseekers with private sector employers. That is American Esoteric Laboratories, a division of Sonic Healthcare USA. The existence of this program means that pathologists and clinical laboratory managers may be overlooking a ready source of highly skilled laboratory workers.

Combat Medics and Military Lab Technicians

Vermont Enacts Nation’s First Single-Payer Healthcare System Amid Controversy

Still not known is how pathologists and clinical laboratories will be paid for medical lab tests

In classic cart-before-the-horse thinking, Vermont enacted a law to institute a single-payer universal-coverage healthcare system within the state, starting in 2017. However, this law does not specify how the new healthcare system will be funded. That is the next challenge for the Vermont legislature.

Dark Daily suspects that anatomic pathology groups and clinical laboratories in the Green Mountain State will have a keen interest in learning how this new healthcare system will be funded—and how pathology services and medical laboratory tests will be reimbursed.

Vermont’s governor—Peter Shumlin—signed H.202 on May 26, 2011. It is a bit surprising that this news has not gotten much coverage by national news outlets. After all, this is a major innovation at the state level that will definitely re-shape healthcare services in the Green Mountain State.