News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel

News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel
Sign In

Data Theft at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be being sold on the dark web.

According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.

“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.

The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.

For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.

Anne Wojcicki

Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)

23andMe Claims Data Leak Not a Security Incident

The data leaked has been confirmed by 23andMe to be legitimate. “Threat actors used exposed credentials from other breaches [of other company’s security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.

However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.

What the genetics company has determined is that compromised accounts were from users choosing the DNA Relative feature on their website as a means to find and connect to individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.

Price of Private Information

Following the 23andMe data leak, the private genetic information was quickly available online … for a price.

“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.

Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.

In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.

Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.

Inevitable Federal Lawsuit

Regardless of what security measures the 23andMe site boasts, the breach quickly brought a proposed federal class action suit filed on October 9 in the US District Court for the Northern District of California. The suit, “filed by plaintiffs repressing all persons who had personal data exposed,” claims that information from Mark Zuckerberg, Elon Musk, and Sergey Brin were among the leak, Bloomberg Law reported.

“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.

“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.

Preventing Future Data Leaks

Years of experts warning genetics companies like 23andMe that they need more strict data security have proven to be true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.

Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.

—Kristin Althea O’Connor

Related Information:

23andMe Blog Post: Addressing Data Security Concerns

23andMe Sued Over Hack of Genetic Data Affecting Thousands

23andMe Notifies Customers of Data Breach into Its ‘DNA Relatives’ Feature

Genetics Firm 23andMe Says User Data Stolen in Credential Stuffing Attack

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Industry Voices—Forget Credit Card Numbers. Medical Records Are the Hottest Items on the Dark Web

Hacker Claims to Have Stolen Genetic Data from Millions Of 23andMe Users and Is Trying to Sell the Information Online

US District Court California Northern District (San Francisco) Civil Docket for Case #: 3:23-Cv-05147-EMC

2018 Trustwave Global Security Report

Ransomware Activity Targeting the Healthcare and Public Health Sector

23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews

Five Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies

The FTC Is Investigating DNA Firms Like 23andme and Ancestry over Privacy

American Society for Clinical Pathology Website Was Hacked Last Year, Possibly Exposing Credit Card Information of Members and Online Shoppers

Thousands of pathologists and medical technologists may have had their private data stolen, though ASCP investigators did not confirm this as having happened

For a “limited time period” in 2020, the American Society for Clinical Pathology (ASCP) was the target of a cyberattack that “potentially exposed payment card data as it was

being entered” on the ASCP website, according to a letter sent by McDonald Hopkins PLC to then Attorney General of the New Hampshire Department of Justice (DOJ) Gordon MacDonald.

In “World’s Largest Pathologists Association Discloses Credit Card Incident,” Bleeping Computer, an information security and technology news publication, reported that on March 11 of this year, ASCP employees discovered their system had been hacked. They discerned that between March 3, 2020, and November 6, 2020, the attackers had access to personal information being entered on the ASCP website.

Bleeping Computer noted that “[the ASCP’s] member list includes over 100,000 medical laboratory professionals, clinical and anatomic pathologists, residents, and students.”

In a statement, the ASCP said, “We have recently been informed that our e-commerce website was the target of a cybersecurity attack that, for a limited time period, potentially exposed payment card data as it was entered on our website.”

The information that may have been stolen includes data pertaining to individual credit cards, names, credit or debit card numbers, expiration dates, and security codes (CVV) associated with the cards.

“We engaged external forensic investigators and data privacy professionals and conducted a thorough investigation into the incident,” the ASCP said in the statement.

What Type of Cyberattack?

Evidence collected regarding the ASCP data breach indicates the attack was part of a web-skimming assault. This involves installing malicious software, such as Magecart, onto an e-commerce website. The software acts like a credit card skimmer enabling hackers to steal the payment and personal information of customers who are actively inputting data on the attacked website. The data is then sent to remote servers where it is used for identity theft or sold to others.

ASCP says it does not permanently store any of its customers’ payment card data on its servers, Bleeping Computer reported, which greatly reduces the potential risk of data exposure. In addition, the ASCP has implemented extra security measures to prevent similar incidents from happening in the future.

“We resolved the issue that led to the potential exposure on the website. We implemented additional security safeguards to protect against future intrusions. We continue ongoing intensive monitoring of our website, to ensure that it exceeds industry standards to be secure of any malicious activity,” the ASCP said in a statement, Bleeping Computer reported.

Peter-Blum-Group-Product-Manager-Google
In an interview with TechRepublic, Peter Blum (above), Group Product Manager at Google, discussed steps companies can take to proactively manage the threat of Magecart cyberattacks. “The best defense against Magecart attacks is preventing access,” Blum said. “Online companies need a solution that intercepts all of the API [application programming interface] calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.” (Photo copyright: LinkedIn.)

Federal Rules and Regulations Concerning HIPAA and PHI

The ASCP stated they have no evidence that any customer data was misused after the incident occurred. As of May 14, the organization has not made an official, public statement regarding the situation on their website, but affected individuals and jurisdictions were sent letters to inform them of the data breach.

With over 130,000 current members, Chicago-based ASCP is the largest professional organization for pathologists and clinical laboratory professionals in the world. The organization did not respond to Dark Daily’s inquiries regarding the data breach.

Although no reported violations under the Health Insurance Portability and Accountability Act (HIPAA) occurred in this ASCP data breach, it should be noted that there are rules under HIPAA for data breaches where Protected Health Information (PHI) may have been compromised.

Under the HIPAA Breach Notification Rule, entities that were hacked must perform the following steps:

  • Notify affected individuals within 60 days of the discovery of the breach. Notification should include a brief description of the breach, the types of information that may have been compromised, steps affected individuals should take to protect themselves from potential harm, and a description of what the organization is doing to investigate the breach, mitigate the harm, and prevent further breaches.
  • Hacked entity must inform the Secretary of Health and Human Services (HHS) within 60 days of the breach discovery if 500 or more individuals were affected. For breaches affecting less than 500 people, the breached entity may notify the Secretary of such breaches on an annual basis.
  • For breaches affecting more than 500 individuals, the hacked entity must also provide a notification to prominent media outlets, typically via a press release, that serve the state or jurisdiction.

This breach of credit card information belonging to a sizeable number of pathologists and clinical laboratory professionals using the ASCP website should be a warning to all clinical laboratories and anatomic pathology groups—along with colleges, societies, and associations—that their websites and digital systems can be attacked at any time. As well, clinical laboratory and pathology professionals should be on the alert and take all necessary precautions to minimize the possibility of data breaches.

—JP Schlingman

Related Information:

World’s Largest Pathologists Association Discloses Card Incident

American Society for Clinical Pathology—Incident Notification

ASCP Disclosed Payment Card Web Skimming Incident

Magecart Attack: What It is, How it Works, and How to Prevent It

What is Magecart? How This Hacker Group Steals Payment Card Data

A Deep Dive into Magecart: What Is Magecart?

Compliance Perspectives: State Enforcement Raises Liability Risks of Data Breaches

Three Federal Agencies Warn Healthcare Providers of Pending Ransomware Attacks; Clinical Laboratories Advised to Assess Their Cyberdefenses

University of California San Diego Researchers Demonstrates How Easily Medical Laboratory Systems and Devices Can Be Compromised, Putting Patient Lives at Risk

WannaCry Ransomware Holds Critical Data Hostage Worldwide, Including UK’s National Health Service and Russia’s Interior Ministry

HHS Announces Culpability Limits for HIPAA Violations, Drops Annual Fines Owed by Providers

Clinical laboratories need to understand how their patients’ protected health information is being used and secured by vendors to avert data breaches and HHS penalties

Most readers of The Dark Report, the sister publication to the Dark Daily, are aware that more than 24-million clinical laboratory patients had their protected health information (PHI) stolen during several recent data breaches involving multiple medical laboratory companies.

The first public statements made by clinical lab companies about breaches of protected health information were issued in June. Collectively, the following three lab companies announced that the data of more than 20 million patients was compromised:

In the eight weeks that followed, additional medical laboratory companies publicly disclosed breaches of their patient data, including:

What all these clinical lab companies had in common was that they had contracted with American Medical Collection Agency (AMCA) to process lab test claims. AMCA is where the data breaches originated.

Under the rules established by the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996, responsibility for the security of patient PHI falls to covered entities and business associates. This includes healthcare providers, health plans, and healthcare clearinghouses, such as AMCA. For clinical laboratories, this also includes vendors who receive patients’ PHI to complete their service contracts.

Until recently, any violation of HIPAA could draw down enormous fines—called Civil Money Penalties (CMPs)—by the US Department of Health and Human Services (HHS). Fines could reach $1.5 million annually across four categories, or tiers, of violations, depending on HHS’ determination as to the “level of culpability” of the violator. Those categories and min/max fines include:

  • No Knowledge, $100-$50,000 fine, $1.5 mil annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $1.5 mil annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000, $1.5 annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 annual limit.

Earlier this year, HHS released a “Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties.” In it, HHS revised its interpretation of the law and reduced CMPs, while more clearly defining how provider culpability ties to the ultimate amount of the fines:

  • No Knowledge, $100-$50,000 fine, $25,000 annual limit.
  • Reasonable Cause, $1,000-$50,000 fine, $100,000 annual limit.
  • Willful Neglect-Corrected, $10,000-$50,000, $250,000 annual limit.
  • Willful Neglect-Not Corrected, $50,000-$50,000, $1.5 annual limit

In the notice, HHS stated, “the Department recognized that section 13410(d) contained apparently inconsistent language (i.e., its reference to two penalty tiers ‘for each violation,’ each of which provided a penalty amount ‘for all such violations’ of an identical requirement or prohibition in a calendar year). To resolve this inconsistency, with the exception of violations due to willful neglect that are not timely corrected, the [interim final rule] adopted a range of penalty amounts between the minimum given in one tier and the maximum given in the second tier for each violation and adopted the amount of $1.5 million as the limit for all violations of an identical provision of the HIPAA rules in a calendar year.”

Modern Healthcare reports that “organizations that have taken measures to meet HIPAA’s requirements will face a much smaller maximum penalty than those who are found neglectful.”

Thus, the new HHS guidelines will be of interest to clinical laboratories, which must ensure the privacy of patients’ PHI, including being keenly aware of how vendor business associates are handling their patients’ data.

In an exclusive interview with The Dark Report, James Giszczak (above), Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins, said two important steps clinical laboratories must take include, “ensuring that your vendor has appropriate insurance policies in place that cover PHI breaches, and confirming that vendors comply with laws governing the protection of patients’ information.” To do that, he says, every lab needs to ensure that all critical provisions are covered in each contract it has with each vendor. (Photo copyright: Institute of Continuing Legal Education.)

Did HHS Go Too Far?

Some experts, however, wonder if HHS went too far in reducing annual penalties providers may owe. Could lower annual CMP caps cause organizations to relax strict PHI policies? Some privacy authorities urge caution and raise concern about how incentives may be perceived by providers and others.

“HHS is adopting a much lower annual cap for all violations except those due to willful neglect, which means significantly lower penalties for large breaches and for ongoing persistent violations of the rules,” Deven McGraw, Chief Regulatory Officer at Citizen Corporation and former Deputy Director Health Information Privacy for HHS’ Office for Civil Rights, told FierceHealthcare.

“Arguably,” she continued, “the incentive to fix these persistent failures is much less because the potential fines for failing to do so will not be very large. Same is true for large breaches—if you breach 10 records, at a minimum penalty of $1,000 for a breach due to reasonable cause, your fine would be $100,000, which is the annual cap.”

New Annual Limits Recognize ‘Unintentional’ Violations

But not all experts agree. Prior to HHS’ announcement, minimum to maximum penalty violations were the same as noted in the tiers above. The annual limits ($1.5 million), however, were the same for each of the four tiers.

Matthew Fisher, Partner at Mirick O’Connell and Chair of the Worcester, Mass. firm’s health law group, says the new penalty structure “is arguably good in terms of aligning potential penalties with the level of culpability.”

“If a violation was clearly unintentional and without knowledge, why should a potentially massive fine follow? While the discretion existed, the interpretation will now be binding and remove the potential uncertainty,” he told FierceHealthcare.

Advice for Clinical Laboratories

Labs are advised to develop appropriate procedures to safeguard their patients’ PHI under federal and state laws. And this includes knowing how vendors handle PHI. 

“Every lab should be proactive and do a review to understand each vendor’s policies, procedures, training, and response in the event of a breach,” James Giszczak, Data Privacy and Cybersecurity Attorney and Chair of the Litigation Department at McDonald Hopkins in Bloomfield Hills, Mich., told The Dark Report (TDR).

“By being prepared, clinical laboratories can save themselves many headaches,” he said. “Ultimately, these proactive steps may help laboratories save time, money, and costly bad publicity.”

Following that advice, along with understanding the new HHS notice, will help medical laboratory managers ensure the privacy and security of their client’s PHI.

—Donna Marie Pocius

Related Information:

HHS Implements HIPAA Fine Caps Based on Level of Culpability

Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties

HHS Moves to Reduce HIPAA Fines Lowering the Cap More Than $M for Some Violations

HHS to Cap HIPAA Fines Based on “Culpability”

Labs Should Heed Lessons from Huge Data Breach

Late-Breaking Lab News: Add Eight More Laboratories to the List of Lab Companies Whose Patient Data Were Breached

;