News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


Data Theft at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be being sold on the dark web.

According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.

“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.

The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.

For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.


Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)

23andMe Claims Data Leak Not a Security Incident

23andMe has confirmed that the leaked data is legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.

However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.

What the genetics company has determined is that the compromised accounts belonged to users who had chosen the DNA Relatives feature on its website as a means to find and connect with individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.

Price of Private Information

Following the 23andMe data leak, the private genetic information was quickly available online … for a price.

“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.

Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.

In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.

Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.

Inevitable Federal Lawsuit

Regardless of what security measures the 23andMe site boasts, the breach quickly brought a proposed federal class action suit, filed on October 9 in the US District Court for the Northern District of California. The suit, “filed by plaintiffs representing all persons who had personal data exposed,” claims that information from Mark Zuckerberg, Elon Musk, and Sergey Brin was included in the leak, Bloomberg Law reported.

“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.

“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.

Preventing Future Data Leaks

Experts’ years of warnings that genetics companies like 23andMe need stricter data security have proven to be true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.

Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.

—Kristin Althea O’Connor

Related Information:

23andMe Blog Post: Addressing Data Security Concerns

23andMe Sued Over Hack of Genetic Data Affecting Thousands

23andMe Notifies Customers of Data Breach into Its ‘DNA Relatives’ Feature

Genetics Firm 23andMe Says User Data Stolen in Credential Stuffing Attack

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Industry Voices—Forget Credit Card Numbers. Medical Records Are the Hottest Items on the Dark Web

Hacker Claims to Have Stolen Genetic Data from Millions Of 23andMe Users and Is Trying to Sell the Information Online

US District Court California Northern District (San Francisco) Civil Docket for Case #: 3:23-Cv-05147-EMC

2018 Trustwave Global Security Report

Ransomware Activity Targeting the Healthcare and Public Health Sector

23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews

Five Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies

The FTC Is Investigating DNA Firms Like 23andme and Ancestry over Privacy

Tech Companies Suggest Ways Location Tracking Could Help Health Authorities Fight the COVID-19 Coronavirus by Identifying People Who May Need Clinical Laboratory Testing

Privacy concerns have one tech giant suggesting alternatives to sharing potentially identifiable location tracking data

Expect an interesting debate on the use of location tracking as a way to manage this and future pandemics. It is a debate that has implications for clinical laboratories. After all, if location tracking identifies individuals who may have been exposed to an infectious disease, will health authorities want those individuals to be immediately tested?

Location tracking has been around for quite some time. Anyone who owns a smartphone knows that digital map and navigation software applications (apps) locate our position and track our movements. That’s how they work. Maps are good. But does collecting and sharing the location tracking data that some Silicon Valley tech giants want to use to help public health officials track disease violate personal privacy laws? Maybe.

Google, Facebook, and other tech companies have been talking to the US federal government about ways to use location tracking data from smartphones and online software applications to combat the spread of SARS-CoV-2, the coronavirus that causes the COVID-19 illness, reported the Washington Post.

The tracking data could be used by public health officials to spot disease outbreaks in populations and predict how they might spread. The data generated by smartphone tracking and reporting apps also could be analyzed to identify individuals who may have been exposed to the coronavirus, and who should get clinical laboratory tests to determine if they need medical intervention.

However, Google is apparently resistant to using its collected location data to track and identify individuals. Instead, Google Health’s Head of Communications and Public Affairs, Johnny Luu, said Google was “exploring ways that aggregated anonymized location information could help in the fight against COVID-19. One example could be helping health authorities determine the impact of social distancing, similar to the way we show popular restaurant times and traffic patterns in Google Maps,” said Luu in a statement. He stressed, though, that any such arrangement “would not involve sharing data about any individual’s location, movement, or contacts,” reported the Washington Post.

Can Privacy be Maintained While Tracking Disease?

Google’s sister company, Verily, launched a screening website in March for people who believe they may have COVID-19. The pilot program is only available to some California residents. Users of the service complete a series of online questions to determine their coronavirus risk and whether or not they should seek medical attention.

To use the service, individuals must log into the site using a Google account and sign a consent authorization form which states data collected may be shared with public health officials, a move that has received criticism.

Jacob Snow, JD, a technology and civil liberties attorney with the American Civil Liberties Union (ACLU) of Northern California, expressed concerns about Verily’s program. “COVID-19 testing is a vital public necessity right now—a core imperative for slowing this disease,” he told CNET. “Access to critical testing should not depend on creating an account and sharing information with what is, essentially, an advertising company.

“This is how privacy invasions have the potential to disproportionately harm the vulnerable,” he continued. “Google should release this tool without those limits, so testing can proceed as quickly as possible.”

Facebook, on the other hand, has had a Disease Prevention Map program in place for about a year. This program provides health organizations around the globe with location information shared by individuals who choose to participate.

“Disease prevention maps have helped organizations respond to health emergencies for nearly a year and we’ve heard from a number of governments that they’re supportive of this work,” said Laura McGorman, Policy Lead, Data for Good at Facebook, in a statement, reported CNET. “In the coronavirus context, researchers and nonprofits can use the maps, which are built with aggregated and anonymized data that people opt in to share, to understand and help combat the spread of the virus.”

Researchers at Carnegie Mellon University worked with Facebook to create the COVID-19 Symptom Map (above), which is based on aggregated data drawn from self-reported symptoms on Facebook. The map, which updates regularly, is viewable by day, counties, hospital referral regions, and COVID-19 symptoms. “This is work that social networks are well-situated to do. By distributing surveys to large numbers of people whose identities we know, we can quickly generate enough signal to correct for biases and ensure sampling is done properly,” wrote Mark Zuckerberg, Facebook founder and CEO, in a Washington Post op-ed about Carnegie Mellon’s results, reported MobiHealthNews. (Graphic copyright: Facebook/Business Insider.)

Privacy Organizations Voice Concerns

Privacy and civil liberties issues regarding the collection and use of smartphone data to curtail the pandemic are of concern to some organizations. There may be legal and ethical implications present when using personal data in this manner.

Al Gidari, JD, Director of Privacy, Center for Internet and Society at Stanford University Law School, says the balance between privacy and pandemic policy is a delicate one, reported the Washington Post. “The problem here is that this is not a law school exam. Technology can save lives, but if the implementation unreasonably threatens privacy, more lives may be at risk,” he said.

In response to public privacy concerns following the Washington Post’s report, representatives for Google and Facebook said the companies have not shared any aggregated and anonymized data with the government regarding contact tracing and COVID-19, reported the Washington Post.

Google reiterated that any related projects are still in their early stages and that they are not sure what their participation level might look like. And, CEO Mark Zuckerberg stated that Facebook “isn’t prepared to turn over people’s location data en masse to any governments for tracking the coronavirus outbreak,” reported CNET.

“I don’t think it would make sense to share people’s data in a way where they didn’t have the opportunity to opt in to do that,” Zuckerberg said.

The potential use of location tracking data, when combined with other information, is one example of how technology can leverage non-medical information and match it with clinical data to watch population trends.

As of April 23, there were 2,637,911 confirmed cases of COVID-19 and 184,235 deaths from the coronavirus worldwide, according to www.worldometers.info/coronavirus. And, cases of coronavirus disease have been reported in 213 countries according to the World Health Organization (WHO).

As testing increases, more cases will be reported, and it is unknown how long the virus will continue to spread. Advocates say location tracking and similar technologies that can be brought to bear to save lives during a disease outbreak may be worth some loss of privacy.

Pathologists and medical laboratory professionals may want to monitor the public debate over the appropriate use of location tracking. After all, at some future point, clinical laboratory test results of individuals might be added to location tracking programs to help public health authorities better monitor where disease outbreaks are occurring and how they are spreading.

—JP Schlingman

Related Information:

U.S. Government, Tech Industry Discussing Ways to Use Smartphone Location Data to Combat Coronavirus

Google, Facebook Could Help US Track Spread of Coronavirus with Phone Location Data

Google, Facebook, and Other Tech Companies Are Reportedly in Talks with the US Government to Use Your Location Data to Stop the Coronavirus—And to See If Social Distancing Is Really Working

Google Wary of Sharing User Location Data in Pandemic Fight

Google, Other Companies Get Your Data If You Use Verily’s Coronavirus Site

Zuckerberg: Facebook Isn’t Giving Governments Data to Track Coronavirus Spread

Coronavirus: Google Says It Hasn’t Shared Location Data in Virus Response

CDC: Coronavirus (COVID-19)

WHO: Coronavirus Disease (COVID-19) Outbreak Situation

Facebook Launches COVID-19 Symptom Maps

Facebook Just Released an Interactive COVID-19 Map That Shows How Many People Are Reporting Symptoms in Your Area

Facebook and Carnegie Mellon University COVID-19 Symptom Map

Facebook Rolls Out Three New COVID-19 Related Health Tracking Maps

Self-Reported Symptoms from Surveys Posted on Facebook, Google Outlets Correlate with Confirmed Tests, According to Carnegie Mellon
