Navigating the fallout: 23andMe’s data breach and the ethics of consumer genetic testing


By reading the information encoded in our DNA, genetic testing has become a powerful tool, offering valuable insights about our health, ancestry, and fertility. It unveils not only our physical characteristics but also tells a unique biological story, shedding light on our potential health and life outcomes. Although our understanding of the human genome is still incomplete and continues to grow, millions of people have turned to genetic testing for a glimpse of the distinct factors that make us who we are.

However, as the allure of unravelling the complexities behind the genetic code rises, so do the ethical implications, specifically when it comes to protecting some of our most valuable personal information. The tension between protecting individuals’ privacy and making genetic testing increasingly available took centre stage during a major data breach at 23andMe, a renowned American genetic testing and biotechnology company.

In October 2023, 23andMe disclosed a significant data breach. Rather than exploiting a flaw in 23andMe’s own systems, the attackers used a technique known as credential stuffing: they logged in with username and password pairs that had leaked from other services and that 23andMe customers had reused. Through this method, the hackers gained access to about 14,000 accounts, roughly 0.1% of 23andMe’s user base. Because each compromised account could view information about its genetic matches, the breach further exposed data on about 5.5 million customers who had opted into the DNA Relatives feature to connect with genetically similar individuals, and on a further 1.4 million customers whose Family Tree information was visible. In total, approximately 6.9 million people, almost half of 23andMe’s customers, were affected by the data breach.

In many cases, the hackers obtained users’ names, relationship labels, birth years, self-reported locations, family trees, and other profile information. They soon began selling the data at between $1 and $10 per account, and subsequently released the information of 4 million 23andMe customers publicly.

In response to the breach, 23andMe implemented reactive measures to protect its users. It required all customers to reset their passwords, so that every account received new credentials and the leaked username and password pairs could no longer be replayed in a further credential stuffing attack. It also made two-factor authentication (2FA) mandatory for its customers, so that a correct password alone is no longer sufficient to log in. Notably, other consumer genetic services such as MyHeritage and Ancestry adopted similar policies.
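The two ideas in the paragraphs above, detecting credential stuffing in login traffic and refusing to treat a reused password as proof of identity, can be shown concretely. The following is an added example written for this page, not 23andMe’s code or any description of its systems. The log format, the detection thresholds, the breached-password list and the account data are all constructed for illustration; the breached-password check mirrors the hash-prefix (k-anonymity) lookup pattern used by public breach-corpus services, but here it runs entirely against a local set.

```python
"""Added example: (1) flag source IPs whose login pattern looks like credential
stuffing, (2) a hardened login decision that rejects known-breached passwords
and requires a second factor. All data and thresholds below are constructed."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginAttempt:
    ts: datetime
    src_ip: str
    username: str
    success: bool


# Constructed sample log lines (assumed format): "<iso timestamp> <ip> <username> <OK|FAIL>"
# 203.0.113.7 walks a leaked credential list: many accounts, mostly failures.
# 198.51.100.4 is one user who mistyped once, then logged in.
SAMPLE_LOG = """\
2023-10-01T02:00:00 203.0.113.7 alice FAIL
2023-10-01T02:00:01 203.0.113.7 bob FAIL
2023-10-01T02:00:02 203.0.113.7 carol OK
2023-10-01T02:00:03 203.0.113.7 dave FAIL
2023-10-01T02:00:04 203.0.113.7 erin FAIL
2023-10-01T02:00:05 203.0.113.7 frank OK
2023-10-01T02:00:06 203.0.113.7 grace FAIL
2023-10-01T02:00:07 203.0.113.7 heidi FAIL
2023-10-01T09:15:00 198.51.100.4 alice FAIL
2023-10-01T09:15:20 198.51.100.4 alice OK
"""


def parse_log(text):
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(LoginAttempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return attempts


def detect_credential_stuffing(attempts, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames in a short window with a
    low success rate. A user retrying a forgotten password hits one account; a
    stuffing tool replays leaked pairs across many accounts and only the reused
    ones succeed. Returns {ip: {"distinct_users", "attempts", "compromised"}},
    keeping the widest qualifying window seen for each IP."""
    by_ip = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        by_ip[a.src_ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window:   # slide window start forward
                start += 1
            win = rows[start:end + 1]
            users = {r.username for r in win}
            if len(users) < min_distinct_users:
                continue
            if sum(r.success for r in win) / len(win) > max_success_ratio:
                continue
            candidate = {
                "distinct_users": len(users),
                "attempts": len(win),
                # accounts that actually opened: these need forced resets / revocation
                "compromised": sorted(r.username for r in win if r.success),
            }
            if ip not in flagged or candidate["attempts"] > flagged[ip]["attempts"]:
                flagged[ip] = candidate
    return flagged


def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest().upper()


# Constructed stand-in for a breach corpus, held as SHA-1 hashes (assumption).
BREACHED_PASSWORD_HASHES = {sha1_hex(p) for p in ("Password123", "qwerty2019", "letmein!")}


def range_lookup(prefix5):
    """Simulates a k-anonymity range query: the caller sends only the first five
    hex characters of the hash and receives every matching suffix, so the
    lookup service never learns the full hash of the candidate password."""
    return {h[5:] for h in BREACHED_PASSWORD_HASHES if h.startswith(prefix5)}


def password_is_breached(password):
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def authenticate(stored_password, password, otp_ok):
    """Hardened login decision: a correct password alone is never enough.
    Returns "ok", "bad_password", "breached_password" or "mfa_required".
    Simplification: a real system compares a slow password hash, not plaintext."""
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return "bad_password"
    if password_is_breached(password):
        return "breached_password"   # force a reset even though the password matched
    if not otp_ok:
        return "mfa_required"
    return "ok"


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_log(SAMPLE_LOG)))
    print(authenticate("Password123", "Password123", True))
```

The detector deliberately keys on distinct usernames per source rather than failures per account, because a stuffing run spreads a handful of attempts across thousands of accounts and never trips a per-account lockout. In the constructed log it flags only 203.0.113.7 and lists carol and frank as the accounts that opened, which is exactly the set that needs a forced reset and session revocation, while the legitimate retry from 198.51.100.4 is left alone.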


The major privacy breach experienced by 23andMe shed light on how lucrative genetic data is for hackers, particularly given our society’s widespread interest in DNA and genetic code. Police agencies, for instance, may seek out genetic databases to track down criminals; researchers may use genetic information to further medical knowledge; and insurance companies may use it to assess an individual’s health risks and set insurance premiums.

In the 23andMe breach, the hackers exposed the interpreted genetic information of millions of consumers, which is some of the most practically useful data stored on genetic testing sites for both hackers and their clients. In contrast to interpreted information, the raw genetic code is a sequence of four nucleotides (A, G, C, T) and requires genetic literacy to comprehend. Consequently, interpreted genetic information, which includes someone’s health predispositions, ancestry, and fertility, is far more significant when made publicly available.

The release of genetic data from 23andMe has substantial implications now that it is in the public domain. The information may enable genetic discrimination in places without relevant legislation, leading to increased insurance costs for people genetically predisposed to diseases, or even mortgage denials for those deemed unlikely to settle their debt before they die. While law enforcement agencies and most companies are unlikely to seek out breached information intentionally, the origin of data available on the internet is often unclear. Ultimately, assuming that information resulting from a hack will remain untouched is unrealistic, which adds a further layer of uncertainty to the use of exposed genetic data.

In conventional data breaches involving financial and personal information, an individual can change their credentials or card numbers to reduce the risk associated with the breach; genetic information, however, is unalterable. This unchanging nature intensifies privacy concerns, especially given that genetic information can be shared involuntarily. For example, if someone’s relative uses 23andMe, that person becomes genetically discoverable even though they never took a test, simply because they are related. In the case of identical twins, the genetic data of one individual directly reveals the other’s. In short, the immutable and indirect nature of genetic information compounds the challenges of protecting personal information.

In addition to the importance of protecting consumers’ genetic data, there are other ethically relevant considerations associated with consumer-led genetic testing. One of these is the limited accuracy of test results. Genetic health reports are prone to false positives and are often unregulated. Moreover, these tests compare a person’s genotype to a limited number of genetic variants, and most diseases are influenced not only by genetic factors but also by environmental ones. As a result, genetic testing does not necessarily provide a conclusive answer about whether a customer will develop a given disease. This uncertainty may lead some consumers to experience unanticipated confusion or distress, particularly if their report indicates that they may develop a disease with no known cure and no genetic counsellor is readily available, as is typical when the test is taken at the consumer level. Although access to one’s genetic information may be desired and empowering for some individuals, the potential uncertainty and undesired consequences should be weighed during one’s decision-making process.

To address many of the ethically relevant challenges associated with consumer genetic testing, genetic testing companies must embrace a stronger ethical obligation to protect their customers and prioritize data security. This commitment should extend beyond the minimal legal requirements. Companies ought to be transparent about their data sampling, usage, and storage practices, take proactive steps to reduce the risk of breaches, and implement rigorous encryption and access controls. Encryption at rest alone would not have prevented the 23andMe breach, since the attackers logged in with valid credentials; controls such as mandatory multi-factor authentication, checks against known-breached passwords, and limits on how much information a single account can view about other customers matter just as much. Additionally, stronger consumer genetic testing regulations would help to ensure that consumer genetic information receives the same level of protection as other personal health information. Such steps will improve not only the security of genetic information but also the trust between consumers and genetic testing companies.

By Keithan Vigna

Keithan Vigna is currently completing his BHSc in Honours Biochemistry at McMaster University. Keithan has a particular interest in biomedical ethics, with a specific focus on the responsible utilisation of sensitive health information, data privacy, and the ethical considerations surrounding artificial intelligence in healthcare. The author would like to acknowledge Andria Bianchi for her editorial support.