The recent cyberattack on the MyHeritage DNA and genealogy testing company compromised about 92 million user accounts, which makes this breach one of the largest known data breaches in the world. MyHeritage, based in Israel, has maintained that no genetic data was stolen during the cyberattack. Given the accelerating velocity of these cyberattacks and their overall success, we are seeing a rapidly increasing risk to the security of DNA data.
In 1999, the first human genome was sequenced at a cost of approximately $300 million. At the time, that was an amazing feat. The cost of this DNA sequencing then dropped to less than $14 million in 2006, and by 2015, less than $1,500. Today, there is a race to push the cost to sequence DNA at less than $100. All of this has fueled an explosion in genetic analysis and testing.
As a result, there are over 50 DNA testing companies that can be identified worldwide, and the list is growing almost every month. One industry analyst, Kalorama Information, estimates that the consumer market for genetic testing could grow from approximately $99 million in 2017 to approximately $310 million in 2022. Do the math and you will find that perhaps half a billion to three-quarters of a billion or more of the world’s population will have their DNA mapped over the next few years.
This DNA data is incredibly valuable and incredibly personal. Our DNA encoding is the most private data that we will ever possess and the ultimate definition of who we are.
More than a fingerprint or a retinal scan, let alone a password or cell phone number, this data defines who you are at the most intimate and complete level. The potential scale of the misuse of this data is without measure. We worry about protecting data like credit cards, social security numbers, passwords, and more, but these don’t compare with the potential future value of your DNA encoding, let alone the harm it could do in the wrong hands.
Initially, this DNA testing market gathered momentum around consumers who wanted to learn more about their family heritage. DNA testing could shed some light on your ancestry and traits. This rapidly evolved into a wave of people who are much more interested in benefiting from the healthcare implications of this data.
Companies like 23andME offer FDA-approved DNA services that can identify genetic health risks. For example, 23andME tests can provide information about BRCA1, the human tumor suppressor gene. If you have a positive test result which shows a mutation in the breast cancer genes (BRCA1, BRCA2), you might be at higher risk of developing breast or ovarian cancer compared to the population that doesn’t have the mutated gene, though it is not guaranteed that you will develop cancer. There are also tests for celiac disease, Alzheimer’s disease, Parkinson’s disease, thrombophilia, G6PD anemia, and more.
Can you imagine the interest in your genetic data to the less scrupulous health insurance companies worldwide? Would they deny you insurance?
How much money would they save if they knew you had a gene which indicated that you had a higher probability of developing a debilitating disease later in life? How much more profitable would they be? How many insurance companies in your country are owned by foreign nationals?
History tells us to hope for the best but to plan for the worse. These entities are not to be trusted with your DNA data.
Consider also that this information, like other stolen data, would likely be up for sale on the Dark Web, where almost anyone could acquire it. The unscrupulous insurance company may be the least of your worries. Once stolen, who else could acquire it and what would they do with it?
Consider the future shock of a world where this DNA information could be used to craft weapons that could specifically target you, and others like you, directly. Imagine how this could be used to craft viruses and other forms of attack based upon unlocking your genetic code.
Already biologics companies are creating drugs that target very specific cancer mutations. These drugs were designed to target these cells genetically. Individual people or groups of people could also be targeted in this way.
What rights do you have in all of this? What protection of your DNA data should you expect? In the U.S., the Health Insurance Portability and Accountability Act (HIPAA) normally protects your personal health information (PII) data. Unfortunately, the HIPAA regulation has a loophole in it so large that the DNA testing companies “can drive a bus through it.”
Patient data can be shared if, and only if, it has been anonymized. This means that identifying characteristics have been scrubbed from the data. This 1996 regulation did not anticipate the advent of genetic testing and was not written to protect against the release of genetic data specifically. Many of the genetic testing companies have already sold this data, claiming that it has been sufficiently anonymized. The devil is in the details around anonymization and exactly how it was implemented.
The biggest fallacy in all of this is the belief that anonymized DNA data is adequately protected. Several scientists have been able to deduce the identity of people behind anonymous samples of DNA found in public research and university databases.
The privacy protections offered by HIPAA seem insufficient and easily overcome when it comes to protecting DNA data.
The convergence of data privacy, cybersecurity, and genetic data seem destined for future conflict. Certainly, there needs to be additional legislation specifically pertaining to protecting human DNA data and appropriate uses. The 1996 HIPAA regulation likely needs a specific amendment to address and protect this incredibly valuable data, recognizing that this data should not be released, under any circumstances or conditions.
Further, as the MyHeritage attack has shown us, we need to aggressively protect this information in any form using hardened cyber defense technology like encryption. Legislation, regulation, and the most careful cyber hygiene need to be applied in liberal doses and on the fastest timeline possible.
About Pravin Kothari
Pravin Kothari founded CipherCloud in 2010 when he recognized that while the cloud was disrupting enterprise IT with explosive growth, security technologies had not kept pace and enterprises were losing control over their sensitive data. Kothari is a security visionary with more than 20 years of experience building industry-leading companies and bringing innovative products to market.