DNA Database Risks to Privacy and Safety

It was only a matter of time. The recent announcement that GlaxoSmithKline bought a $300 million dollar stake in the leading genomics company 23andMe and now has exclusive rights to 23andMe’s DNA data for drug testing research should come as no surprise to those of you who have been watching the intersection of technology companies and genomics. DNA, the ultimate identifying personal information, is now a commodity like the rest of your data. It’s official: nothing is sacred.

Over five million people have spat in a test tube, paid a fee, and sent their samples to 23andMe for analysis; about 80% have consented via an online consent form to allow their data to be used for research purposes. Now that big business has become involved, and those customers realize that the DNA that they paid out of pocket to have analyzed has been sold to and is now essentially the property of a pharmaceutical giant to be used for monetary gain, many are outraged.

Granted, the data was supposedly de-identified and aggregate in nature, and 23andMe had been sharing it with at least 6 other drug companies in the past few years, but still. The customers who checked the “share my data for research” box thought they were doing something heroic and altruistic, and perhaps they have; in any event GlaxoSmithKline would wholeheartedly agree as part of their PR strategy. The awful feeling remains though if you are one of these trusting customers: you now know you’ve actually paid to have a drug maker get rich off your saliva. You’ve been duped. You’ve been had.

I haven’t seen it mentioned yet in the press, but this brings to mind the infamous case of Henrietta Lacks, an African-American patient who did not consent to and was unaware that an immortal cell line (HeLa) had been cultured from her tumor biopsy in 1951 at Johns Hopkins (with further samples taken at her autopsy). Furthermore, this immortal cell line was used not only for research (Jonas Salk used it to develop his polio vaccine) but also for commercial purposes to generate profit. The Lacks family was never compensated. Worse still, the HeLa genome—and hence their personal genetic data– was made public without their consent. The extreme violation of privacy to which the Lacks family was subject over the decades is singular, but may be singular no more.

In an era where profit is king, what’s to stop parties from buying your actual DNA sample and replicating it—or you, one day?

You can withdraw your consent to share DNA data, but it takes 30 days to take effect, and any data that’s been shared already can’t be taken back from the companies who now have it. You cannot have your data scrubbed from the books; by federal law, clinical labs are required to keep data on file for 10 years. You’re stuck.

And perhaps you’re ok with this; let the pharma companies get rich, if it means that treatments for diseases comes from the research. After all, if not for the unknowing and unwilling contribution of Henrietta Lacks, polio might not have been conquered. But wait. When there is that much money at stake, how can you trust these companies to act ethically and honorably?

According to a recent Wired article, 23andMe acknowledges that a DNA database is not enough, and phenotypic data is crucially needed to correlate with the DNA information. To this end, they send customers endless questionnaires and happily capitalize on the average Joe’s willingness to talk about himself or herself. Did I say Joe? I meant Patsy.

Once you supplement your DNA information with voluntarily donated phenotypic data about your height, weight, allergies, preferences and medical conditions, you have basically voluntarily assisted 23and Me to circumvent HIPAA with your own two hands. What’s so dangerous about this? Your previously “de-identified” data is now potentially identifiable. You can be “doxxed,” or identified as you, down to your address and social security number. How?

A recent CNBC article revealed that Facebook was recently in talks with several major hospitals and medical groups about a proposal to share data about the social networks of patients and include data about medical conditions and prescriptions. This would then presumably be cross-referenced against every profile on Facebook (are you regretting that post about your gall bladder surgery yet?) and it would be easy to identify individuals.

“The idea was to build profiles of people that included their medical conditions, information that health systems have, as well as social and economic factors gleaned from Facebook. Facebook said the project is on hiatus so it can focus on “other important work, including doing a better job of protecting people’s data.” (Christina Farr, Wired).

In other words, before it was exposed, Facebook was hoping to circumvent HIPAA and doxx you—and share the information for financial gain, presumably with anyone willing to pay for it. This could include not only pharmaceutical companies but health, life and disability insurance companies which would raise your rates or deny you coverage outright accordingly. Even more concerning—the data could be sold to clearinghouses who could in turn sell to persons with criminal intent like identity theft or worse.

Ironically, it is the government that is interested in our privacy at this point and free enterprise that builds its empire contingent on our willing surrender of that privacy. HIPAA still protects us to some degree (see my previous article on state health care data clearinghouses for an eye-opener). At this point, the government only takes DNA samples from criminals. Police departments are now solving cold-cases using data from 23andMe to identify relatives via perpetrators’ DNA samples and thus identify the perpetrators. This is wonderful, but the logical next step would be to require that everyone provide not only a fingerprint but a DNA sample for a national database when filing for a Social Security card or at the next routine blood draw in the name of preventing fraud and crime? This has not come to pass—yet—it would be hard to pass such an invasive law or enact a regulation when there is an argument to be made about unreasonable search and seizure. But perhaps we need a different kind of law.! Europeans have already seen the harm in databases which can be used or cross-referenced to identify individuals. The General Data Protection Regulation took effect on May 25, 2018 and institutes high fines for failure to ask permission from consumers to collect any sort of data, disclose promptly what data will be used for and report data breaches expediently. This applies to US companies doing business in the EU as well. The history of strict data protection regulations in Europe stems from the most horrible data abuses—those of Nazi Germany which systematically collected and used personal data (such as synagogue rosters, etc) to execute a genocide of Jews and Gypsies and the wholesale slaughter of millions of others.

A national database is inadvertently being formed by for-profit entities via data donated by trusting people who may realize too late what they are giving up in terms of privacy and safety. At this point, I can only say: beware of vampires. Vampires can only enter your home if you invite them in; they can only bite you if you allow yourself to be hypnotized and offer them your neck. And like vampires, for-profit enterprises find your blood—and your saliva—essential for their survival.