Health privacy laws and potential risks to patients after 23andMe data breach

By Lisa Marie Basile | Fact-checked by Davi Sherman
Published October 23, 2023

Key Takeaways

  • An unknown party hacked into 23andMe and stole millions of data points belonging to a subset of its users.

  • The company also said that the hacker may have been able to access certain accounts of users who used the same password for 23andMe as they did for other sites.

  • Experts say the breach isn’t a HIPAA violation, but other health privacy laws may apply.

Earlier this month, an unknown party hacked into 23andMe, then leaked and offered for sale a subset of its customers’ genetic information, according to an article published by Futurism. HIPAA Journal says the news initially broke when an X user, @DarkWebInformer, posted that the data had been leaked on a dark web forum.

Wired also reports that the hackers originally posted on the platform BreachForums, offering the data, which included “display name, sex, birth year, and some details about genetic ancestry results,” at a price per account. In an October 9 blog post, 23andMe states that the hackers gained access only to certain accounts, specifically those that had opted into the DNA Relatives feature, which lets users find and connect with their genetic relatives.

Ethnic targeting appeared to be at play. Ars Technica reports that the leaked data contained millions of data points from Ashkenazi Jewish 23andMe users, as well as from users of Chinese heritage.

HIPAA Journal states that it “is unclear whether these individuals were specifically targeted. The data being offered for sale could be part of a larger dataset that has been sorted and packaged, with the individuals in each of these data sets having been identified as having genetic traits from these populations.”

However, Futurism reports that the hackers teased that some of the users with Ashkenazi Jewish heritage were “notable public figures.” Earlier this week, TechCrunch reported that “a hacker who goes by Golem” leaked four million genetic profiles belonging to users they claim are the “wealthiest people living in the U.S. and Western Europe.” TechCrunch also noted that a 23andMe spokesperson told the publication that the company is “reviewing the data to determine if it is legitimate.”

How do these hacks happen—and what do they mean?

In its October 9 blog post, 23andMe wrote, “[W]e believe threat actors were able to access certain accounts in instances where users recycled login credentials—that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.” The company also says that it is working with third-party forensic experts and federal law enforcement officials, and that affected customers are being updated on the investigation.
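The mechanism 23andMe describes, usernames and passwords leaked from other sites’ breaches replayed against its own login page, is credential stuffing, and it leaves a recognizable footprint in a service’s authentication logs: one source trying many distinct usernames in a short span, failing most of the time, and occasionally succeeding where a user reused a password. The following is an added example, not 23andMe’s code or anything from the article, that flags that pattern over a constructed sample log. The log format, IP addresses, usernames and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log in a hypothetical format (not a real 23andMe log):
#   <ISO-8601 timestamp> <client IP> <username> <OK|FAIL>
# 203.0.113.7 walks a leaked username/password list: many distinct accounts,
# mostly failures, with the occasional hit where a user reused a password.
# The other two IPs are ordinary users (one mistypes a password once).
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol OK
2023-10-01T10:00:04Z 203.0.113.7 dave FAIL
2023-10-01T10:00:05Z 203.0.113.7 erin FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank OK
2023-10-01T10:00:07Z 203.0.113.7 grace FAIL
2023-10-01T10:01:10Z 198.51.100.20 alice FAIL
2023-10-01T10:01:25Z 198.51.100.20 alice OK
2023-10-01T10:02:00Z 192.0.2.5 bob OK
"""


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any sliding time window, attempt logins to at
    least `min_accounts` distinct usernames with a failure rate of at least
    `min_fail_ratio`. A single user mistyping a password never trips this (one
    username); a stuffing run does (many usernames, mostly wrong guesses).

    Returns {ip: {"accounts": n, "attempts": a, "failures": f, "succeeded": [users]}}.
    "succeeded" lists accounts that authenticated from a flagged IP; those are the
    ones to treat as compromised (revoke sessions, force a password reset).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {e[2] for e in win}
            failures = sum(1 for e in win if e[3] == "FAIL")
            if len(distinct) >= min_accounts and failures / len(win) >= min_fail_ratio:
                # Summarize over everything this IP did, not just the first bad window.
                flagged[ip] = {
                    "accounts": len({e[2] for e in evs}),
                    "attempts": len(evs),
                    "failures": sum(1 for e in evs if e[3] == "FAIL"),
                    "succeeded": sorted({e[2] for e in evs if e[3] == "OK"}),
                }
                break  # one qualifying window is enough to flag this IP
    return flagged


def analyze(text=SAMPLE_LOG):
    """Run the detector over a log in the constructed format."""
    return detect_credential_stuffing(parse_log(text))


if __name__ == "__main__":
    for ip, summary in analyze().items():
        print(f"{ip}: {summary}")
```

On the sample above only 203.0.113.7 is flagged, with carol and frank as the accounts to lock down. In practice attackers spread a stuffing run across proxy pools so that no single IP crosses a per-source threshold, so the same ratio logic is usually also applied per user-agent, per autonomous system, and to the site as a whole, where a sudden jump in the overall login failure rate is the tell.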

Brett Callow, a threat analyst at security firm Emsisoft, told Wired, “When data is shared relating to ethnic, national, political or other groups, sometimes it's because those groups have been specifically targeted, but sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines.” “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public,” Callow added.

The stolen data could also be resold, Joseph Harisson, CEO of IT Companies Network, tells MDLinx. “There is also a possibility that the attacker might sell patients' health data to third-party entities. These entities could include insurance companies, pharmaceutical firms, or any organization interested in utilizing information,” he says.

But is it a violation of the Health Insurance Portability and Accountability Act (HIPAA)? Not exactly.

“While the information obtained from users’ accounts would be classed as protected health information (PHI) if it was collected by a HIPAA-covered entity, companies that offer direct-to-consumer genetic testing services are generally not HIPAA-covered entities and are therefore not subject to the HIPAA Rules,” writes HIPAA Journal.

23andMe is not alone. HIPAA “does not apply to consumer curation of health data or any associated protections related to privacy, security, or minimizing access,” according to the Hastings Center, a bioethics research institute based in Philipstown, NY. Because 23andMe and similar services, such as Ancestry.com, are not healthcare providers, they aren’t covered by HIPAA.

The issue isn’t so cut-and-dried, however, says Jodi Daniels, IANS Research Faculty Member and Founder and CEO of Red Clover Advisors, a data privacy consultancy. “23andMe are covered, however, by newer state privacy laws—like in California, Colorado, Connecticut, and more—that treat health-related data as sensitive data,” Daniels says.

In fact, 23andMe itself states that it is subject to several state data-protection laws, including the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), the Connecticut Data Privacy Act (CTDPA), and the Virginia Consumer Data Protection Act (VCDPA).

“The newest health privacy law is in Washington State, and is called the My Health My Data Act. This type of data would be covered in those laws. Many people don’t know this kind of data is not protected…[but] these laws have a category called sensitive data and sensitive data includes health information,” Daniels adds.

According to the Washington State Office of the Attorney General, the My Health My Data Act is “the first privacy-focused law in the country to protect personal health data that falls outside the ambit of [HIPAA]. The Act was developed to protect a consumer’s sensitive health data from being collected and shared without that consumer’s consent.” Under Section 9 of the act, it is unlawful for any entity to sell or offer to sell a consumer’s health data without first obtaining their explicit permission.

Daniels also cites CTDPA as an example of other similar laws, saying that it defines sensitive data as any personal data that reveals a consumer’s racial or ethnic background, their religious beliefs, health or diagnoses, the processing of genetic data, and other elements.

“If you are a customer of 23andMe, it is crucial to take measures to protect your data. This includes changing your password and enabling two-factor authentication for added security,” Harisson suggests. “Additionally, it would be wise to monitor your accounts for any [abnormal] activities.” HIPAA Journal also notes that data breaches like these often trigger class action lawsuits.
