Millions of Americans are using home DNA testing kits to discover their ancestry or uncover their risk of developing certain diseases. Unbeknownst to them, testing companies are selling or giving away the personal genetic information gleaned from these kits.
This information, though theoretically anonymous, can easily be traced back to specific individuals. In the wrong hands, it could be used to discriminate against or even persecute law-abiding citizens. Patients deserve stronger protections to prevent such abuse.
Genetic testing companies bury disclosures about data sharing in their user agreement forms.
Invitae is a particularly egregious offender. The firm’s consent form promises patients that their sensitive genetic information “will NOT be used in FOR PROFIT research.” But the form conveniently fails to mention that Invitae donates the data to the ClinVar public database — where it and other companies can use the information to profit.
Similarly, home testing company 23andMe has made lucrative deals with more than ten pharmaceutical manufacturers. AncestryDNA shares the genetic information of over 1 million patients with biotech firms.
Companies say they strip genetic test results of personally identifiable information before they share it. Indeed, they’re required to do so by the 1996 Health Insurance Portability and Accountability Act. People’s names, addresses, and other identifying details cannot be included in the shared files. Sounds good, but it doesn’t work like that.
The scrubbed files still aren’t anonymous — not by a long shot. With today’s technology, tracing a genetic sample back to a specific patient takes little more than some Google searching. A scientist at MIT recently took five randomly selected genetic samples and identified the donors in just a few hours. He even identified nearly 50 of their family members.
Employers and insurance companies could use this power for nefarious purposes. If an employer knew a job applicant had a health condition that would make him likely to miss work, would the firm extend an offer? In a post-Affordable Care Act world, would insurance companies sell a policy to someone at high risk of cancer?
Federal laws have attempted — and failed — to address such hidden corporate discrimination. Under the Genetic Information Nondiscrimination Act of 2009, employers and health insurance providers are not allowed to discriminate against people based on their genetic information unless it happens to already be part of their electronic medical records.
GINA is riddled with loopholes. It doesn’t cover disability or life insurance, or protect people serving in the military. It also doesn’t apply to small businesses.
Even these feeble protections are under assault. The Preserving Employee Wellness Programs Act, a proposed bill under consideration in Congress, would allow employers to penalize workers and their families who don’t submit to genetic tests. The American Health Care Act would eliminate an ACA provision that restricts insurance companies from denying people coverage because of conditions revealed by genetic tests.
The government could easily abuse genetic information too.
In 2014, Idaho policemen revisited a murder case from 1996, trying to find a match for a DNA sample from the crime scene. Having found no matches in the criminal records, they accessed the public Sorenson Database and found possible familial matches. They didn’t even need to provide a warrant until they narrowed their search down to one suspect. Jails also now collect genetic data from people who are merely accused — not convicted — of crimes.
In this case, the cops thought they had engaged in genetic snooping for a noble purpose. But is it so unrealistic to think the government could use this power in unscrupulous ways?
For a solution, policy makers could look to Europe. The EU’s new General Data Projection Regulation ensures individuals have the right to control personal information and imposes severe penalties on corporations that violate patients’ privacy.
Our genetic code is a treasure trove of identifiable personal information. When testing companies make it readily available to outsiders without patients’ knowledge or meaningful informed consent, they expose them to a host of threats. To prevent rampant corporate discrimination — or truly dystopian government persecution — patients need far stronger protections for their genetic information.
Deborah C. Peel, MD, is founder and president of Patient Privacy Rights, a non-profit human and civil rights organization.