Could Genetic Testing Companies Violate Your Privacy?
DNA collection kit for at-home genetic testing.
Credit: Sarah Weldon/Shutterstock.com

Democratic Sen. Chuck Schumer is calling on the Federal Trade Commission to investigate the privacy policies of at-home DNA testing companies.

These companies, which include 23andMe, AncestryDNA and MyHeritageDNA, promise consumers the opportunity to find out more about their ancestry and genetic health risks with a simple cheek swab and mail-in kit. However, the security and privacy of the resulting gene sequences is not always clear, and there are few laws regulating companies' behavior, say medical ethics experts, who praised Schumer's efforts.

Genetic testing firms sell the results of their tests to pharmacological companies and third-party laboratories, said Peter Pitts, the president of the Center for Medicine in the Public Interest. The data is stripped of names or other identifying information, but truly anonymizing DNA is a herculean task — researchers have found that comparing anonymous DNA databases with public records could reveal the names and addresses of the people behind the gene sequences, Pitts said.

Some of this information sharing can have benefits, Pitts told Live Science, such as the development of personalized medicine. But with few safeguards, the pitfalls are looming.

"It all leads to good places for a patient if it's used appropriately, but when there's opportunity for misuse or for monetary gain, criminals are very fast on the uptake," he said. [Understanding the 10 Most Destructive Human Behaviors]

At-home genetic testing companies have varying privacy policies. Typically, these policies require consent by customers to share personally identifiable data, but often allow the sale or sharing of anonymized DNA information, which has been stripped of names or other identifying information, or aggregate DNA information, which includes statistics like the percent of an ethnic group tested that has a particular disease risk.

Both types of information-sharing can be fraught, said Art Caplan, a bioethicist at the New York University School of Medicine.

Anonymized DNA is not necessarily so anonymous, given that genes are, in essence, the most identifying information of all. A 2013 study published in the journal Science used two public genealogy databases and found that researchers could correctly uncover people's surnames from their genetic data alone between 12 and 18 percent of the time. If the researchers knew the customer's surname as well as their year of birth and state of residency, they could comb the databases and narrow down the possible number of genetic profiles that might be theirs to as few as a dozen.

Revealing one target's identity in these genealogical databases also pinpointed their genetic relatives, another problem with genetic data: Your gene sequences are not yours alone. Exposure of one person's genetic information could potentially expose information about shared familial risks, Caplan said. [7 Diseases You Can Learn About from a Genetic Test

"It could also start to impact your ethnic group," he told Live Science.

Genetic testing companies have very small databases of ethnic groups who are present in small numbers in the United States, Caplan said. The accuracy of the tests for these groups, which include Korean-Americans, Vietnamese-Americans and Filipino-Americans, among others, may be skewed, Caplan said. Meanwhile, if one group is tested in detail, it may make it look like their risk for a particular disease is high, simply because the data exists for that ethnicity and not for others. This is the case for Ashkenazi Jewish women, Caplan said, who have been shown to be at the greatest risk for two types of breast cancer genes known as BRCA 1 and BRCA 2. But that's partly because Ashkenazi DNA has been investigated in detail, thanks to their unique ancestry, he said. It's possible other ethnic groups have a higher risk and simply haven't been tested in detail, Caplan said. In that sense, aggregate data collected by companies like 23andMe has the potential to mislead and even create a sort of "genetic stereotype," Caplan said. 

While some of these issues are inherent in the complexities of genetic testing, others arise simply because there are not many rules constraining how at-home genetics testing companies work. Companies generally promise to keep data secure in their privacy statements, but when they sell information to third parties, Pitts said, there is no way for consumers to know who those third parties are or what their level of security might be. Similarly, Caplan said, if a company itself is sold, its privacy policies can be completely revamped.

"There's no binding thing that says when I send my DNA to 23andMe or agreed to give it to Columbia Medical School, well, forever it's anonymized," he said.

The consequences of genetic information getting into the wrong hands could be dire, both Caplan and Pitts said. There is a law, the Genetic Information Nondiscrimination Act of 2008 (GINA), that aims to prevent insurance companies from denying coverage to healthy people based on genetic predispositions and to prevent employers from using genetic information to make decisions about hiring, firing or promotions.

However, there are loopholes in GINA, Caplan said. It doesn't apply to companies with fewer than 15 employees, or to schools. Nor does it apply to life or disability insurance. A recent bill introduced in the U.S. House of Representatives, House Bill 1313, would reverse some of GINA's protections in the workplace by allowing workplace wellness programs to restrict rewards to employees who refused to provide genetic data.  

"If we don't like racial profiling in the airport, we're going to hate genetic profiling in the workplace," Pitts said.

Specific rules that could help, Pitts said, include stiff penalties, even jail time, for the hacking or theft of genetic information. Stiff penalties should also be enacted for anyone who tries to submit a DNA test without the person's consent, Caplan said. Meanwhile, the conditions consumers agree to when giving up their data should be guaranteed in perpetuity, even if the data or company changes hands, he said.

Genetic information isn't going anywhere, Pitts said, so it's time for the law to catch up with the technology. "It simply means thoughtful regulation and thoughtful consumer education," he said.

Original article on Live Science