In light of the growing popularity of direct-to-consumer (DTC) genetic test kits—such as 23andMe, Ancestry, and MyHeritage—the public is advised to closely read the company’s privacy policies and consent forms if they wish to protect their genetic information.
Previously conducted only by healthcare providers, DTC genetic testing has grown in the last decade along with consumer interest in acquiring information about their DNA for ancestry mapping and to determine their risk of various diseases and disorders. In 2017, major DTC genetic testing companies acquired genetic information on nearly 5 million individuals through DNA samples.
In October 2017, the account details of more than 92 million users of MyHeritage were exposed as a result of a security breach—1.4 million users had submitted DNA for genetic health testing. In November 2015, a breach of Ancestry.com exposed 55,000 passwords, email addresses, and usernames used to access the genealogy site.
Once a genetic testing company has an individual’s data, it can sell that information to third parties for research, marketing, and drug development. Moreover, DNA information shared via open-source websites such as GEDmatch can be accessed by law enforcement as was the case in 2018 when investigators in California used genetic data available online and matched it with crime scene DNA to identify the Golden State Killer.
The Genetic Information Nondiscrimination Act (GINA)—the only federal law that applies to DTC genetic testing—protects Americans from genetic discrimination by employers or health insurance companies. GINA does not apply to life or disability insurance, however. Results from DTC genetic testing are not covered under the Health Insurance Portability and Accountability Act (HIPAA), which provides privacy protection for other medical data. To find more information regarding your state’s laws, visit the National Human Genome Research Institute.
Warning signs of possible privacy violations:
Information about your profile is available to others online or is used to populate other public databases
Websites that allow users to send personal messages to one another
Information that is shared with law enforcement or regulatory authorities without consumer knowledge or explicit approval
No option available to delete your account and associated data
Recommended privacy settings:
Only use services that allow you to opt out of data sharing activity
Enable two-factor authentication for your account, if available
Select the most restrictive security options initially, and make adjustments only after you become more familiar with how the site operates
Before submitting DNA for testing, be sure to understand how the company plans to use and protect your data