Privacy Risks of Genetic Testing Kits

Updated: Mar 11, 2019

In light of the growing popularity of direct-to-consumer (DTC) genetic test kits—such as 23andMe, Ancestry, and MyHeritage—the public is advised to read each company’s privacy policy and consent form closely before submitting a sample if they wish to protect their genetic information.



Previously conducted only by healthcare providers, DTC genetic testing has grown in the last decade along with consumer interest in acquiring information about their DNA for ancestry mapping and to determine their risk of various diseases and disorders. In 2017, major DTC genetic testing companies acquired genetic information on nearly 5 million individuals through DNA samples.

  • In October 2017, a security breach exposed the email addresses and hashed passwords of more than 92 million MyHeritage users; the company did not discover the breach until June 2018. Roughly 1.4 million of those users had submitted DNA for genetic testing. MyHeritage reported that DNA data were stored on separate systems and were not exposed. In a separate incident, a file dating from November 2015 and discovered in December 2017 contained usernames, email addresses, and passwords for users of RootsWeb, an Ancestry-owned genealogy community site; about 55,000 of those credentials were also in use on Ancestry.com accounts. Neither breach is known to have exposed genetic data, but both show that a genetic testing account is only as safe as the password protecting it.

  • Once a genetic testing company has an individual’s data, it may share or sell that information to third parties for research, marketing, and drug development, subject to the terms of its privacy policy and the consent the customer gave. Moreover, raw DNA files that users voluntarily upload to open genealogy databases such as GEDmatch can be searched by law enforcement, as was the case in April 2018 when investigators in California uploaded a profile built from crime scene DNA, matched it to relatives of the suspect, and identified the Golden State Killer.

  • The Genetic Information Nondiscrimination Act (GINA)—the primary federal law addressing genetic discrimination—protects Americans from genetic discrimination by employers or health insurance companies. GINA does not apply to life, disability, or long-term care insurance, however. Results from DTC genetic testing are generally not covered by the Health Insurance Portability and Accountability Act (HIPAA), which protects medical data held by healthcare providers and health plans but not by consumer companies that are outside the healthcare system. To find more information regarding your state’s laws, visit the National Human Genome Research Institute.

Privacy Policy Safety

Reading the privacy policy before you submit a sample is the main way to learn how your genetic information will be used, shared, and retained, and whether it could fall into the wrong hands. Below are the privacy policy settings and warning signs to consider if you plan to use a DNA testing service, according to the Federal Trade Commission.

Warning signs of possible privacy violations:

  • Information about your profile is available to others online or is used to populate other public databases

  • Websites that allow users to send personal messages to one another

  • Information that is shared with law enforcement or regulatory authorities without consumer knowledge or explicit approval

  • No option available to delete your account and associated data

Recommended privacy settings:

  • Only use services that allow you to opt out of data sharing activity

  • Enable two-factor authentication for your account, if available

  • Select the most restrictive security and sharing options initially, and adjust them only after you become more familiar with how the site operates

  • Before submitting DNA for testing, be sure to understand how the company plans to use, share, retain, and protect your data, and whether you can have the sample and results destroyed on request


The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.