Hacked customer accounts are a bane of modern existence. LivingSocial might have been the latest major hack victim, but by now, most people with any kind of online life know what to do when notified by a vendor, bank, or e-commerce site that “unauthorized access to some customer data” has occurred: reset your passwords, check your bank accounts, monitor your credit report, perhaps freeze your credit or cancel your credit cards.
But what if hackers access your DNA? There’s no resetting that code.
As more individuals jump on the genome sequencing bandwagon (23andMe alone aims for 1 million customers by year’s end), the day of unauthorized DNA access is coming. University of California, Berkeley, computational biologist Steven Brenner writes in today’s issue of Nature: “It seems inevitable that there will be a major leak of genome information in the near future. Individual scientists, institutions and funders should consider now how they will react when this happens.”
Consumers might want to think about it too.
As Brenner notes, DNA sequence data are stored in secure databanks, but often “disseminated to various institutions that have inconsistent security and privacy standards.” Identifying information is stripped from such data, but Whitehead Institute researcher Yaniv Erlich showed earlier this year how elusive anonymity really is. He and colleagues revealed in Science that they were able to use free, public data online to match donors’ names and even home addresses to their anonymized DNA.
In practice, just as your health records are only as private as the HIPAA-respecting staffers in your doctor’s office, Brenner says DNA “data protection often comes down to individual scientists.”
Under the headline “Be prepared for the big genome leak,” Brenner suggests that a breach would be the doing of an “idealistic and technically literate researcher” … “in the name of open science.” But there’s no reason to think hackers with more nefarious goals, or no goals at all, couldn’t beat the idealists to the punch.
To be sure, some propose genomic information is best made public and freely available anyway. The nonprofit Personal Genome Project recruits “volunteers who are willing to share their genome sequence and many types of personal information with the research community and the general public, so that together we will be better able to advance our understanding of genetic and environmental contributions to human traits.” But as the project leaders point out, “the public nature of the PGP means that this study is not suitable for everyone.”
Since guaranteeing the security of genomic data seems as unachievable as preventing theft of social security numbers, Brenner’s larger concern is that “a genome leak might lead to a backlash” that threatens medical progress.
He urges funders to “develop rapid mechanisms for notifying study participants, governments and the media when breaches occur and provide informed guidance about scope and probable consequences for those affected. This would require recontacting research participants to warn those whose data were leaked and, implicitly, to calm others whose data remain secure.”
Sounds a lot like the procedure LivingSocial followed in April to notify 50 million customers that its security had been compromised.