Some 6.9 million 23andMe clients had their knowledge compromised after an nameless hacker accessed user profiles and posted them on the market on the web earlier this yr, the corporate stated on Monday.
The compromised knowledge included customers’ ancestry data in addition to, for some customers, health-related information primarily based on their genetic profiles, the corporate stated in an e-mail.
Privateness advocates have lengthy warned that sharing DNA with testing firms like 23andMe and Ancestry makes customers susceptible to the publicity of delicate genetic data that may reveal well being dangers of people and those that are associated to them.
Learn Extra: DNA Testing Kits Are on Everyone’s Holiday List. 5 Things to Know If You Get One
Within the case of the 23andMe breach, the hacker solely instantly accessed about 14,000 of 23andMe’s 14 million clients, or 0.1%. However on 23andMe, many customers select to share data with individuals they’re genetically associated to — which might embrace distant cousins they’ve by no means met, along with direct relations — with a purpose to be taught extra about their very own genetics and construct out their household bushes. So by way of these 14,000 accounts, the hacker was capable of entry details about tens of millions extra. A a lot smaller subset of consumers had well being knowledge accessed.
Customers can select whether or not to share totally different varieties of information, together with title, location, ancestry and well being data corresponding to genetic predisposition to circumstances corresponding to bronchial asthma, anxiousness, high-blood stress and macular degeneration.
The publicity of such data may have regarding ramifications. Within the U.S., well being data is often protected by what’s often called the Well being Insurance coverage Portability and Accountability Act, or HIPAA. However such protections solely apply to health-care suppliers.
The 2008 Genetic Data Nondiscrimination Act (GINA), protects towards discrimination in employment and medical insurance ought to data from a DNA take a look at make it out into the wild. This goals to guard people from being denied a job or insurance coverage protection if, for instance, a DNA take a look at reveals they’re vulnerable to ultimately creating a debilitating situation.
However the regulation has loopholes; each life insurers and incapacity insurers, for instance, are free to disclaim individuals insurance policies primarily based on their genetic data.
There have been different high-profile hacks of DNA testing firms. However 23andMe is the primary breach of a significant firm by which the publicity of well being data was publicly disclosed. (The Federal Commerce Fee just lately ordered a smaller agency, Vitagene, to strengthen protections after well being data was exposed.)
The hacker appeared to make use of what’s often called credential stuffing to entry buyer accounts, logging into particular person 23andMe accounts by utilizing passwords that had been recycled and used for different web sites that had been beforehand hacked. The corporate stated there was no proof of a breach inside its personal methods.
Because the hack, the corporate announced that it’ll require two-factor authentication with a purpose to shield towards credential-stuffing assaults on the location. It has stated it expects to incur $1 million to $2 million in prices associated to the breach.
