Understanding Genetic Data Privacy Issues

Before working in cybersecurity, I worked in the genetic science and pharmaceutical space, focusing on regulatory compliance. I’ve always been deeply unsettled by the fact that you can’t de-identify genetic data--a person’s genome is their identity. Even when you remove all of what we consider PII, you’re still left with a blueprint that uniquely maps back to an individual—and by extension, their relatives. That is not something that can ever be fully anonymized, obfuscated, or “tokenized away." When a company like 23andMe enters bankruptcy proceedings, it’s not just assets and liabilities being handed over—its millions of irreplaceable, irrevocable data sets. Genetic data, lineage, health markers. In any other vertical, this is a non-issue, but in genomics, once it’s out there: it’s out there forever. The breach last year where user profile data was scraped via credential stuffing was already a reminder of the fragility of security controls in consumer genomics. Bankruptcy, however, introduces an entirely new level of concern surrounding data stewardship risk. When ownership shifts, so do priorities. Regulatory guardrails in the U.S. are extremely thin when it comes to secondary use, sale, or transfer of genetic data post-acquisition or during liquidation. Consumers are being advised to delete their data, but even then, what confidence do we have that full deletion is possible? This data has already been used for thousands (if not more) of derivative datasets. There is a fundamental misalignment between the permanence of genetic material and the transience of corporate entities in the United States. I hope this scramble serves as a lesson learned moving forward in biotech. We need sector-specific regulation (I know, I’m always saying this) that treats genetic data as categorically different from PII or PHI. We also need enforceable rules around data portability, retention, deletion, and sale. We need to treat any company handling genetic data not just as a tech company, but as a biological data custodian—held to standards closer to those we expect of healthcare institutions. #23andMe #dataprivacy #security #genetics #TEN18 TEN18 by Exabeam

Mass Surveillance Concerns Rise Over Technology That Can Extract DNA from Air New advancements in environmental DNA (eDNA) technology have sparked concerns over mass genetic surveillance, as scientists can now collect and identify human DNA simply by sampling air, soil, or water. The Royal Society warns that without regulation, this groundbreaking but invasive technology could be misused for unethical or malicious purposes. How eDNA Technology Works eDNA consists of genetic fragments shed from skin, saliva, hair, and bodily fluids that humans and animals leave behind as they move through their environment. Scientists have demonstrated that: • Airborne DNA samples can be collected and analyzed to identify individuals. • eDNA can help track endangered species, investigate crimes, and detect biosecurity threats such as biological weapons or pandemics. • The technique could even be used in forensic investigations, potentially revolutionizing criminal detection. Privacy and Surveillance Fears Despite its potential benefits, the Royal Society report highlights significant ethical and legal concerns: • Covert DNA collection could allow for genetic surveillance without consent, raising human rights issues. • Governments or corporations could harvest and store DNA data for tracking individuals, leading to potential abuses of power. • Companies could exploit genetic data commercially, leading to privacy violations and genetic profiling without awareness. Legal Grey Areas and the Need for Regulation Experts warn that current laws do not explicitly regulate eDNA collection, making it a legal grey area where: • People could be unknowingly monitored simply by existing in public spaces. • Law enforcement could use the technology for DNA dragnet searches, raising concerns about genetic discrimination and false identifications. • Nations could secretly collect foreign genetic data, potentially for biological research, espionage, or even targeted bioweapon development. What Comes Next? The Royal Society calls for clear global regulations to protect individuals from unauthorized DNA collection while allowing ethical scientific and security applications. As eDNA technology advances, balancing privacy, security, and innovation will be critical in preventing a future where genetic surveillance becomes an everyday reality.

𝗬𝗼𝘂𝗿 𝗗𝗡𝗔 𝗶𝘀 𝗮 𝗺𝗮𝗽 𝗼𝗳 𝘆𝗼𝘂𝗿 𝗲𝗻𝘁𝗶𝗿𝗲 𝗹𝗶𝗳𝗲—𝗯𝗲 𝗰𝗮𝗿𝗲𝗳𝘂𝗹 𝘄𝗵𝗼 𝘀𝗲𝗲𝘀 𝗶𝘁. Genetic testing kits and ancestry services are fascinating innovations. They promise to uncover your origins, predispositions, and even health risks. But what happens to your DNA after the results are delivered? 𝗧𝗵𝗲 𝗱𝗮𝗻𝗴𝗲𝗿𝗹𝗶𝗲𝘀 𝗶𝗻 𝘄𝗵𝗮𝘁’𝘀 𝗻𝗼𝘁 𝘀𝗮𝗶𝗱:   💻 𝗗𝗮𝘁𝗮 𝗦𝘁𝗼𝗿𝗮𝗴𝗲: Many companies store your genetic data indefinitely, leaving it vulnerable to misuse or breaches (see case 23andme). 🚨 𝗣𝗿𝗶𝘃𝗮𝗰𝘆 𝗥𝗶𝘀𝗸𝘀: DNA data can be sold to third parties or used for purposes beyond your consent—like research, marketing, or even insurance profiling. 🧬 𝗜𝗿𝗿𝗲𝘃𝗲𝗿𝘀𝗶𝗯𝗹𝗲 𝗖𝗵𝗮𝗶𝗻: Unlike a password, you can’t change your DNA. Once shared, it’s out there forever. As a doctor with a background in genetics and tissue engineering, I see the immense value in #genetic #research, but it must come with robust ethical safeguards. Your DNA isn’t just personal—it’s your identity. Sharing it without fully understanding the implications can have lasting consequences. 𝗛𝗲𝗿𝗲’𝘀 𝗺𝘆 𝗮𝗱𝘃𝗶𝗰𝗲:   📑 𝗥𝗲𝗮𝗱 𝘁𝗵𝗲 𝗙𝗶𝗻𝗲 𝗣𝗿𝗶𝗻𝘁: Know exactly how your data will be used and stored before submitting a sample.   💡 𝗔𝘀𝗸 𝗤𝘂𝗲𝘀𝘁𝗶𝗼𝗻𝘀: Choose companies with transparent policies and robust data protection measures.   🤔 𝗧𝗵𝗶𝗻𝗸 𝗧𝘄𝗶𝗰𝗲: Consider whether the benefits outweigh the risks for what you hope to gain. 𝗛𝗼𝘄 𝗱𝗼 𝘆𝗼𝘂 𝗳𝗲𝗲𝗹 𝗮𝗯𝗼𝘂𝘁 𝘁𝗵𝗲 𝗴𝗿𝗼𝘄𝗶𝗻𝗴 𝘁𝗿𝗲𝗻𝗱 𝗼𝗳 𝗮𝗻𝗰𝗲𝘀𝘁𝗿𝘆 𝗮𝗻𝗱 𝗴𝗲𝗻𝗲𝘁𝗶𝗰 𝘁𝗲𝘀𝘁𝗶𝗻𝗴? #Genetics #PrivacyMatters #DataSecurity #HealthInnovation #DigitalEthics #AI #LLM

What Happens If Our Genomic Data Gets Hacked? We worry about passwords being stolen. We worry about bank data being leaked. But what about the most personal data we carry… our genome? Genomic data is not just another dataset. It contains information about our disease risks, biological identity, and even our families. And unlike passwords, it cannot be changed. If genomic data is compromised, the consequences go far beyond a typical cyberattack: • Lifelong loss of biological privacy • Genetic discrimination in insurance and employment • Exposure of family members’ health risks • Manipulation of research and clinical data • Identity exploitation at a biological level In more advanced scenarios, such data could even be misused to study population-level vulnerabilities. This is no longer just a cybersecurity issue. It is a cyberbiosecurity challenge. As healthcare moves toward AI, precision medicine, and data-driven systems, we must ask ourselves: Are we building innovation… without building security? From my perspective in digital health and AI-driven systems, protecting genomic data is not optional. It is foundational. Because if genomic data is breached, it is not just a data leak. It is a lifelong biological exposure. Are we prepared to protect the most sensitive data we will ever generate? #CyberBiosecurity #Genomics #AIinHealthcare #DigitalHealth #HealthSecurity #PrecisionMedicine #DataProtection #HealthcareInnovation #AUK #Keytaab

News just broke today that 23andMe has filed for bankruptcy. While the headlines focus on the financial and business implications, there’s a bigger question looming for the millions of users (me included) who’ve handed over their most personal data—their DNA. What happens to all that genetic information in the event of bankruptcy, acquisition, or restructuring? Unlike a credit card number, your DNA is permanent. It can’t be changed or reissued. That makes the stakes much higher when it comes to data privacy, ownership, and consent. As we move further into the era of personalized medicine and bio-data-driven innovation, events like this are a wake-up call. Companies will come and go, but your genetic data—and who controls it—could outlive them all. We need guardrails on how sensitive data is handled when companies falter. Curious to hear others’ thoughts—should user DNA data be treated differently in bankruptcy court? #DataPrivacy #23andMe #Genomics #TechEthics #Bioethics #DataSecurity

In March 2024, 15 million Americans lost control of their DNA. Here's how blockchain could save everyone's genetic privacy: 23andMe filed for bankruptcy, jeopardizing the genetic data of millions. Sei Foundation proposed a radical solution: put all genetic data on blockchain and return ownership to users. Your DNA contains everything about you - from health predispositions to ancestry. In the wrong hands, this sensitive information could enable targeted discrimination or surveillance. The Sei Foundation's plan is explicit: • Return data ownership to users • Treat genetic info as a matter of national security • Enable encrypted, confidential transfers • Deploy genetic information on blockchain State laws already give users control over their DNA data. New York and California AGs urged users to request data deletion and DNA sample destruction. But bankruptcy creates uncertainty about data protection. This exposes a fundamental flaw in our data ownership model: Traditional companies can't guarantee data protection when they go bankrupt. Your most sensitive information becomes just another corporate asset to be sold. Imagine having complete control over your genetic data: • You decide who accesses it • You can revoke access anytime • Transparent tracking of all data usage • Your data can't be sold without permission The implications extend far beyond genetics. The 23andMe situation demonstrates why blockchain matters more than ever. The future of data privacy won't be built on trust in companies. It will be built on systems where trust isn't needed. Where users have direct control over their most sensitive information. That's the real revolution blockchain enables.

What happens when pharma buys your DNA? Regeneron just acquired 23andMe out of bankruptcy for $256M. On paper, it’s a strategic play: 15 million users’ genetic data + a pharma powerhouse with blockbuster drugs. But there’s a catch. This isn’t just a distressed asset sale—it’s a litmus test for trust in data-driven healthcare. 23andMe promised consumers ancestry, health insights, and a voice in research. Now, those same users face uncertainty over how their data might fuel drug pipelines—without fresh consent. Millions of people spat into a tube to learn about their ancestry. Few imagined their DNA would one day sit in a pharmaceutical vault. Here’s what we’re watching at The Palindromic: i. Will Regeneron comply transparently with 23andMe’s original privacy policies? ii. Can pharma innovate responsibly without triggering a trust crisis? iii. And who will lead the creation of next-gen data governance models? New models are needed, and this is the type of work we drive with industry partners. Expect a shift toward patient-centric consent frameworks, modular data use rights, and AI-readiness assessments for acquired datasets. Proprietary genetic datasets can turbocharge target discovery and trial stratification. For GTM leaders in pharma and medtech, this moment is a reminder: Data isn’t oil. It’s identity. Handle with care. #PharmaGTM #PrecisionMedicine #HealthData #CommercialExcellence #DigitalEthics #23andMe #Regeneron

🚨 23andMe’s Data Dilemma Deepens: Bankruptcy Court Receives Damning Privacy Ombudsman Report 🚨 This week, one of the most significant biometric privacy cases in the US just took a major turn. 🧬 On June 11, the court-appointed Consumer Privacy Ombudsman (CPO) issued a 211-page report in the 23andMe bankruptcy case. Its taken me a while to digest the report (so you don't have to), but the findings are stark. 📌 Key Takeaways from the Report: ▶️ The CPO **cannot** conclude that the proposed sale of consumer genetic data complies with 23andMe’s own privacy policies — especially for accounts created before June 2022, when language about bankruptcy was added to its privacy statement (§ I.d, p. 7). ▶️Nor can the CPO conclude that the sale complies with applicable non-bankruptcy laws, including state genetic privacy statutes and UDAP laws (§ I.d, p. 7–8). ▶️In his words, this may be “one of the most—if not the most—sensitive collections of data about identified people ever sought to be discharged in bankruptcy” (§ II.c, p. 19). 👥 Consent & Posthumous Data Use: The report blasts 23andMe’s lack of meaningful posthumous data policies. For example: Millions of accounts are dormant. Some are likely deceased. Yet the company’s consents don't explain what happens after death (§ I.f, p. 21). Worse, 23andMe may continue to store and use data indefinitely unless deletion is affirmatively requested. 🔐 CPO’s Recommended Safeguards: Affirmative opt-in consent before any data transfer (§ I.e, p. 8). Clear deletion rights for heirs of deceased users (§ I.e, p. 9). A binding “duty of data loyalty” on the buyer to prohibit exploitative uses (§ I.e, p. 9). Strong limitations on law enforcement access to genetic data (§ I.e, p. 11). 🏁 Next Steps: A final bidder (either Regeneron or TTAM) is expected to be chosen imminently. The bankruptcy court must now weigh these findings in approving any sale of data. 📎 For additional context, check out my earlier LinkedIn posts covering 23andMe and privacy ombudsman: https://lnkd.in/gyeKfNAT https://lnkd.in/gFRu-Ywc ⚖️ This case could set critical precedent at the intersection of privacy, biotech, and bankruptcy. The privacy community should be watching closely. #GeneticData #PrivacyLaw #AIethics #Bankruptcy #23andMe #DataGovernance #Consent #ConsumerProtection #LinkedInLaw

The integration of genetic testing into primary care is influencing healthcare practices, yet little is known about consumers’ knowledge, attitudes, and experiences with genetic testing services or the practitioners who provide them. This Nature Portfolio EJHG systematic review synthesizes peer-reviewed studies on consumers’ perspectives regarding the role of primary health professionals in delivering genomic medicine in primary care settings. The findings reflect that consumer views on genetic tests vary by context, but with several recurring themes. Many consumers express concerns about the cost of genetic tests, questioning whether their benefits justify the expense, especially given the high costs that can hinder broader adoption in some countries. The findings also show that privacy and data security are also significant issues in the primary care setting. Consumers reported worrying about access to their genetic information and the potential misuse of data by third parties, such as insurance companies or employers, leading to fears of discrimination. Uniquely to the primary care context, the study found that the trust established in the doctor-patient relationship could facilitate consumers’ openness to genetic testing, as they are more likely to perceive it as recommended by a trusted physician offering personalized guidance. https://lnkd.in/eUTNzGEw