News, Analysis, Trends, Management Innovations for
Clinical Laboratories and Pathology Groups

Hosted by Robert Michel


Data Theft at 23andMe Leaks Genetic and Personal Information for Thousands, Targets Ashkenazi Jews and Chinese

Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information

Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and the incident should serve as a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be for sale on the dark web.

According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.

“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.

The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.

For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.

Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)

23andMe Claims Data Leak Not a Security Incident

23andMe has confirmed that the leaked data is legitimate. “Threat actors used exposed credentials from other breaches [of other companies’ security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.

However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.

What the genetics company has determined is that the compromised accounts belonged to users who had opted into the DNA Relatives feature on its website as a means to find and connect with individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.

Price of Private Information

Following the 23andMe data leak, the private genetic information was quickly available online … for a price.

“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.

Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.

In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.

Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.

Inevitable Federal Lawsuit

Regardless of what security measures the 23andMe site boasts, the breach quickly brought a proposed federal class action suit, filed on October 9 in the US District Court for the Northern District of California. The suit, “filed by plaintiffs representing all persons who had personal data exposed,” claims that information from Mark Zuckerberg, Elon Musk, and Sergey Brin was included in the leak, Bloomberg Law reported.

“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.

“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”

Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.

Preventing Future Data Leaks

Experts’ years of warnings that genetics companies like 23andMe need stricter data security have proven true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.

Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.

—Kristin Althea O’Connor

Related Information:

23andMe Blog Post: Addressing Data Security Concerns

23andMe Sued Over Hack of Genetic Data Affecting Thousands

23andMe Notifies Customers of Data Breach into Its ‘DNA Relatives’ Feature

Genetics Firm 23andMe Says User Data Stolen in Credential Stuffing Attack

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Industry Voices—Forget Credit Card Numbers. Medical Records Are the Hottest Items on the Dark Web

Hacker Claims to Have Stolen Genetic Data from Millions Of 23andMe Users and Is Trying to Sell the Information Online

US District Court California Northern District (San Francisco) Civil Docket for Case #: 3:23-Cv-05147-EMC

2018 Trustwave Global Security Report

Ransomware Activity Targeting the Healthcare and Public Health Sector

23andMe Sued After Hacker Claims Massive Data Breach Impacting Ashkenazi Jews

Five Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies

The FTC Is Investigating DNA Firms Like 23andme and Ancestry over Privacy

Google Takes First Steps to Create World’s Largest Human Genome Database as Part of Wider Strategy to Become a Major Player in Healthcare ‘Big Data’

Google’s goal is to build a genomics database to facilitate early diagnosis and prevention of life-threatening diseases; may give pathologists a new diagnostic tool

Google (NASDAQ: GOOG) is preparing to build a human genome database that it says may become the world’s biggest. The company plans to also assemble other medical information, including clinical laboratory test data, as it pursues plans to become a player in the market for healthcare Big Data.

This work will be done by Google X Life Sciences, a new business for Google. The project is known as the Baseline Study.

J. Craig Venter Joins Race to Crack the Puzzle of Human Aging with New Company That Aims to Sequence 100,000 Human Genomes Yearly

Big Data will play major role as Venter’s team sets out to build world’s largest database of human genotypes, microbiomes and phenotypes

For the second time in recent months, another prominent figure has declared his intention to crack the code of human aging. This time it is scientist and entrepreneur J. Craig Venter, Ph.D., known for his role in sequencing the first whole human genome.

Venter will pursue this goal through a brand new company he launched, called Human Longevity, Inc. (HLI), based in La Jolla, California.

Human Longevity, Inc. Will Compete Against Calico

This is a noteworthy development. Pathologists and clinical laboratory managers already know Venter’s competition in this race is a company called Calico that was founded by several entrepreneurs linked to Google.

Google’s Calico Start-up to Sequence Whole Human Genomes of Healthy 100-Year-Olds in Project to Solve Puzzle of Human Aging

If successful, the knowledge gained from this research may provide new tools and medical laboratory tests that pathologists can use in the management of geriatric patients

Google’s founders believe that analysis of the genomes of people who live to be 100 years old and are relatively healthy will allow them to solve the puzzle of human aging. They have funded a new company specifically to pursue this goal.

In the near future, it is unlikely that any of the science developed by this venture will lead to a diagnostic profile or clinical laboratory tests that pathologists can use to help clinicians who deal with the diseases associated with aging. But should the research team at Calico develop a better understanding of the dynamics of human aging, it would certainly be expected that this knowledge would be used to develop appropriate medical laboratory tests.