“I mentioned to a co-worker that I just found out I had the breast cancer gene,” a woman told me a few years ago.
“The next thing I knew, everyone in the office was asking me, ‘How are you?’ When the director of our unit retired, everyone had assumed that I’d be chosen to replace him, but instead, I was passed over. I wasn’t fired, but I wasn’t promoted, either.”
She assumed that the company worried that there was a risk she might get cancer and be unable to work. Alas, as she suggests, subtle and not-so-subtle genetic discrimination exists, especially for genes associated with Alzheimer’s, cancer and other serious conditions, and privacy is therefore crucial.
I have been thinking about this woman as I read about 23andMe’s bankruptcy, and the fact that millions of people’s DNA is now for sale. This bankruptcy highlights several critical problems and the need for much stronger regulations concerning genetic information.
The company’s history has been rife with difficulties that, for years, it persuaded policy makers and millions of customers to overlook. Those issues stem from the company’s problematic two-fold business model.
23andMe planned to reap profit by selling millions of people’s DNA to biotech companies and others for tens of millions of dollars each. It has sold copies of its dataset to around 30 of them, including to Genentech for $65 million in 2015 and, more recently, to GlaxoSmithKline, earning $300 million.
But to collect enough DNA, it needed to persuade millions of people to give their genes to the company. 23andMe, therefore, had to convince customers that sending a biological sample would provide benefits and that these would outweigh any risks.
At first, the company advertised that it provided medically useful and actionable information, indicating ways of improving your health. But the Food and Drug Administration said the corporation needed to show evidence of these assertions.
After four years of discussions with the FDA, the company was unable to do so and stopped responding to FDA inquiries while continuing to advertise its tests unchanged. The FDA then said the company had to desist until it was able to demonstrate that these claims were true.
The company thus shifted its ads to say it provided “health information,” consisting not of your risk of any disease, or possible treatments for it, but rather your chance of carrying a so-called recessive gene that posed no harm to you, but could affect your child if the other parent also had the gene.
Genetic data is extremely valuable. It’s the new oil, potentially leading to discoveries of genetic tests that strongly predict good or bad responses to various drugs, generating patents and immense profit. Such targeted or “precision” medicine has already yielded drugs costing over $1 million per patient.
Yet not only biotech companies, but others, including governments that want to identify citizens in various ways, for surveillance or capture, also seek such data. Hackers know this and thus broke into 23andMe’s gold mine and posted DNA of Chinese and Ashkenazi Jews, which could be used for discriminatory purposes.
This bankruptcy underscores the need for better regulations concerning privacy protections and consent. Laws protecting this company’s users are few.
The 2008 federal Genetic Information Nondiscrimination Act applies only to employers with more than 15 workers, and does not cover life insurance, disability or long-term care insurance. So, if a 23andMe customer decides to apply for one of these types of coverage, the insurer can refuse or charge higher rates, based on the person’s DNA.
Companies that violate the law must pay a fine of up to $500,000, but, since treatments for some genetic diseases now cost over $1 million a person, an insurer can choose to drop you and just pay the fine, rather than cover the $1 million cost. The Health Insurance Portability and Accountability Act, passed in 1996, covers the privacy of medical information among health care providers, but doesn’t apply to 23andMe, which doesn’t offer any care.
Unfortunately, withdrawing your data from the 23andMe website does not fully protect your information, since other companies already own copies of your DNA and may be able to sell it or share it with others. Users have been able to request that their data not be sold, but the company has stated it retains much of your data even if you delete your account.
Alas, while you can protect your financial information, such as your credit card number, if hacked, by getting a new card, your DNA is permanent — you cannot change it. It will forever identify you.
Consumers have the right to obtain their genetic information if they want, and therefore also have the right to informed consent that lets them know what information about them is being shared with whom.
23andMe’s debacle should be a major wake-up call, reminding policymakers and all of us of the risks of giving access to our genetic and other health data. Over the years since HIPAA and the Genetic Information Nondiscrimination Act were passed, the world has changed and these laws need to be strengthened, ensuring heightened confidentiality and transparency.
Efforts to collect your DNA are increasing, with many hospitals and others now building biobanks that AI can ever more readily probe. We need to be far better prepared.
Robert Klitzman, MD, is a professor of psychiatry at Vagelos College of Physicians & Surgeons at the Joseph Mailman School of Public Health and director of the Online and In-person Masters of Bioethics Programs at Columbia University.