This holiday season was a hot one for at-home genome testing. Providers like 23andMe and Ancestry.com promoted their heritage and health testing services as a gift for families who want to learn about their genetic makeup.
It might look like the gift that keeps on giving, with new relatives and health findings popping up all the time, but experts told 5 On Your Side that customers may be giving away something they’ll never get back. The history of your DNA doesn’t end when you send it in. It might just be the start of the journey your data can take from testing provider to healthcare companies or the police.
How well do you know you?
Dan Smith’s wife surprised him with a DNA testing kit from Ancestry.com a few years ago. He got more surprises when he saw his results.
“Everybody else on my mom's side was mostly German and Irish,” Smith said. “I always prided myself more on the German part.”
Like many customers who see inside their genomes for the first time, Smith's view of his own background changed.
“It turns out I’m more English,” he said. “The one that really, really surprised me, even though it's only 1% is, uh, from Cameroon in the Congo. I did not expect that on my DNA at all.”
The Ancestry.com results also connected Smith with a relative his family never got to know.
“Me and my sister knew all our lives we had a half brother but we've never known who because it was a closed adoption,” he said. “This guy came up as a potential sibling.”
Kathy Smith, unrelated to Dan Smith, used a 23andMe test given to her to learn more about her future rather than her family’s past. She wanted to know her risk of diseases that run in her family. The news she got was reassuring.
“For some people that would be very frightening. I loved it. I thought it was interesting,” Kathy Smith said.
Where did your DNA data go?
The price of these findings is that private companies get to know all that information and more. While direct-to-consumer genetic testing providers generally have privacy policies to tell customers how their data will be stored and shared, genetic code is sensitive information on a whole new level. It can connect you to your relatives, predict your risk of disease and even help identify suspects in criminal investigations all over your family tree.
In December, the Department of Defense sent a memo advising employees to stay away from the tests, which they called “largely unregulated.”
David Chronister, CEO of Parameter Security, said the cautious outlook could be warranted.
“From a technological standpoint, from an exploitation of information [the Department of Defense] sees five to 10 years down the road of what corporate America is looking at. So, I would say if they're really being leery about their employees taking these tests, I would really take heed to that,” Chronister said.
Cathy Roberts, associate editor for health at Consumer Reports, also sees reasons to stay alert.
“It is kind of a Wild West as far as regulation,” she said.
Roberts pointed out that federal law prohibits employers and insurance companies from discriminating against anyone based on their genetics, but the law is silent on some other people who could use your data.
Worst-case scenarios
“That law does not protect against discrimination in other settings. Some big examples are life insurance companies, long-term care insurance, disability insurance. These insurers can make decisions about your premiums, about your coverage, based on genetic information,” said Roberts.
Dan Smith admitted there might be findings in his data that he would want to keep out of certain hands.
“That's a very, very scary thought,” he said.
In one potential worst-case scenario, both Roberts and Chronister said someone could hypothetically impersonate you using your DNA.
By hacking your online Ancestry.com or 23andMe account, someone could attempt to exploit relationships with long-lost relatives, impersonate you and learn more about your health. Unlike a credit card number, once hackers have your genetic information, you can never really get it back.
DNA testing companies aren’t bound by the same laws that protect private health information in the same way as insurers, hospitals and doctors. The rules that consumers need to know are in the privacy agreements they acknowledge when they send in their samples.
