It’s a scene from a dystopian novel: You’re curious about your ancestry so you purchase a genealogy kit online and submit a sample of your saliva to find out whether your grandmother was right about your family origins. A few weeks later you get your results. It makes for good fodder for the next family dinner. In exchange for quelling your curiosity, the company now has your DNA—the molecular composition that makes you, you. And unless you read the fine print, you likely have no idea that this information about what makes you unique is being sold to third parties for medical research and who knows what else.
As the popularity of genetic and genealogy testing companies, such as Ancestry.com and 23andMe, skyrockets, and privacy concerns mount over how user data is secured, the companies are increasing their presence in Washington.
Ancestry.com, the largest for-profit genealogy company, hired a firm to lobby Congress and federal agencies on their behalf in January, after spending only $10,000 in 2017 on lobbying efforts. So far this year, the Utah-based company has increased their lobbying spending eightfold, spending $80,000 on a firm to lobby on “genetic privacy issues,” according to their Senate disclosure reports reviewed by Sludge.
Helix, another DNA testing site, also hired a lobbying firm for the first time in 2018, spending $40,000 so far this year to lobby on “genomic health, data privacy and security, and regulation of laboratory developed tests,” its lobbying disclosures state.
Golden State Killer Case Raises Privacy Concerns
The increase in lobbying comes months after the Sacramento County Sheriff’s Department arrested the suspected Golden State Killer—who killed at least a dozen people and committed more than 50 rapes during a 12-year spree beginning in 1974—by using data from a genealogy research site.
More than four decades since the investigation began, police arrested 72-year-old Joseph James DeAngelo in April after crime scene DNA was a partial match to DNA on GEDmatch, a genealogy site. While DeAngelo’s genetic profile was not in the GEDmatch database, a distant relative’s was, narrowing down the suspected pool of possible serial killers to one family.
While law enforcement’s ingenious use of genealogy sites may have captured one of the most elusive serial killers, it surfaced questions about how genetic information is stored and who has access to users’ genetic data.
Unlike patients in clinical trials or in medical settings, there are no HIPAA-like regulations to protect consumers’ private health information on genetic and genealogy testing websites. That means that users’ health data can be used or sold to third parties for medical research or to target certain individuals.
In June, Fast Company first reported that DNA testing companies, like 23andMe and Ancestry.com, were being investigated by the Federal Trade Commission over their policies for handling personal information and genetic data, as well as how that information was shared with third-party vendors.
A spokeswoman for the FTC declined to comment to Sludge, noting that the agency could not say whether it was investigating a company or not.
Data security concerns grew further after an Israel-based genetic testing company learned of a security breach affecting 92 million people. In June, MyHeritage announced that it was the victim of a security “breach” exposing email addresses and hashed passwords of roughly 92 million users. DNA data and family tree information were stored separately, the company said in a statement at the time.
“We have no reason to believe those systems have been compromised,” the company said in a June statement.
Reps. Dave Loebsack of Iowa and Frank Pallone Jr. of New Jersey sent a letter to genealogy and genetic testing companies in late June inquiring about their security systems and customer privacy. The letter sought information on what personal information is collected from customers, which employees can see the information, and which third parties could purchase or access the data, according to the letter obtained by Stat News.
Inquiries made to Loebsack and Pallone’s offices seeking the companies’ response to the letter, and comment on whether both Democrats were interested in pursuing legislation, were not returned.
A spokesman for 23andMe told Sludge in an email that the company does not share any consumer data without consent and does not share data with employers, insurers or law enforcement. Inquiries made to Ancestry.com were not immediately returned.
To further quell issues over privacy and data security, DNA testing companies—including Ancestry, 23andMe, Helix and MyHeritage—partnered with Future of Privacy Forum, a nonprofit that focuses on data privacy, to craft “best practices.” The practices include obtaining express consent to transfer genetic data to third parties, “detailed transparency about how Genetic Data is collected, used, shared, and retained,” and deletion rights.
A Growing Industry
Direct-to-consumer genetic testing invented an industry that wasn’t available for public consumption 10 years ago and has gained a following.
Ancestry.com has tested the DNA of more than 7 million people, the company boasts on their website. 23andMe, the second largest genealogy and genetic testing company, has 5 million customers. In addition to spending millions on advertising, the companies are branching out into the medical field.
Unlike Ancestry.com, 23andMe has maintained a lobbying presence in Washington since 2011. Lobbying for the Silicon Valley-based company peaked in 2015 when they spent $390,000 in lobbying on the 21st Century Cures Act, which aims to streamline pharmaceutical and device approval to bring treatment to the market faster, and on direct-to-consumer genetic testing.
In 2013, the Food and Drug Administration stopped 23andMe from providing consumers with their health information until the company could obtain regulatory approval from the agency demonstrating that the results were accurate. The test results offered users information on their risks of developing various diseases based on an analysis of DNA obtained through a saliva sample. 23andMe was granted approval by the FDA in October 2015 to resume providing consumers their health data, although the program was scaled back.
In the years since, 23andMe has received approval by the FDA to provide genetic risk information for Parkinson’s disease, late-onset Alzheimer’s, Celiac disease, as well as several blood clotting disorders. In March, the FDA announced that 23andMe could provide direct-to-consumer genetic testing on three mutations in the BRCA breast cancer genes.
In the first and second quarter of 2018, 23andMe reported $87,500 spent on lobbying, on par with the $90,000 it spent during the same time period in 2017, lobbying records show.
Last month, British drug giant GlaxoSmithKline announced it was investing $300 million into 23andMe. The companies plan to use 23andMe’s genetic database to find drugs that are more likely to work and carry lower safety risks. While 80 percent of 23andMe customers consented to participating in research, the collaboration between the two companies is designed to facilitate recruitment of patients for clinical trials.