Hackers Gain Access to 6.9 Million 23andMe Users’ Health Data


This month, DNA testing company 23andMe confirmed that hackers gained access to approximately 6.9 million users’ data. The breached information includes sensitive details such as names, birth years, relationship labels, the percentage of DNA shared with certain relatives, genetics-based health information, ancestry reports, and self-reported location data. In the company’s report to the Securities and Exchange Commission (SEC), the alleged cause of the breach was an attack that infiltrated 23andMe systems through user accounts protected by reused passwords that had already been compromised elsewhere.

Notably, 23andMe is not governed by the Health Insurance Portability and Accountability Act (HIPAA). Therefore, it is not required to comply with HIPAA’s breach notification requirements, nor will it be subject to Office for Civil Rights investigation or enforcement. However, 23andMe is required to comply with federal and state consumer health data privacy regimes, such as the Federal Trade Commission (FTC) Health Breach Notification Rule. This rule requires that companies experiencing a breach of security of consumers’ identifying health information notify affected consumers, the FTC, and the media. Recently, the FTC expressed its intention to enforce rules related to the privacy of personal information. The agency has demonstrated its commitment to these enforcement goals by pursuing actions against various entities for privacy-related matters, including an action against another genetic testing company for leaving sensitive genetic and health data unsecured, deceiving customers about their ability to have their data deleted, and retroactively changing its privacy policies without notifying, or obtaining consent from, consumers whose data the company had already collected. Based on the FTC’s announcement regarding its focus on these matters, this uptick in enforcement is expected to continue.

The 23andMe data breach serves as a reminder to all companies and vendors collecting and storing health-related consumer data to ensure that they are compliant with applicable data privacy rules and regulations, even if they believe they fall outside HIPAA’s purview. Given the rapidly evolving data privacy landscape, it is critical that companies with access to consumer and health data remain vigilant and compliant with both federal and state data privacy laws.

Frier Levitt has experienced data privacy attorneys who can review your current policies and business practices to confirm that your organization is compliant with applicable laws and prepared to react appropriately in the event of a security incident. In light of the 23andMe breach, the call to action is clear: prioritize data security and compliance to safeguard the trust and privacy of consumers.