23andMe Hack: What To Know When Your Health Data is Breached

Your health data is exceptionally valuable — and exceptionally vulnerable.

That has been made clear in a string of recent breaches that have exposed sensitive medical information, including a hack at the genetic testing company 23andMe; a ransomware attack in November that affected emergency rooms and delayed medical procedures at hospitals in several states; and a cyberattack on a medical transcription company that stole the health data of nine million people.

Such large breaches are increasingly common: In the first 10 months of this year alone, more than 88 million individuals, a quarter of Americans, had their medical data exposed, according to the Department of Health and Human Services. And that number does not include episodes involving companies that may have access to your health data but that aren’t governed by the patient privacy law known as HIPAA, which requires breaches to be reported to the federal government.

For people whose information is leaked, a breach can violate patient privacy and put them at risk of identity theft, insurance fraud or discrimination if, for example, their treatment for a stigmatized condition such as addiction or AIDS is made public, said Dr. Eduardo Iturrate, health I.T. safety officer and senior director for enterprise data and analytics at NYU Langone Health.

While a breach can leave you feeling helpless, there are steps experts recommend you take.

Hospitals and health care companies often hold some of our most intimate data: medical diagnoses, treatment history, financial information and in some cases, your Social Security number. If your information was leaked, you should start by finding out what exactly was exposed.

In the case of 23andMe, which is not covered by HIPAA, the company said hackers may have gained access to ancestry data, “health-related information based upon the user’s genetics” and other personal information, including display names and uploaded photos. The company said it is notifying those affected, but it did not specify a time frame for doing so.

Organizations covered by HIPAA — including hospitals, health insurers and service providers like companies that make software used by health systems — generally must notify patients within 60 days if their protected health information has been compromised. They’re also required to tell patients what steps they can take to protect themselves from potential harm and share plans to reduce further security risks, said Jacqueline Seitz, the deputy director of health privacy at the Legal Action Center, a nonprofit that advocates on legal and health equity issues.

Watch for signs that someone is using your medical information, like bills for medical care you didn’t receive, errors in your explanation of benefits statement from your insurer or a notice saying you reached your benefit limit.

Use a credit-monitoring service to watch your credit cards and score, and depending on what information was exposed, consider putting a fraud alert on your accounts or freezing them. Also pay attention to financial accounts tied to your health care, such as a health savings account, in case a hacker tries to withdraw money.

Report any unauthorized charges or incorrect medical bills in writing. If you find an error in a bill or record, send your health insurer and provider a copy of your accurate medical records and explain why the information is wrong. If you use Medicaid or Medicare, you can also report fraud to the H.H.S. Office of Inspector General.

These steps can be time-consuming, but they are important for your future care. False information in your records could lead to medical errors.

Unfortunately, it can be all but impossible to fully reclaim control of your information. “Once data has been given to someone else and you don’t know what they’re doing with it, there is no way to pull it back in,” Dr. Iturrate said.

Still, experts said there are steps you can take to limit any potential harms and keep your data safer going forward. Dr. Iturrate recommended that people immediately update their passwords for any account that might be affected, such as a patient portal, and enable two-factor authentication if possible. Pick strong, unique passwords for every account, and consider using a password manager.

Whether you’re using a genetic testing site, downloading a wellness app or visiting a doctor’s office, you should also think carefully about the medical information you share, Ms. Seitz said.

“I encourage people to ask: ‘Do you really need my full medical record? Do you need to give me a screening questionnaire about every time I’ve used drugs?’” she said. “That is sensitive information, and it may not be necessary in order to be seen by your dermatologist,” she added.

Ms. Seitz acknowledged that most people, herself included, do not read the fine print of privacy agreements on health care websites. But you can still try to compartmentalize your personal information by making sure you opt out of sharing location data or contacts, for example. You could also make dedicated email addresses for different health care accounts, or use an app like Permission Slip to ask companies to delete your data.

There isn’t a clear legal path to deal with most data breaches. People cannot directly sue their providers for a HIPAA violation, Ms. Seitz said. Some states have enacted laws to protect certain types of health data, such as whether you’ve been tested for H.I.V., if you have a mental health condition or if you are seeking addiction treatment. The Genetic Information Nondiscrimination Act, known as GINA, also offers some protection against discrimination based on genetic information, but experts said it had notable loopholes. For example, if you have tested positive for the BRCA1 breast cancer gene, GINA does not prevent mortgage lenders or life or disability insurance providers from using that information against you.

“Even if you can find a law that you can sue under, it can be very challenging to win a privacy case,” Ms. Seitz said. “Different courts take totally different perspectives on how to prove harm.”

The recent breaches highlight why it matters to be vigilant and proactive about protecting your health data. But the responsibility should not fall solely on consumers, said Anthony Vance, a professor of business information technology and a Commonwealth Cyber Initiative fellow at Virginia Tech.

“You can post your data once and be done,” he said. “But companies holding that data have to protect it forever, and they need more incentives and better regulation.”
