Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Jessica Ware is obsessed with bugs.
My guest today is a leading researcher on insects, the president of the Entomological Society of America and a curator at the American Museum of Natural History. Learn more about her here.
You may not think that insects and human health go hand-in-hand, but as Jessica makes clear, they’re closely related. A lot of people care about their health, and the health of other creatures on the planet, and the health of the planet itself, but researchers like Jessica are studying another thing we should be focusing on even more: how these seemingly separate areas are deeply entwined. (This is the theme of an upcoming event hosted by Leaps.org and the Aspen Institute.)
Listen to the Episode
Listen on Apple | Listen on Spotify | Listen on Stitcher | Listen on Amazon | Listen on Google
Entomologist Jessica Ware
D. Finnin / AMNH
Maybe it feels like a core human instinct to demonize bugs as gross. We seem to try to eradicate them in every way possible, whether that’s with poison, or getting out our blood thirst by stomping them whenever they creep and crawl into sight.
But where did our fear of bugs really come from? Jessica makes a compelling case that a lot of it is cultural, rather than in-born, and we should be following the lead of other cultures that have learned to live with and appreciate bugs.
The truth is that a healthy planet depends on insects. You may feel stung by that news if you hate bugs. Reality bites.
Jessica and I talk about whether learning to live with insects should include eating them and gene editing them so they don’t transmit viruses. She also tells me about her important research into using genomic tools to track bugs in the wild to figure out why and how we’ve lost 50 percent of the insect population since 1970 according to some estimates – bad news because the ecosystems that make up the planet heavily depend on insects. Jessica is leading the way to better understand what’s causing these declines in order to start reversing these trends to save the insects and to save ourselves.
They received retinal implants to restore their vision. Then the company turned its back on them.
The first thing Jeroen Perk saw after he partially regained his sight nearly a decade ago was the outline of his guide dog Pedro.
“There was a white floor, and the dog was black,” recalls Perk, a 43-year-old investigator for the Dutch customs service. “I was crying. It was a very nice moment.”
Perk was diagnosed with retinitis pigmentosa as a child and had been blind since early adulthood. He has been able to use the implant placed into his retina in 2013 to help identify street crossings, and even ski and pursue archery. A video posted by the company that designed and manufactured the device indicates he’s a good shot.
Less black-and-white has been the journey Perk and others have been on after they were implanted with the Argus II, a second-generation device created by a Los Angeles-based company called Second Sight Medical Devices.
The Argus II uses the implant and a video camera embedded in a special pair of glasses to provide limited vision to those with retinitis pigmentosa, a genetic disease that causes cells in the retina to deteriorate. The camera feeds information to the implant, which sends electrical impulses into the retina to recapitulate what the camera sees. The impulses appear in the Argus II as a 60-pixel grid of blacks, grays and whites in the user’s eye that can render rough outlines of objects and their motion.
Smartphone and computer manufacturers typically stop issuing software upgrades to their devices after two or three years, eventually rendering them bricks. But is the smartphone approach acceptable for a device that helps restore the most crucial sense a human being possesses?
Ross Doerr, a retired disability rights attorney in Maine who received an Argus II in 2019, describes the field of vision as the equivalent of an index card held at arm’s length. Perk often brings objects close to his face to decipher them. Moreover, users must swivel their heads to take in visual data; moving their eyeballs does not work.
Despite its limitations, the Argus II beats the alternative. Perk no longer relies on his guide dog. Doerr was uplifted when he was able to see the outlines of Christmas trees at a holiday show.
“The fairy godmother department sort of reaches out and taps you on the shoulder once in a while,” Doerr says of his implant, which came about purely by chance. A surgeon treating his cataracts was partnered with the son of another surgeon who was implanting the devices, and he was referred.
Doerr had no reason to believe the shower of fairy dust wouldn’t continue. Second Sight held out promises that the Argus II recipients’ vision would gradually improve through upgrades to much higher pixel densities. The ability to recognize individual faces was even touted as a possibility. In the winter of 2020, Doerr was preparing to travel across the U.S. to Second Sight’s headquarters to receive an upgrade. But then COVID-19 descended, and the trip was canceled.
The pandemic also hit Second Sight’s bottom line. Doerr found out about its tribulations only from one of the company’s vision therapists, who told him the entire department was being laid off. Second Sight cut nearly 80% of its workforce in March 2020 and announced it would wind down operations.
Ross Doerr has mostly stopped using his Argus II, the result of combination of fear of losing its assistance from wear and tear and disdain for the company that brought it to market.
Jan Doerr
Second Sight’s implosion left some 350 Argus recipients in the metaphorical dark about what to do if their implants failed. Skeleton staff seem to have rarely responded to queries from their customers, at least based on the experiences of Perk and Doerr. And some recipients have unfortunately returned to the actual dark as well, as reports have surfaced of Argus II failures due to aging or worn-down parts.
Product support for complex products is remarkably uneven. Although the iconic Ford Mustang ceased production in the late 1960s, its parts market is so robust that it’s theoretically possible to assemble a new vehicle from recently crafted components. Conversely, smartphone and computer manufacturers typically stop issuing software upgrades to their devices after two or three years, eventually rendering them bricks. Consumers have accepted both extremes.
But is the smartphone approach acceptable for a device that helps restore the most crucial sense a human being possesses?
Margaret McLean, a senior fellow at the Markkula Center for Applied Ethics at Santa Clara University in California, notes companies like Second Sight have a greater obligation for product support than other consumer product ventures.
“In this particular case, you have a great deal of risk that is involved in using this device, the implant, and the after care of this device,” she says. “You cannot, like with your car, decide that ‘I don’t like my Mustang anymore,’ and go out and buy a Corvette.”
And, whether the Argus II implant works or not, its physical presence can impact critical medical decisions. Doerr’s doctor wanted him to undergo an MRI to assist in diagnosing attacks of vertigo. But the physician was concerned his implant might interfere. With the latest available manufacturer advisories on his implant nearly a decade old, the procedure was held up. Doerr spent months importuning Second Sight through phone calls, emails and Facebook postings to learn if his implant was contraindicated with MRIs, which he never received. Although the cause of his vertigo was found without an MRI, Doerr was hardly assured.
“Put that into context for a minute. I get into a serious car accident. I end up in the emergency room, and I have a tag saying I have an implanted medical device,” he says. “You can’t do an MRI until you get the proper information from the company. Who’s going to answer the phone?”
Second Sight’s management did answer the call to revamp its business. It netted nearly $78 million through a private stock placement and an initial public offering last year. At the end of 2021, Second Sight had nearly $70 million in cash on hand, according to a recent filing with the Securities and Exchange Commission.
And while the Argus II is still touted at length on Second Sight’s home page, it appears little of its corporate coffers are earmarked toward its support. These days, the company is focused on obtaining federal approvals for Orion, a new implant that would go directly into the recipient’s brain and could be used to remedy blindness from a variety of causes. It obtained a $6.4 million grant from the National Institutes of Health in May 2021 to help develop Orion.
Presented with a list of written questions by email, Second Sight’s spokesperson, Dave Gentry of the investor relations firm Red Chip Companies, copied a subordinate with an abrupt message to “please handle.” That was the only response from a company representative. A call to Second Sight acting chief executive officer Scott Dunbar went unreturned.
Whether or not the Orion succeeds remains to be seen. The company’s SEC filings suggest a viable and FDA-approved device is years away, and that operational losses are expected for the “foreseeable future.” Second Sight reported zero revenue in 2020 or 2021.
Moreover, the experiences of the Argus II recipients could color the reception of future Second Sight products. Doerr notes that his insurer paid nearly $500,000 to implant his device and for training on how to use it.
“What’s the insurance industry going to say the next time this crops up?” Doerr asks, noting that the company’s reputation is “completely shot” with the recipients of its implants.
Perk, who made speeches to praise the Argus II and is still featured in a video on the Second Sight website, says he also no longer supports the company.
Jeroen Perk, an investigator for the Dutch customs service, cried for joy after partially regaining his sight, but he no longer trusts Second Sight, the company that provided his implant.
Nanda Perk
Nevertheless, Perk remains highly reliant on the technology. When he dropped an external component of his device in late 2020 and it broke, Perk briefly debated whether to remain blind or find a way to get his Argus II working again. Three months later, he was able to revive it by crowdsourcing parts, primarily from surgeons with spare components or other Argus II recipients who no longer use their devices. Perk now has several spare parts in reserve in case of future breakdowns.
Despite the frantic efforts to retain what little sight he has, Perk has no regrets about having the device implanted. And while he no longer trusts Second Sight, he is looking forward to possibly obtaining more advanced implants from companies in the Netherlands and Australia working on their own products.
Doerr suggests that biotech firms whose implants are distributed globally be bound to some sort of international treaty requiring them to service their products in perpetuity. Such treaties are still applied to the salvage rights for ships that sunk centuries ago, he notes.
“I think that in a global tech economy, that would be a good thing,” says McLean, the fellow at Santa Clara, “but I am not optimistic about it in the near term. Business incentives push toward return on share to stockholders, not to patients and other stakeholders. We likely need to rely on some combination of corporately responsibility…and [international] government regulation. It’s tough—the Paris Climate Accord implementation at a slow walk comes to mind.”
Unlike Perk, Doerr has mostly stopped using his Argus II, the result of combination of fear of losing its assistance from wear and tear and disdain for the company that brought it to market. At 70, Doerr says he does not have the time or energy to hold the company more accountable. And with Second Sight having gone through a considerable corporate reorganization, Doerr believes a lawsuit to compel it to better serve its Argus recipients would be nothing but an extremely costly longshot.
“It’s corporate America at its best,” he observes.