Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Defenders of civil liberties fear that the erosion of privacy will become a long-term consequence of the pandemic.
As countries around the world combat the coronavirus outbreak, governments that already operated sophisticated surveillance programs are ramping up the tracking of their citizens.
"The potential for invasions of privacy, abuse, and stigmatization is enormous."
Countries like China, South Korea, Israel, Singapore and others are closely monitoring citizens to track the spread of the virus and prevent further infections, and policymakers in the United States have proposed similar steps. These shifts in policy have civil liberties defenders alarmed, as history has shown increases in surveillance tend to stick around after an emergency is over.
In China, where the virus originated and surveillance is already ubiquitous, the government has taken measures like having people scan a QR code and answer questions about their health and travel history to enter their apartment building. The country has also increased the tracking of cell phones, encouraged citizens to report people who appear to be sick, utilized surveillance drones, and developed facial recognition that can identify someone even if they're wearing a mask.
In Israel, the government has begun tracking people's cell phones without a court order under a program that was initially meant to counter terrorism. Singapore has also been closely tracking people's movements using cell phone data. In South Korea, the government has been monitoring citizens' credit card and cell phone data and has heavily utilized facial recognition to combat the spread of the coronavirus.
Here at home, the United States government and state governments have been using cell phone data to determine where people are congregating. White House senior adviser Jared Kushner's task force to combat the coronavirus outbreak has proposed using cell phone data to track coronavirus patients. Cities around the nation are also using surveillance drones to maintain social distancing orders. Companies like Apple and Google that work closely with the federal government are currently developing systems to track Americans' cell phones.
All of this might sound acceptable if you're worried about containing the outbreak and getting back to normal life, but as we saw when the Patriot Act was passed in 2001 in the wake of the 9/11 terrorist attacks, expansions of the surveillance state can persist long after the emergency that seemed to justify them.
Jay Stanley, senior policy analyst with the ACLU Speech, Privacy, and Technology Project, says that this public health emergency requires bold action, but he worries that actions may be taken that will infringe on our privacy rights.
"This is an extraordinary crisis that justifies things that would not be justified in ordinary times, but we, of course, worry that any such things would be made permanent," Stanley says.
Stanley notes that the 9/11 situation was different from this current situation because we still face the threat of terrorism today, and we always will. The Patriot Act was a response to that threat, even if it was an extreme response. With this pandemic, it's quite possible we won't face something like this again for some time.
"We know that for the last seven or eight decades, we haven't seen a microbe this dangerous become a pandemic, and it's reasonable to expect it's not going to be happening for a while afterward," Stanley says. "We do know that when a vaccine is produced and is produced widely enough, the COVID crisis will be over. This does, unlike 9/11, have a definitive ending."
The ACLU released a white paper last week outlining the problems with using location data from cell phones and how policymakers should proceed when they discuss the usage of surveillance to combat the outbreak.
"Location data contains an enormously invasive and personal set of information about each of us, with the potential to reveal such things as people's social, sexual, religious, and political associations," they wrote. "The potential for invasions of privacy, abuse, and stigmatization is enormous. Any uses of such data should be temporary, restricted to public health agencies and purposes, and should make the greatest possible use of available techniques that allow for privacy and anonymity to be protected, even as the data is used."
"The first thing you need to combat pervasive surveillance is to know that it's occurring."
Sara Collins, policy counsel at the digital rights organization Public Knowledge, says that one of the problems with the current administration is that there's not much transparency, so she worries surveillance could be increased without the public realizing it.
"You'll often see the White House come out with something—that they're going to take this action or an agency just says they're going to take this action—and there's no congressional authorization," Collins says. "There's no regulation. There's nothing there for the public discourse."
Collins says it's almost impossible to protect against infringements on people's privacy rights if you don't actually know what kind of surveillance is being done and at what scale.
"I think that's very concerning when there's no accountability and no way to understand what's actually happening," Collins says. "The first thing you need to combat pervasive surveillance is to know that it's occurring."
We should also be worried about corporate surveillance, Collins says, because the tech companies that keep track of our data work closely with the government and do not have a good track record when it comes to protecting people's privacy. She suspects these companies could use the coronavirus outbreak to defend the kind of data collection they've been engaging in for years.
Collins stresses that any increase in surveillance should be transparent and short-lived, and that there should be a limit on how long people's data can be kept. Otherwise, she says, we're risking an indefinite infringement on privacy rights. Her organization will be keeping tabs as the crisis progresses.
It's not that we shouldn't avail ourselves of modern technology to fight the pandemic. Indeed, once lockdown restrictions are gradually lifted, public health officials must increase their ability to isolate new cases and trace, test, and quarantine contacts.
But tracking the entire populace "Big Brother"-style is not the ideal way out of the crisis. Last week, for instance, a group of policy experts -- including former FDA Commissioner Scott Gottlieb -- published recommendations for how to achieve containment. They emphasized the need for widespread diagnostic and serologic testing as well as rapid case-based interventions, among other measures -- and they, too, were wary of pervasive measures to follow citizens.
The group wrote: "Improved capacity [for timely contact tracing] will be most effective if coordinated with health care providers, health systems, and health plans and supported by timely electronic data sharing. Cell phone-based apps recording proximity events between individuals are unlikely to have adequate discriminating ability or adoption to achieve public health utility, while introducing serious privacy, security, and logistical concerns."
The bottom line: Any broad increases in surveillance should be carefully considered before we go along with them out of fear. The Founders knew that privacy is integral to freedom; that's why they wrote the Fourth Amendment to protect it, and that right shouldn't be thrown away because we're in an emergency. Once you lose a right, you don't tend to get it back.
Scientific breakthroughs offer our only solution for a safe return to normal life.
Kira Peikoff was the editor-in-chief of Leaps.org from 2017 to 2021. As a journalist, her work has appeared in The New York Times, Newsweek, Nautilus, Popular Mechanics, The New York Academy of Sciences, and other outlets. She is also the author of four suspense novels that explore controversial issues arising from scientific innovation: Living Proof, No Time to Die, Die Again Tomorrow, and Mother Knows Best. Peikoff holds a B.A. in Journalism from New York University and an M.S. in Bioethics from Columbia University. She lives in New Jersey with her husband and two young sons. Follow her on Twitter @KiraPeikoff.