Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Social distancing is a critical part of the strategy to defeat the novel coronavirus.
Kira Peikoff was the editor-in-chief of Leaps.org from 2017 to 2021. As a journalist, her work has appeared in The New York Times, Newsweek, Nautilus, Popular Mechanics, The New York Academy of Sciences, and other outlets. She is also the author of four suspense novels that explore controversial issues arising from scientific innovation: Living Proof, No Time to Die, Die Again Tomorrow, and Mother Knows Best. Peikoff holds a B.A. in Journalism from New York University and an M.S. in Bioethics from Columbia University. She lives in New Jersey with her husband and two young sons. Follow her on Twitter @KiraPeikoff.
Individuals seeking funding for experimental therapies may enroll in legitimate clinical trials -- or fall prey to snake oil.
Nearly a decade ago, Jamie Anderson hit his highest weight ever: 618 pounds. Depression drove him to eat and eat. He tried all kinds of diets, losing and regaining weight again and again. Then, four years ago, a friend nudged him to join a gym, and with a trainer's guidance, he embarked on a life-altering path.
Ethicists become particularly alarmed when medical crowdfunding appeals are for scientifically unfounded and potentially harmful interventions.
"The big catalyst for all of this is, I was diagnosed as a diabetic," says Anderson, a 46-year-old sales associate in the auto care department at Walmart. Within three years, he was down to 276 pounds but left with excess skin, which sagged from his belly to his mid-thighs.
Plastic surgery would cost $4,000 more than the sum his health insurance approved. That's when Anderson, who lives in Cabot, Arkansas, a suburb outside of Little Rock, turned to online crowdfunding to raise money. In a few months last year, current and former co-workers and friends of friends came up with that amount, covering the remaining expenses for the tummy tuck and overnight hospital stay.
The crowdfunding site that he used, CoFund Health, aimed to give his donors some peace of mind about where their money was going. Unlike GoFundMe and other platforms that don't restrict how donations are spent, Anderson's funds were loaded on a debit card that only worked at health care providers, so the donors "were assured that it was for medical bills only," he says.
CoFund Health was started in January 2019 in response to concerns about the legitimacy of many medical crowdfunding campaigns. As crowdfunding for health-related expenses has gained more traction on social media sites, with countless campaigns seeking to subsidize the high costs of care, it has given rise to some questionable transactions and legitimate ethical concerns.
Common examples of alleged fraud have involved misusing the donations for nonmedical purposes, feigning or embellishing the story of one's own unfortunate plight or that of another person, or impersonating someone else with an illness. Ethicists become particularly alarmed when medical crowdfunding appeals are for scientifically unfounded and potentially harmful interventions.
About 20 percent of American adults reported giving to a crowdfunding campaign for medical bills or treatments, according to a survey by AmeriSpeak Spotlight on Health from NORC, formerly called the National Opinion Research Center, a non-partisan research institution at the University of Chicago. The self-funded poll, conducted in November 2019, included 1,020 interviews with a representative sample of U.S. households. Researchers cited a 2019 City University of New York-Harvard study, which noted that medical bills are the most common basis for declaring personal bankruptcy.
Some experts contend that crowdfunding platforms should serve as gatekeepers in prohibiting campaigns for unproven treatments. Facing a dire diagnosis, individuals may go out on a limb to try anything and everything to prolong and improve the quality of their lives.
They may enroll in well-designed clinical trials, or they could fall prey "to snake oil being sold by people out there just making a buck," says Jeremy Snyder, a health sciences professor at Simon Fraser University in British Columbia, Canada, and the lead author of a December 2019 article in The Hastings Report about crowdfunding for dubious treatments.
For instance, crowdfunding campaigns have sought donations for homeopathic healing for cancer, unapproved stem cell therapy for central nervous system injury, and extended antibiotic use for chronic Lyme disease, according to an October 2018 report in the Journal of the American Medical Association.
Ford Vox, the lead author and an Atlanta-based physician specializing in brain injury, maintains that a repository should exist to monitor the outcomes of experimental treatments. "At the very least, there ought to be some tracking of what happens to the people the funds are being raised for," he says. "It would be great for an independent organization to do so."
"Even if it appears like a good cause, consumers should still do some research before donating to a crowdfunding campaign."
The Federal Trade Commission, the national consumer watchdog, cautions online that "it might be impossible for you to know if the cause is real and if the money actually gets to the intended recipient." Another caveat: Donors can't deduct contributions to individuals on tax returns.
"Even if it appears like a good cause, consumers should still do some research before donating to a crowdfunding campaign," says Malini Mithal, associate director of financial practices at the FTC. "Don't assume all medical treatments are tested and safe."
Before making any donation, it would be wise to check whether a crowdfunding site offers some sort of guarantee if a campaign ends up being fraudulent, says Kristin Judge, chief executive and founder of the Cybercrime Support Network, a Michigan-based nonprofit that serves victims before, during, and after an incident. They should know how the campaign organizer is related to the intended recipient and note whether any direct family members and friends have given funds and left supportive comments.
Donating to vetted charities offers more assurance than crowdfunding that the money will be channeled toward helping someone in need, says Daniel Billingsley, vice president of external affairs for the Oklahoma Center of Nonprofits. "Otherwise, you could be putting money into all sorts of scams." There is "zero accountability" for the crowdfunding site or the recipient to provide proof that the dollars were indeed funneled into health-related expenses.
Even if donors may have limited recourse against scammers, the "platforms have an ethical obligation to protect the people using their site from fraud," says Bryanna Moore, a postdoctoral fellow at Baylor College of Medicine's Center for Medical Ethics and Health Policy. "It's easy to take advantage of people who want to be charitable."
There are "different layers of deception" on a broad spectrum of fraud, ranging from "outright lying for a self-serving reason" to publicizing an imaginary illness to collect money genuinely needed for basic living expenses. With medical campaigns being a top category among crowdfunding appeals, it's "a lot of money that's exchanging hands," Moore says.
The advent of crowdfunding "reveals and, in some ways, reinforces a health care system that is totally broken," says Jessica Pierce, a faculty affiliate in the Center for Bioethics and Humanities at the University of Colorado Anschutz Medical Campus in Denver. "The fact that people have to scrounge for money to get life-saving treatment is unethical."
Crowdfunding also highlights socioeconomic and racial disparities by giving an unfair advantage to those who are social-media savvy and capable of crafting a compelling narrative that attracts donors. Privacy issues enter into the picture as well, because telling that narrative entails revealing personal details, Pierce says, particularly when it comes to children, "who may not be able to consent at a really informed level."
CoFund Health, the crowdfunding site on which Anderson raised the money for his plastic surgery, offers to help people write their campaigns and copy edit for proper language, says Matthew Martin, co-founder and chief executive officer. Like other crowdfunding sites, it retains a few percent of the donations for each campaign. Martin is the husband of Anderson's acquaintance from high school.
So far, the site, which is based in Raleigh, North Carolina, has hosted about 600 crowdfunding campaigns, some completed and some still in progress. Campaigns have raised as little as $300 to cover immediate dental expenses and as much as $12,000 for cancer treatments, Martin says, but most have set a goal between $5,000 and $10,000.
Whether or not someone's campaign is based on fact or fiction remains for prospective donors to decide.
The services could be cosmetic—for example, a breast enhancement or reduction, laser procedures for the eyes or skin, and chiropractic care. A number of campaigns have sought funding for transgender surgeries, which many insurers consider optional, he says.
In July 2019, a second site was hatched out of pet owners' requests for assistance with their dogs' and cats' medical expenses. Money raised on CoFund My Pet can only be used at veterinary clinics. Martin says the debit card would be declined at other merchants, just as its CoFund Health counterpart for humans will be rejected at places other than health care facilities, dental and vision providers, and pharmacies.
Whether or not someone's campaign is based on fact or fiction remains for prospective donors to decide. If a donor were to regret a transaction, he says the site would reach out to the campaign's owner but ultimately couldn't force a refund, Martin explains, because "it's hard to chase down fraud without having access to people's health records."
In some crowdfunding campaigns, the individual needs some or all the donated resources to pay for travel and lodging at faraway destinations to receive care, says Snyder, the health sciences professor and crowdfunding report author. He suggests people only give to recipients they know personally.
"That may change the calculus a little bit," tipping the decision in favor of donating, he says. As long as the treatment isn't harmful, the funds are a small gesture of support. "There's some value in that for preserving hope or just showing them that you care."