Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
The Best Kept Secret on the International Space Station
Rendering of Space Tango ST-42 autonomous commercial manufacturing platform in Low Earth Orbit. (Courtesy Space Tango)
[Editor's Note: This video is the second of a five-part series titled "The Future Is Now: The Revolutionary Power of Stem Cell Research." Produced in partnership with the Regenerative Medicine Foundation, and filmed at the annual 2019 World Stem Cell Summit, this series illustrates how stem cell research will profoundly impact life on earth.]
Kira Peikoff was the editor-in-chief of Leaps.org from 2017 to 2021. As a journalist, her work has appeared in The New York Times, Newsweek, Nautilus, Popular Mechanics, The New York Academy of Sciences, and other outlets. She is also the author of four suspense novels that explore controversial issues arising from scientific innovation: Living Proof, No Time to Die, Die Again Tomorrow, and Mother Knows Best. Peikoff holds a B.A. in Journalism from New York University and an M.S. in Bioethics from Columbia University. She lives in New Jersey with her husband and two young sons. Follow her on Twitter @KiraPeikoff.
Elizabeth Holmes Through the Director’s Lens
Elizabeth Holmes.
"The Inventor," a chronicle of Theranos's storied downfall, premiered recently on HBO. Leapsmag reached out to director Alex Gibney, whom The New York Times has called "one of America's most successful and prolific documentary filmmakers," for his perspective on Elizabeth Holmes and the world she inhabited.
Do you think Elizabeth Holmes was a charismatic sociopath from the start — or is she someone who had good intentions, over-promised, and began the lies to keep her business afloat, a "fake it till you make it" entrepreneur like Thomas Edison?
I'm not qualified to say if EH was or is a sociopath. I don't think she started Theranos as a scam whose only purpose was to make money. If she had done so, she surely would have taken more money for herself along the way. I do think that she had good intentions and that she, as you say, "began the lies to keep her business afloat." ([Reporter John] Carreyrou's book points out that those lies began early.) I think that the Edison comparison is instructive for a lot of reasons.
First, Edison was the original "fake-it-till-you-make-it" entrepreneur. That puts this kind of behavior in the mainstream of American business. By saying that, I am NOT endorsing the ethic, just the opposite. As one Enron executive mused about the mendacity there, "Was it fraud or was it bad marketing?" That gives you a sense of how baked-in the "fake it" sensibility is.
"Having a thirst for fame and a noble cause enabled her to think it was OK to lie in service of those goals."
I think EH shares one other thing with Edison, which is a huge ego coupled with a talent for storytelling as long as she is the heroic, larger-than-life main character. It's interesting that EH calls her initial device "Edison." Edison was the world's most famous "inventor," both because of the devices that came out of his shop and and for his ability for "self-invention." As Randall Stross notes in "The Wizard of Menlo Park," he was the first celebrity businessman. In addition to her "good intentions," EH was certainly motivated by fame and glory and many of her lies were in service to those goals.
Having a thirst for fame and a noble cause enabled her to think it was OK to lie in service of those goals. That doesn't excuse the lies. But those noble goals may have allowed EH to excuse them for herself or, more perniciously, to make believe that they weren't lies at all. This is where we get into scary psychological territory.
But rather than thinking of it as freakish, I think it's more productive to think of it as an exaggeration of the way we all lie to others and to ourselves. That's the point of including the Dan Ariely experiment with the dice. In that experiment, most of the subjects cheated more when they thought they were doing it for a good cause. Even more disturbing, that "good cause" allowed them to lie much more effectively because they had come to believe they weren't doing anything wrong. As it turns out, economics isn't a rational practice; it's the practice of rationalizing.
Where EH and Edison differ is that Edison had a firm grip on reality. He knew he could find a way to make the incandescent lightbulb work. There is no evidence that EH was close to making her "Edison" work. But rather than face reality (and possibly adjust her goals) she pretended that her dream was real. That kind of "over-promising" or "bold vision" is one thing when you are making a prototype in the lab. It's a far more serious matter when you are using a deeply flawed system on real patients. EH can tell herself that she had to do that (Walgreens was ready to walk away if she hadn't "gone live") or else Theranos would have run out of money.
But look at the calculation she made: she thought it was worth putting lives at risk in order to make her dream come true. Now we're getting into the realm of the sociopath. But my experience leads me to believe that -- as in the case of the Milgram experiment -- most people don't do terrible things right away, they come to crimes gradually as they become more comfortable with bigger and bigger rationalizations. At Theranos, the more valuable the company became, the bigger grew the lies.
The two whistleblowers come across as courageous heroes, going up against the powerful and intimidating company. The contrast between their youth and lack of power and the old elite backers of Theronos is staggering, and yet justice triumphed. Were the whistleblowers hesitant or afraid to appear in the film, or were they eager to share their stories?
By the time I got to them, they were willing and eager to tell their stories, once I convinced them that I would honor their testimony. In the case of Erika and Tyler, they were nudged to participate by John Carreyrou, in whom they had enormous trust.
"It's simply crazy that no one demanded to see an objective demonstration of the magic box."
Why do you think so many elite veterans of politics and venture capitalism succumbed to Holmes' narrative in the first place, without checking into the details of its technology or financials?
The reasons are all in the film. First, Channing Robertson and many of the old men on her board were clearly charmed by her and maybe attracted to her. They may have rationalized their attraction by convincing themselves it was for a good cause! Second, as Dan Ariely tells us, we all respond to stories -- more than graphs and data -- because they stir us emotionally. EH was a great storyteller. Third, the story of her as a female inventor and entrepreneur in male-dominated Silicon Valley is a tale that they wanted to invest in.
There may have been other factors. EH was very clever about the way she put together an ensemble of credibility. How could Channing Robertson, George Shultz, Henry Kissinger and Jim Mattis all be wrong? And when Walgreens put the Wellness Centers in stores, investors like Rupert Murdoch assumed that Walgreens must have done its due diligence. But they hadn't!
It's simply crazy that no one demanded to see an objective demonstration of the magic box. But that blind faith, as it turns out, is more a part of capitalism than we have been taught.
Do you think that Roger Parloff deserves any blame for the glowing Fortune story on Theranos, since he appears in the film to blame himself? Or was he just one more victim of Theranos's fraud?
He put her on the cover of Fortune so he deserves some blame for the fraud. He still blames himself. That willingness to hold himself to account shows how seriously he takes the job of a journalist. Unlike Elizabeth, Roger has the honesty and moral integrity to admit that he made a mistake. He owned up to it and published a mea culpa. That said, Roger was also a victim because Elizabeth lied to him.
Do you think investors in Silicon Valley, with their FOMO attitudes and deep pockets, are vulnerable to making the same mistake again with a shiny new startup, or has this saga been a sober reminder to do their due diligence first?
Many of the mistakes made with Theranos were the same mistakes made with Enron. We must learn to recognize that we are, by nature, trusting souls. Knowing that should lead us to a guiding slogan: "trust but verify."
The irony of Holmes dancing to "I Can't Touch This" is almost too perfect. How did you find that footage?
It was leaked to us.
"Elizabeth Holmes is now famous for her fraud. Who better to host the re-boot of 'The Apprentice.'"
Holmes is facing up to 20 years in prison for federal fraud charges, but Vanity Fair recently reported that she is seeking redemption, taking meetings with filmmakers for a possible documentary to share her "real" story. What do you think will become of Holmes in the long run?
It's usually a mistake to handicap a trial. My guess is that she will be convicted and do some prison time. But maybe she can convince jurors -- the way she convinced journalists, her board, and her investors -- that, on account of her noble intentions, she deserves to be found not guilty. "Somewhere, over the rainbow…"
After the trial, and possibly prison, I'm sure that EH will use her supporters (like Tim Draper) to find a way to use the virtual currency of her celebrity to rebrand herself and launch something new. Fitzgerald famously said that "there are no second acts in American lives." That may be the stupidest thing he ever said.
Donald Trump failed at virtually every business he ever embarked on. But he became a celebrity for being a fake businessman and used that celebrity -- and phony expertise -- to become president of the United States. Elizabeth Holmes is now famous for her fraud. Who better to host the re-boot of "The Apprentice." And then?
"You Can't Touch This!"
Kira Peikoff was the editor-in-chief of Leaps.org from 2017 to 2021. As a journalist, her work has appeared in The New York Times, Newsweek, Nautilus, Popular Mechanics, The New York Academy of Sciences, and other outlets. She is also the author of four suspense novels that explore controversial issues arising from scientific innovation: Living Proof, No Time to Die, Die Again Tomorrow, and Mother Knows Best. Peikoff holds a B.A. in Journalism from New York University and an M.S. in Bioethics from Columbia University. She lives in New Jersey with her husband and two young sons. Follow her on Twitter @KiraPeikoff.