Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
The largest ever seizure of fentanyl in the United States – 254 pounds of the white powder, enough to kill 1 in 3 Americans by overdose – was found under a shipment of cucumbers recently.
A policing approach alone is insufficient to take on the opioid crisis.
Those types of stories barely make the headlines any more, in part because illicit drugs are no longer just handsold by drug dealers; these sales have gone online. The neighborhood dealer faces the same evolving environment as other retailers and may soon go the way of Sears.
But opioids themselves are not going away. I could make an opioid purchase online in about 30 seconds and have it sent to my door, says Joe Smyser. The epidemiologist and president of The Public Good Projects isn't bragging, he's simply stating a fact about the opioid crisis that has struck the United States. The U.S Drug Enforcement Agency, social media companies, and some foreign governments have undertaken massive efforts to shut down sites selling illegal drugs, and they have gotten very good at it, shuttering most within a day of their opening.
But it's a Whac-A-Mole situation in which new ones pop up as quickly as older ones are closed; they are promoted through hashtags, social media networks, and ubiquitous email spam to lure visitors to a website or call a WhatsApp number to make a purchase. The online disruption by law enforcement has become simply another cost of doing business for drug sellers. Fentanyl, and similar analogues created to evade detection and the law, are at the center of it. Small amounts can be mixed with other "safer" opioids to get a high, and the growth of online sales have all contributed to the surge of opioid-related deaths: about 17,500 in 2006; 47,600 in 2017; and a projected 82,000 a year by 2025.
All of this has occurred even while authorities have been cracking down on the prescribing of opioids, and prescription-related deaths have declined. Clearly a policing approach alone is insufficient to take on the opioid crisis.
Building the Tools
The Public Good Projects (PGP), a nonprofit organization founded by concerned experts, was set up to better understand public health issues in this new online environment and better shape responses. The first step is to understand what people are hearing and the language they are using by monitoring social media and other forms of public communications. "We're collecting data from every publicly available media source that we can get our hands on. It's broadcast television data, it's radio, it's print newspapers and magazines. And then it's online data; it's online video, social media, blogs, websites," Smyser explains.
The purpose was to better understand the opioid crisis and find out if there were differences between affected rural and urban populations.
"Then our job is to create queries, create searches of all of that data so that we find what is the information that Americans are exposed to about a topic, and then what … Americans [are] sharing amongst themselves about that same topic."
He says it's the same thing business has been doing for years to monitor their "brand health" and be prepared for possible negative issues that might arise about their products and services. He believes PGP is the first group to use those tools for public health.
Looking At Opioids
PGP's work on opioids started with a contract from the Substance Abuse and Mental Health Administration (SAMHSA) through the National Science Foundation. The purpose was simply to better understand the opioid crisis in the United States and in particular find out if there were differences between affected rural and urban populations. A team of data scientists, public health professionals, and cultural anthropologists needed several months to sort out and organize the algorithms from the sheer volume of data.
Drug use is particularly rich in slang, where a specific drug or way of using it can be referred to in multiple ways in different towns and social groups. Traditional media often uses clinical terms, Twitter shorthand, and all of that has to be structured and integrated "so that it isn't just spitting out data that is gobbledygook and of no use to anyone," says Smyser.
The data they gather is both cumulative and in real time, tabulated and visually represented in constantly morphing hashtag and word clouds where the color and size of the word indicates the source and volume of its use.
Popular hashtags on Twitter relating to the opioid crisis.
(Credit: The Public Good Projects)
The visual presentation of data helps to understand what different groups are saying and how they are saying it. For example, compare the hashtag and word clouds. Younger people are more likely to use the hashtags of Twitter, while older people are more likely to use older forms of media, and that is reflected in their concerns and language in those clouds.
Popular words relating to the opioid crisis gathered from older forms of media.
(Credit: The Public Good Projects)
A Ping map shows the origin of messages, while a Spidey map shows the network of how messages are being forwarded and shared among people. These sets of data can be overlaid with zip code, census, and socioeconomic data to provide an even deeper sense of who is saying what. And when integrated together, they provide clues to topics and language that might best engage people in each niche.
A Ping map showing the origin of messages around the opioid crisis.
(Credit: The Public Good Projects)
Opioids Speak
One thing that quickly became apparent to PGP in monitoring the media is that "over half of the information that the American public is exposed to about opioids is a very distant policy debate," says Smyser.
It is political pronouncements in DC, the legal system going after pharmaceutical companies that promoted prescription opioids for pain relief (and more), or mandatory prison terms for offenders. Relatively little is about treatment, the impact on families and communities, and what people can do themselves. That is particularly important in light of another key finding: residents of "Trump-land," the rural areas that supported the president and are being ravaged by opioids, talk about the problem and solutions very differently from urban areas.
"In rural communities there is usually a huge emphasis on self-reliance, and we take care of each other; that's why we enjoy living here. We are a neighborhood, we come together and we fix our own problems," according to Smyser.
In contrast, urban communities tend to be more transient, less likely to live in multigenerational households and neighborhoods, and look to formal institutions rather than themselves for solutions. "The message that we're sending people is one where there is really no role whatsoever for self-efficacy...we're giving them nothing to do" to help solve the problem themselves, says Smyser. "In fact, I could argue it is reducing self-efficacy."
Residents of "Trump-land," the rural areas that supported the president and are being ravaged by opioids, talk about the problem and solutions very differently from urban areas.
The opioid crisis is complex and improving the situation will be too. Smyser believes a top-down policing approach alone will not work; it is better to provide front-line public health officers at the state and local level with more and current intelligence so they can respond in their communities.
"I think that would be enormously impactful. But right now, we just don't have that service." SAMHSA declined multiple requests to discuss this project paid for with federal money. A spokesman concluded with: "That project occurred under the previous administration, and we did not have a direct relationship with PGP. As a result, I am unable to comment on the project."
The Milken Institute Center for Public Health, a think tank that is working to find solutions to the opioid epidemic, had an upbeat response. Director Sabrina Spitaletta said, "PGP's work to provide real-time data that monitors topics of high concern in public health has been very helpful to many of the front-line organizations working to combat this crisis."
Can You Trust Your Gut for Food Advice?
I recently got on the scale to weigh myself, thinking I've got to eat better. With so many trendy diets today claiming to improve health, from Keto to Paleo to Whole30, it can be confusing to figure out what we should and shouldn't eat for optimal nutrition.
A number of companies are now selling the concept of "personalized" nutrition based on the genetic makeup of your individual gut bugs.
My next thought was: I've got to lose a few pounds.
Consider a weird factoid: In addition to my fat, skin, bone and muscle, I'm carrying around two or three pounds of straight-up bacteria. Like you, I am the host to trillions of micro-organisms that live in my gut and are collectively known as my microbiome. An explosion of research has occurred in the last decade to try to understand exactly how these microbial populations, which are unique to each of us, may influence our overall health and potentially even our brains and behavior.
Lots of mysteries still remain, but it is established that these "bugs" are crucial to keeping our body running smoothly, performing functions like stimulating the immune system, synthesizing important vitamins, and aiding digestion. The field of microbiome science is evolving rapidly, and a number of companies are now selling the concept of "personalized" nutrition based on the genetic makeup of your individual gut bugs. The two leading players are Viome and DayTwo, but the landscape includes the newly launched startup Onegevity Health and others like Thryve, which offers customized probiotic supplements in addition to dietary recommendations.
The idea has immediate appeal – if science could tell you exactly what to make for lunch and what to avoid, you could forget about the fad diets and go with your own bespoke food pyramid. Wondering if the promise might be too good to be true, I decided to perform my own experiment.
Last fall, I sent the identical fecal sample to both Viome (I paid $425, but the price has since dropped to $299) and DayTwo ($349). A couple of months later, both reports finally arrived, and I eagerly opened each app to compare their recommendations.
First, I examined my results from Viome, which was founded in 2016 in Cupertino, Calif., and declares without irony on its website that "conflicting food advice is now obsolete."
I learned I have "average" metabolic fitness and "average" inflammatory activity in my gut, which are scores that the company defines based on a proprietary algorithm. But I have "low" microbial richness, with only 62 active species of bacteria identified in my sample, compared with the mean of 157 in their test population. I also received a list of the specific species in my gut, with names like Lactococcus and Romboutsia.
But none of it meant anything to me without actionable food advice, so I clicked through to the Recommendations page and found a list of My Superfoods (cranberry, garlic, kale, salmon, turmeric, watermelon, and bone broth) and My Foods to Avoid (chickpeas, kombucha, lentils, and rice noodles). There was also a searchable database of many foods that had been categorized for me, like "bell pepper; minimize" and "beef; enjoy."
"I just don't think sufficient data is yet available to make reliable personalized dietary recommendations based on one's microbiome."
Next, I looked at my results from DayTwo, which was founded in 2015 from research out of the Weizmann Institute of Science in Israel, and whose pitch to consumers is, "Blood sugar made easy. The algorithm diet personalized to you."
This app had some notable differences. There was no result about my metabolic fitness, microbial richness, or list of the species in my sample. There was also no list of superfoods or foods to avoid. Instead, the app encouraged me to build a meal by searching for foods in their database and combining them in beneficial ways for my blood sugar. Two slices of whole wheat bread received a score of 2.7 out of 10 ("Avoid"), but if combined with one cup of large curd cottage cheese, the score improved to 6.8 ("Limit"), and if I added two hard-boiled eggs, the score went up to 7.5 ("Good").
Perusing my list of foods with "Excellent" scores, I noticed some troubling conflicts with the other app. Lentils, which had been a no-no according to Viome, received high marks from DayTwo. Ditto for Kombucha. My purported superfood of cranberry received low marks. Almonds got an almost perfect score (9.7) while Viome told me to minimize them. I found similarly contradictory advice for foods I regularly eat, including navel oranges, peanuts, pork, and beets.
Contradictory dietary guidance that Kira Peikoff received from Viome (left) and DayTwo from an identical sample.
To be sure, there was some overlap. Both apps agreed on rice noodles (bad), chickpeas (bad), honey (bad), carrots (good), and avocado (good), among other foods.
But still, I was left scratching my head. Which set of recommendations should I trust, if either? And what did my results mean for the accuracy of this nascent field?
I called a couple of experts to find out.
"I have worked on the microbiome and nutrition for the last 20 years and I would be absolutely incapable of finding you evidence in the scientific literature that lentils have a detrimental effect based on the microbiome," said Dr. Jens Walter, an Associate Professor and chair for Nutrition, Microbes, and Gastrointestinal Health at the University of Alberta. "I just don't think sufficient data is yet available to make reliable personalized dietary recommendations based on one's microbiome. And even if they would have proprietary algorithms, at least one of them is not doing it right."
There is definite potential for personalized nutrition based on the microbiome, he said, but first, predictive models must be built and standardized, then linked to clinical endpoints, and tested in a large sample of healthy volunteers in order to enable extrapolations for the general population.
"It is mindboggling what you would need to do to make this work," he observed. "There are probably hundreds of relevant dietary compounds, then the microbiome has at least a hundred relevant species with a hundred or more relevant genes each, then you'd have to put all this together with relevant clinical outcomes. And there's a hundred-fold variation in that information between individuals."
However, Walter did acknowledge that the companies might be basing their algorithms on proprietary data that could potentially connect all the dots. I reached out to them to find out.
Amir Golan, the Chief Commercial Officer of DayTwo, told me, "It's important to emphasize this is a prediction, as the microbiome field is in a very early stage of research." But he added, "I believe we are the only company that has very solid science published in top journals and we can bring very actionable evidence and benefit to our uses."
He was referring to pioneering work out of the Weizmann Institute that was published in 2015 in the journal Cell, which logged the glycemic responses of 800 people in response to nearly 50,000 meals; adding information about the subjects' microbiomes enabled more accurate glycemic response predictions. Since then, Golan said, additional trials have been conducted, most recently with the Mayo Clinic, to duplicate the results, and other studies are ongoing whose results have not yet been published.
He also pointed out that the microbiome was merely one component that goes into building a client's profile, in addition to medical records, including blood glucose levels. (I provided my HbA1c levels, a measure of average blood sugar over the previous several months.)
"We are not saying we want to improve your gut microbiome. We provide a dynamic tool to help guide what you should eat to control your blood sugar and think about combinations," he said. "If you eat one thing, or with another, it will affect you in a different way."
Viome acknowledged that the two companies are taking very different approaches.
"DayTwo is primarily focused on the glycemic response," Naveen Jain, the CEO, told me. "If you can only eat butter for rest of your life, you will have no glycemic response but will probably die of a heart attack." He laughed. "Whereas we came from very different angle – what is happening inside the gut at a microbial level? When you eat food like spinach, how will that be metabolized in the gut? Will it produce the nutrients you need or cause inflammation?"
He said his team studied 1000 people who were on continuous glucose monitoring and fed them 45,000 meals, then built a proprietary data prediction model, looking at which microbes existed and how they actively broke down the food.
Jain pointed out that DayTwo sequences the DNA of the microbes, while Viome sequences the RNA – the active expression of DNA. That difference, in his opinion, is key to making accurate predictions.
"DNA is extremely stable, so when you eat any food and measure the DNA [in a fecal sample], you get all these false positives--you get DNA from plant food and meat, and you have no idea if those organisms are dead and simply transient, or actually exist. With RNA, you see what is actually alive in the gut."
More contradictory food advice from Viome (left) and DayTwo.
Note that controversy exists over how it is possible with a fecal sample to effectively measure RNA, which degrades within minutes, though Jain said that his company has the technology to keep RNA stable for fourteen days.
Viome's approach, Jain maintains, is 90 percent accurate, based on as-yet unpublished data; a patent was filed just last week. DayTwo's approach is 66 percent accurate according to the latest published research.
Natasha Haskey, a registered dietician and doctoral student conducting research in the field of microbiome science and nutrition, is skeptical of both companies. "We can make broad statements, like eat more fruits and vegetables and fiber, but when it comes to specific foods, the science is just not there yet," she said. "I think there is a future, and we will be doing that someday, but not yet. Maybe we will be closer in ten years."
Professor Walter wholeheartedly agrees with Haskey, and suggested that if people want to eat a gut-healthy diet, they should focus on beneficial oils, fruits and vegetables, fish, a variety of whole grains, poultry and beans, and limit red meat and cheese, as well as avoid processed meats.
"These services are far over the tips of their science skis," Arthur Caplan, the founding head of New York University's Division of Medical Ethics, said in an email. "We simply don't know enough about the gut microbiome, its fluctuations and variability from person to person to support general [direct-to-consumer] testing. This is simply premature. We need standards for accuracy, specificity, and sensitivity, plus mandatory competent counseling for all such testing. They don't exist. Neither should DTC testing—yet."
Meanwhile, it's time for lunch. I close out my Viome and DayTwo apps and head to the kitchen to prepare a peanut butter sandwich. My gut tells me I'll be just fine.
Kira Peikoff was the editor-in-chief of Leaps.org from 2017 to 2021. As a journalist, her work has appeared in The New York Times, Newsweek, Nautilus, Popular Mechanics, The New York Academy of Sciences, and other outlets. She is also the author of four suspense novels that explore controversial issues arising from scientific innovation: Living Proof, No Time to Die, Die Again Tomorrow, and Mother Knows Best. Peikoff holds a B.A. in Journalism from New York University and an M.S. in Bioethics from Columbia University. She lives in New Jersey with her husband and two young sons. Follow her on Twitter @KiraPeikoff.