Bad Actors Getting Your Health Data Is the FBI’s Latest Worry
A hacker activating a 3D rendering of DNA data.
In February 2015, the health insurer Anthem revealed that criminal hackers had gained access to the company's servers, exposing the personal information of nearly 79 million patients. It's the largest known healthcare breach in history.
FBI agents worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks.
That year, the data of millions more would be compromised in one cyberattack after another on American insurers and other healthcare organizations. In fact, for the past several years, the number of reported data breaches has increased each year, from 199 in 2010 to 344 in 2017, according to a September 2018 analysis in the Journal of the American Medical Association.
The FBI's Edward You sees this as a worrying trend. He says hackers aren't just interested in your social security or credit card number. They're increasingly interested in stealing your medical information. Hackers can currently use this information to make fake identities, file fraudulent insurance claims, and order and sell expensive drugs and medical equipment. But beyond that, a new kind of cybersecurity threat is around the corner.
Mr. You and others worry that the vast amounts of healthcare data being generated for precision medicine efforts could leave the U.S. vulnerable to cyber and biological attacks. In the wrong hands, this data could be used to exploit or extort an individual, discriminate against certain groups of people, make targeted bioweapons, or give another country an economic advantage.
Precision medicine, of course, is the idea that medical treatments can be tailored to individuals based on their genetics, environment, lifestyle or other traits. But to do that requires collecting and analyzing huge quantities of health data from diverse populations. One research effort, called All of Us, launched by the U.S. National Institutes of Health last year, aims to collect genomic and other healthcare data from one million participants with the goal of advancing personalized medical care.
Other initiatives are underway by academic institutions and healthcare organizations. Electronic medical records, genetic tests, wearable health trackers, mobile apps, and social media are all sources of valuable healthcare data that a bad actor could potentially use to learn more about an individual or group of people.
"When you aggregate all of that data together, that becomes a very powerful profile of who you are," Mr. You says.
A supervisory special agent in the biological countermeasures unit within the FBI's weapons of mass destruction directorate, it's Mr. You's job to imagine worst-case bioterror scenarios and figure out how to prevent and prepare for them.
That used to mean focusing on threats like anthrax, Ebola, and smallpox—pathogens that could be used to intentionally infect people—"basically the dangerous bugs," as he puts it. In recent years, advances in gene editing and synthetic biology have given rise to fears that rogue, or even well-intentioned, scientists could create a virulent virus that's intentionally, or unintentionally, released outside the lab.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that."
While Mr. You is still tracking those threats, he's been traveling around the country talking to scientists, lawyers, software engineers, cyber security professionals, government officials and CEOs about new security threats—those posed by genetic and other biological data.
Emerging threats
Mr. You says one possible situation he can imagine is the potential for nefarious actors to use an individual's sensitive medical information to extort or blackmail that person.
"If a foreign source, especially a criminal one, has your biological information, then they might have some particular insights into what your future medical needs might be and exploit that," he says. For instance, "what happens if you have a singular medical condition and an outside entity says they have a treatment for your condition?" You could get talked into paying a huge sum of money for a treatment that ends up being bogus.
Or what if hackers got a hold of a politician or high-profile CEO's health records? Say that person had a disease-causing genetic mutation that could affect their ability to carry out their job in the future and hackers threatened to expose that information. These scenarios may seem far-fetched, but Mr. You thinks they're becoming increasingly plausible.
On a wider scale, Kavita Berger, a scientist at Gryphon Scientific, a Washington, D.C.-area life sciences consulting firm, worries that data from different populations could be used to discriminate against certain groups of people, like minorities and immigrants.
For instance, the advocacy group Human Rights Watch in 2017 flagged a concerning trend in China's Xinjiang territory, a region with a history of government repression. Police there had purchased 12 DNA sequencers and were collecting and cataloging DNA samples from people to build a national database.
"The concern is that this particular province has a huge population of the Muslim minority in China," Ms. Berger says. "Now they have a really huge database of genetic sequences. You have to ask, why does a police station need 12 next-generation sequencers?"
Also alarming is the potential that large amounts of data from different groups of people could lead to customized bioweapons if that data ends up in the wrong hands.
Eleonore Pauwels, a research fellow on emerging cybertechnologies at United Nations University's Centre for Policy Research, says new insights gained from genomic and other data will give scientists a better understanding of how diseases occur and why certain people are more susceptible to certain diseases.
"As you get more and more knowledge about the genomic picture and how the microbiome and the immune system of different populations function, you could get a much deeper understanding about how you could target different populations for treatment but also how you could eventually target them with different forms of bioagents," Ms. Pauwels says.
Economic competitiveness
Another reason hackers might want to gain access to large genomic and other healthcare datasets is to give their country a leg up economically. Many large cyber-attacks on U.S. healthcare organizations have been tied to Chinese hacking groups.
"This is a biological space race and we just haven't woken up to the fact that we're in this race."
"It's becoming clear that China is increasingly interested in getting access to massive data sets that come from different countries," Ms. Pauwels says.
A year after U.S. President Barack Obama conceived of the Precision Medicine Initiative in 2015—later renamed All of Us—China followed suit, announcing the launch of a 15-year, $9 billion precision health effort aimed at turning China into a global leader in genomics.
Chinese genomics companies, too, are expanding their reach outside of Asia. One company, WuXi NextCODE, which has offices in Shanghai, Reykjavik, and Cambridge, Massachusetts, has built an extensive library of genomes from the U.S., China and Iceland, and is now setting its sights on Ireland.
Another Chinese company, BGI, has partnered with Children's Hospital of Philadelphia and Sinai Health System in Toronto, and also formed a collaboration with the Smithsonian Institute to sequence all species on the planet. BGI has built its own advanced genomic sequencing machines to compete with U.S.-based Illumina.
Mr. You says having access to all this data could lead to major breakthroughs in healthcare, such as new blockbuster drugs. "Whoever has the largest, most diverse dataset is truly going to win the day and come up with something very profitable," he says.
Some direct-to-consumer genetic testing companies with offices in the U.S., like Dante Labs, also use BGI to process customers' DNA.
Experts worry that China could race ahead the U.S. in precision medicine because of Chinese laws governing data sharing. Currently, China prohibits the exportation of genetic data without explicit permission from the government. Mr. You says this creates an asymmetry in data sharing between the U.S. and China.
"This is a biological space race and we just haven't woken up to the fact that we're in this race," he said in January at an American Society for Microbiology conference in Washington, D.C. "We don't have access to their data. There is absolutely no reciprocity."
Protecting your data
While Mr. You has been stressing the importance of data security to anyone who will listen, the National Academies of Sciences, Engineering, and Medicine, which makes scientific and policy recommendations on issues of national importance, has commissioned a study on "safeguarding the bioeconomy."
In the meantime, Ms. Berger says organizations that deal with people's health data should assess their security risks and identify potential vulnerabilities in their systems.
As for what individuals can do to protect themselves, she urges people to think about the different ways they're sharing healthcare data—such as via mobile health apps and wearables.
"Ask yourself, what's the benefit of sharing this? What are the potential consequences of sharing this?" she says.
Mr. You also cautions people to think twice before taking consumer DNA tests. They may seem harmless, he says, but at the end of the day, most people don't know where their genetic information is going. "If your genetic sequence is taken, once it's gone, it's gone. There's nothing you can do about it."
Breakthrough therapies are breaking patients' banks. Key changes could improve access, experts say.
Single-treatment therapies are revolutionizing medicine. But insurers and patients wonder whether they can afford treatment and, if they can, whether the high costs are worthwhile.
CSL Behring’s new gene therapy for hemophilia, Hemgenix, costs $3.5 million for one treatment, but helps the body create substances that allow blood to clot. It appears to be a cure, eliminating the need for other treatments for many years at least.
Likewise, Novartis’s Kymriah mobilizes the body’s immune system to fight B-cell lymphoma, but at a cost $475,000. For patients who respond, it seems to offer years of life without the cancer progressing.
These single-treatment therapies are at the forefront of a new, bold era of medicine. Unfortunately, they also come with new, bold prices that leave insurers and patients wondering whether they can afford treatment and, if they can, whether the high costs are worthwhile.
“Most pharmaceutical leaders are there to improve and save people’s lives,” says Jeremy Levin, chairman and CEO of Ovid Therapeutics, and immediate past chairman of the Biotechnology Innovation Organization. If the therapeutics they develop are too expensive for payers to authorize, patients aren’t helped.
“The right to receive care and the right of pharmaceuticals developers to profit should never be at odds,” Levin stresses. And yet, sometimes they are.
Leigh Turner, executive director of the bioethics program, University of California, Irvine, notes this same tension between drug developers that are “seeking to maximize profits by charging as much as the market will bear for cell and gene therapy products and other medical interventions, and payers trying to control costs while also attempting to provide access to medical products with promising safety and efficacy profiles.”
Why Payers Balk
Health insurers can become skittish around extremely high prices, yet these therapies often accompany significant overall savings. For perspective, the estimated annual treatment cost for hemophilia exceeds $300,000. With Hemgenix, payers would break even after about 12 years.
But, in 12 years, will the patient still have that insurer? Therein lies the rub. U.S. payers, are used to a “pay-as-you-go” model, in which the lifetime costs of therapies typically are shared by multiple payers over many years, as patients change jobs. Single treatment therapeutics eliminate that cost-sharing ability.
"As long as formularies are based on profits to middlemen…Americans’ healthcare costs will continue to skyrocket,” says Patricia Goldsmith, the CEO of CancerCare.
“There is a phenomenally complex, bureaucratic reimbursement system that has grown, layer upon layer, during several decades,” Levin says. As medicine has innovated, payment systems haven’t kept up.
Therefore, biopharma companies begin working with insurance companies and their pharmacy benefit managers (PBMs), which act on an insurer’s behalf to decide which drugs to cover and by how much, early in the drug approval process. Their goal is to make sophisticated new drugs available while still earning a return on their investment.
New Payment Models
Pay-for-performance is one increasingly popular strategy, Turner says. “These models typically link payments to evidence generation and clinically significant outcomes.”
A biotech company called bluebird bio, for example, offers value-based pricing for Zynteglo, a $2.8 million possible cure for the rare blood disorder known as beta thalassaemia. It generally eliminates patients’ need for blood transfusions. The company is so sure it works that it will refund 80 percent of the cost of the therapy if patients need blood transfusions related to that condition within five years of being treated with Zynteglo.
In his February 2023 State of the Union speech, President Biden proposed three pilot programs to reduce drug costs. One of them, the Cell and Gene Therapy Access Model calls on the federal Centers for Medicare & Medicaid Services to establish outcomes-based agreements with manufacturers for certain cell and gene therapies.
A mortgage-style payment system is another, albeit rare, approach. Amortized payments spread the cost of treatments over decades, and let people change employers without losing their healthcare benefits.
Only about 14 percent of all drugs that enter clinical trials are approved by the FDA. Pharma companies, therefore, have an exigent need to earn a profit.
The new payment models that are being discussed aren’t solutions to high prices, says Bill Kramer, senior advisor for health policy at Purchaser Business Group on Health (PBGH), a nonprofit that seeks to lower health care costs. He points out that innovative pricing models, although well-intended, may distract from the real problem of high prices. They are attempts to “soften the blow. The best thing would be to charge a reasonable price to begin with,” he says.
Instead, he proposes making better use of research on cost and clinical effectiveness. The Institute for Clinical and Economic Review (ICER) conducts such research in the U.S., determining whether the benefits of specific drugs justify their proposed prices. ICER is an independent non-profit research institute. Its reports typically assess the degrees of improvement new therapies offer and suggest prices that would reflect that. “Publicizing that data is very important,” Kramer says. “Their results aren’t used to the extent they could and should be.” Pharmaceutical companies tend to price their therapies higher than ICER’s recommendations.
Drug Development Costs Soar
Drug developers have long pointed to the onerous costs of drug development as a reason for high prices.
A 2020 study found the average cost to bring a drug to market exceeded $1.1 billion, while other studies have estimated overall costs as high as $2.6 billion. The development timeframe is about 10 years. That’s because modern therapeutics target precise mechanisms to create better outcomes, but also have high failure rates. Only about 14 percent of all drugs that enter clinical trials are approved by the FDA. Pharma companies, therefore, have an exigent need to earn a profit.
Skewed Incentives Increase Costs
Pricing isn’t solely at the discretion of pharma companies, though. “What patients end up paying has much more to do with their PBMs than the actual price of the drug,” Patricia Goldsmith, CEO, CancerCare, says. Transparency is vital.
PBMs control patients’ access to therapies at three levels, through price negotiations, pricing tiers and pharmacy management.
When negotiating with drug manufacturers, Goldsmith says, “PBMs exchange a preferred spot on a formulary (the insurer’s or healthcare provider’s list of acceptable drugs) for cash-base rebates.” Unfortunately, 25 percent of the time, those rebates are not passed to insurers, according to the PBGH report.
Then, PBMs use pricing tiers to steer patients and physicians to certain drugs. For example, Kramer says, “Sometimes PBMs put a high-cost brand name drug in a preferred tier and a lower-cost competitor in a less preferred, higher-cost tier.” As the PBGH report elaborates, “(PBMs) are incentivized to include the highest-priced drugs…since both manufacturing rebates, as well as the administrative fees they charge…are calculated as a percentage of the drug’s price.
Finally, by steering patients to certain pharmacies, PBMs coordinate patients’ access to treatments, control patients’ out-of-pocket costs and receive management fees from the pharmacies.
Therefore, Goldsmith says, “As long as formularies are based on profits to middlemen…Americans’ healthcare costs will continue to skyrocket.”
Transparency into drug pricing will help curb costs, as will new payment strategies. What will make the most impact, however, may well be the development of a new reimbursement system designed to handle dramatic, breakthrough drugs. As Kramer says, “We need a better system to identify drugs that offer dramatic improvements in clinical care.”
In today's podcast episode, law professor Gaia Bernstein talks about the challenges of keeping control over our thoughts and actions, even when some powerful forces are pushing in the other direction.
Each afternoon, kids walk through my neighborhood, on their way back home from school, and almost all of them are walking alone, staring down at their phones. It's a troubling site. This daily parade of the zombie children just can’t bode well for the future.
That’s one reason I felt like Gaia Bernstein’s new book was talking directly to me. A law professor at Seton Hall, Gaia makes a strong argument that people are so addicted to tech at this point, we need some big, system level changes to social media platforms and other addictive technologies, instead of just blaming the individual and expecting them to fix these issues.
Gaia’s book is called Unwired: Gaining Control Over Addictive Technologies. It’s fascinating and I had a chance to talk with her about it for today’s podcast. At its heart, our conversation is really about how and whether we can maintain control over our thoughts and actions, even when some powerful forces are pushing in the other direction.
Listen on Apple | Listen on Spotify | Listen on Stitcher | Listen on Amazon | Listen on Google
We discuss the idea that, in certain situations, maybe it's not reasonable to expect that we’ll be able to enjoy personal freedom and autonomy. We also talk about how to be a good parent when it sometimes seems like our kids prefer to be raised by their iPads; so-called educational video games that actually don’t have anything to do with education; the root causes of tech addictions for people of all ages; and what kinds of changes we should be supporting.
Gaia is Seton’s Hall’s Technology, Privacy and Policy Professor of Law, as well as Co-Director of the Institute for Privacy Protection, and Co-Director of the Gibbons Institute of Law Science and Technology. She’s the founding director of the Institute for Privacy Protection. She created and spearheaded the Institute’s nationally recognized Outreach Program, which educated parents and students about technology overuse and privacy.
Professor Bernstein's scholarship has been published in leading law reviews including the law reviews of Vanderbilt, Boston College, Boston University, and U.C. Davis. Her work has been selected to the Stanford-Yale Junior Faculty Forum and received extensive media coverage. Gaia joined Seton Hall's faculty in 2004. Before that, she was a fellow at the Engelberg Center of Innovation Law & Policy and at the Information Law Institute of the New York University School of Law. She holds a J.S.D. from the New York University School of Law, an LL.M. from Harvard Law School, and a J.D. from Boston University.
Gaia’s work on this topic is groundbreaking I hope you’ll listen to the conversation and then consider pre-ordering her new book. It comes out on March 28.
