23andMe Hacked: Genetic Privacy and HIPAA

I’m about a month late to the initial revelation that 23andMe got hacked, but more has come out over the month. This is a big issue because a large part of the breach consisted of grabbing whole extended family trees, which often reveal a particular race or culture.

23andMe blimp (CC BY-SA 2.0 Deed John Murphy)

The hack was done via credential stuffing: basically, reusing username and password pairs leaked from other hacked sites in the hope that people used the same login here, which leads us to a technological privacy aspect. But as a whole, what seems different is the type of data taken, as our DNA is more private than most other hacked data.
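As an added defender-side example (not from the original post, and not 23andMe’s own code), here is detection logic run over constructed login log lines. It flags the pattern credential stuffing leaves behind, one source trying many different accounts with mostly failures, and lists the accounts that source did get into, which would then need forced password resets. The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of web-login log lines (not real data).
# Assumed format: "<ISO time> ip=<addr> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2023-10-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2023-10-01T10:00:02 ip=203.0.113.7 user=carol result=ok
2023-10-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2023-10-01T10:00:03 ip=203.0.113.7 user=erin result=fail
2023-10-01T10:00:04 ip=203.0.113.7 user=frank result=ok
2023-10-01T10:05:00 ip=198.51.100.2 user=alice result=fail
2023-10-01T10:05:30 ip=198.51.100.2 user=alice result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse_log(text):
    """Yield (ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "ok"


def find_stuffing_sources(text, min_users=5, max_success_rate=0.5):
    """Return {ip: sorted accounts that logged in successfully} for every
    source IP that tried at least min_users distinct usernames with a
    success rate at or below max_success_rate. A legitimate user retrying
    their own password (one username, eventual success) is not flagged."""
    attempts = defaultdict(list)
    for ip, user, ok in parse_log(text):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, rows in attempts.items():
        users = {u for u, _ in rows}
        successes = sum(1 for _, ok in rows if ok)
        if len(users) >= min_users and successes / len(rows) <= max_success_rate:
            flagged[ip] = sorted(u for u, ok in rows if ok)
    return flagged


if __name__ == "__main__":
    for ip, hit_accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: stuffing suspected; reset passwords for {hit_accounts}")
```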

I will summarize the story, and then look at four issues: general or technical privacy, genetic privacy and family relationships, non-HIPAA healthcare, and privacy as a one-way street.

News of the 23andMe Hack

Here is a news story from Reuters:

Genetics testing company 23andMe sent emails to several customers to inform them of a breach into the “DNA Relatives” feature that allowed them to compare ancestry information with users worldwide.

After a hacker advertised millions of “pieces of data” stolen from 23andMe on an online forum this month, the company had said it was working with federal law enforcement and forensic experts to investigate it.

In the new emails, a copy of which was seen by Reuters, 23andMe told customers there was a breach of one or more accounts connected to theirs through the “DNA Relatives” feature.

That feature allows users around the world to connect and share their personal data including relationship labels, ancestry reports, and matching DNA segments, location, birth year, and family names, among other things.

Another story noted that over 4 million users’ data was hacked.

General Privacy Concerns about the 23andMe Hack

A lot of these issues are ones that any online data can have. The actual method mirrored other kinds of data hacks.

The hack of the world’s top hacking company in 2020 reminded us how futile such online privacy is. Then I said: “This means nothing online can really be private if someone really wants to find it. Obviously, most of us won’t have this degree of hacking going in to find out all our activity. But, imagine an opposition leader under Putin or a Uighur leader in China, and how this loss of any possible privacy might negatively affect them. We should want some privacy even if we don’t think we will need it. At least basic privacy protections are a condition for achieving human flourishing. The constant erasure of privacy can be an obstacle to our flourishing.”

Genetic Privacy and Family Relationships

In my doctoral thesis on privacy, one thing I noted early among the principles was a difference between Catholic and secular limits on privacy. Catholicism tends to view the family as the basic unit of society, and so as the default limit for privacy, while the modern USA views the individual as the basic unit. The way familial genetics mirrors this reminds secular Western thinkers that perhaps a return to the family as something like the basic unit is good. This hack was specifically of the users who did not protect their data, and then of those who were connected to them via family relationships. This is an area privacy needs to be concerned about in our increasingly interconnected world.

The Issue of Non-HIPAA Healthcare

In the USA, your direct medical provider and your insurance company are regulated by HIPAA requiring relatively robust privacy, but direct-to-consumer products do not have the same requirement. HIPAA is not perfect but does protect our medical privacy if within official channels. Things like 23andMe are not covered under this, thus they will likely only suffer reputation damage, and not any fine or government-imposed restriction.

The most egregious case of this was FLO, which was a period tracking app that promised not to sell data, but was caught selling data to Facebook for better ad targeting. What was their punishment? Flo had to start an independent review of its privacy practices and obtain app users’ consent before sharing their health information. That’s all. Not even a slap on the wrist. 2.5 years after the FLO case, I am still surprised.

We should really consider some kind of privacy rules for these borderline-health companies like Flo or 23andMe. Maybe something like a HIPAA Jr., rather than a situation where there are no legal consequences for anti-privacy misbehavior.

Privacy: Once Lost, No Return

One final issue of privacy that genetic cases like 23andMe highlight is the idea that once lost, privacy can’t easily be regained. Thus, privacy laws need to tend towards far more robustness than the average person wants. Once one’s DNA is posted online, there is no realistic way to regain privacy over that. This one-way relationship emphasizes the need for stronger privacy regulations.
23andMe is one of many privacy breaches that have recently come about. I think genetic privacy is a particularly serious area here where we need to be extra careful, but privacy regulation is particularly poor for non-HIPAA healthcare. Genetic privacy also reminds us that the family is the basic unit of society and how privacy cannot be regained once lost. Let’s work for more ethical privacy regulation.
