Senate HELP Committee Senator Demands Answers from 23andMe about Data Breach
Earlier this month, the direct-to-consumer genetic testing company 23andMe issued a security alert after the genetic ancestry information of its customers was stolen and listed for sale on hacking forums. A high-ranking member of the Senate Committee on Health, Education, Labor, and Pensions is demanding answers as to how such large-scale data theft was possible and what data protection measures 23andMe had in place.
According to 23andMe, its investigation into the security breach found no evidence that its systems were compromised, and it concluded that the data was stolen in a credential stuffing attack. Credential stuffing involves taking usernames and passwords stolen in a breach on one platform and replaying them, usually with automated tooling, against the login page of another platform. These attacks succeed when users reuse the same username and password on multiple platforms and the target does not require a second factor or rate-limit the automated login attempts.
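Credential stuffing leaves a recognisable trace in authentication logs: one source tries many different usernames, roughly once each, and most of the attempts fail. The detector below, an added example that is not part of the HIPAA Journal article and not 23andMe's code, runs that heuristic over a constructed sample log. The log line format, the three thresholds, and the per-IP grouping are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (not real 23andMe data): one line per login attempt.
# 203.0.113.7 replays leaked credentials against eight different accounts,
# 198.51.100.4 is a normal user who mistypes a password twice, and
# 192.0.2.9 hammers a single account (password brute force, not stuffing).
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.7 user=alice result=FAIL
2023-10-01T12:00:01Z ip=203.0.113.7 user=bob result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.7 user=carol result=OK
2023-10-01T12:00:02Z ip=203.0.113.7 user=dan result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.7 user=eve result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.7 user=frank result=OK
2023-10-01T12:00:04Z ip=203.0.113.7 user=grace result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.7 user=heidi result=FAIL
2023-10-01T12:00:10Z ip=198.51.100.4 user=ivan result=FAIL
2023-10-01T12:00:15Z ip=198.51.100.4 user=ivan result=FAIL
2023-10-01T12:00:20Z ip=198.51.100.4 user=ivan result=OK
2023-10-01T12:01:00Z ip=192.0.2.9 user=judy result=FAIL
2023-10-01T12:01:01Z ip=192.0.2.9 user=judy result=FAIL
2023-10-01T12:01:02Z ip=192.0.2.9 user=judy result=FAIL
2023-10-01T12:01:03Z ip=192.0.2.9 user=judy result=FAIL
2023-10-01T12:01:04Z ip=192.0.2.9 user=judy result=FAIL
2023-10-01T12:01:05Z ip=192.0.2.9 user=judy result=FAIL
"""

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_credential_stuffing(events, min_attempts=5, min_distinct_users=4,
                               min_fail_rate=0.5):
    """Return {ip: summary} for sources whose pattern looks like credential stuffing.

    The distinguishing signal is breadth, not depth: many distinct usernames from
    one source with a high failure rate. A single account hit many times is a
    password brute force and is deliberately not flagged here.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                  "users": set(), "ok_users": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(ev["user"])  # a success from a stuffing source = takeover

    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and fail_rate >= min_fail_rate):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_rate": round(fail_rate, 2),
                "took_over": sorted(s["ok_users"]),
            }
    return flagged


def run_sample():
    """Run the detector over the constructed log and return the flagged sources."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, summary in run_sample().items():
        print(ip, summary)
```

On the sample, only 203.0.113.7 is flagged, and its `took_over` list (`carol`, `frank`) is the set of accounts whose reused passwords worked, which is exactly the list that needs forced password resets and session revocation. Real campaigns spread attempts across proxy pools, so a production rule should also group by ASN, device fingerprint or credential source, and watch the site-wide failure rate; per-IP counting alone is easy to evade.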
A credential stuffing attack suggests users of the platform are at fault for the exposure of their data due to poor password practices; however, that has not prevented multiple lawsuits from being filed alleging 23andMe was at fault. More than a dozen class action lawsuits have now been filed against 23andMe over the data exposure and seek damages and court orders compelling 23andMe to improve data security practices. The lawsuits raise the question of whether 23andMe should have done more to protect user information.
The scale of the data breach and the highly sensitive nature of the stolen data are a big cause of concern. 1.3 million users of the platform had some of their sensitive information scraped from the site and that information has been offered for sale on the dark web, including highly sensitive information about genetic ancestry. One dataset offered for sale claims to include “Ashkenazi DNA Data of Celebrities.” The recent events in Israel-Gaza, which have drawn in more than 50 hacktivist groups so far according to an analysis by security researcher Jeremiah Fowler and Website Planet, emphasize the potential for harm from the sale of that information. As one commentator on the listing pointed out, “Crazy, this could be used by Nazis.”
Sen. Bill Richards (R-LA) wrote to 23andMe CEO Anne Wojcicki to express his “significant concern” about the data breach, the highly sensitive nature of the stolen data, and the potential for harm. “Your company’s own website describes the potential negative health implications of association with Ashkenazi Jewish ancestry, namely incidence of Gaucher disease, Canavan disease, Tay-Sachs disease, Crohn’s disease, and breast, ovarian, and prostate cancer,” wrote Sen. Richards. “Such information in the hands of employers, potential employers, foreign governments, hostile actors, and others could be used to discriminate against individuals associated with the group.”
23andMe has more than 14 million users and the information of 1.3 million of those users was scraped from its DNA Relatives feature – around 9.3% of its users – which naturally prompts questions about the precautions 23andMe had in place to prevent such large-scale data theft. Sen. Richards asked 11 questions about the breach, the notifications to users, and what is being done to remediate the impact of the data breach and prevent similar breaches in the future.
Sen. Richards also wants to know about the regulatory and contractual obligations and considerations that 23andMe is subject to as a holder of individual genetic and phenotype data, the data protection practices and security features that appear to have been so easily circumvented, whether audits of its privacy and security protocols are conducted, why individual users are given access to other users’ genetic information and profiles, and what search tools and algorithms 23andMe provides that allowed large-scale downloads of user data filtered by specific demographics.
The attackers appear to have compromised only a few hundred accounts, yet through those accounts and the DNA Relatives feature they were able to scrape vast amounts of data belonging to users whose accounts were never compromised. Sen. Richards seeks answers on how that was possible, and, in response to 23andMe’s statement that the hackers violated its terms of service, how many times it has discovered an entity or an individual violating those terms in the past year and whether there are any consequences for such violations.
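The amplification described above (a few hundred logins exposing 1.3 million profiles) is a volume anomaly that a relative-matching feature can detect on its own, independently of whether the login looked suspicious. The example below is added here and is not part of the HIPAA Journal article or 23andMe's code; it compares how many distinct relative profiles each account has viewed in a window against a fixed cap and against the population median, then reports how many profiles the flagged accounts collectively exposed. The view records, both thresholds and the account and profile identifiers are constructed assumptions.

```python
from collections import defaultdict
from statistics import median


def build_sample_views():
    """Constructed sample (not real data): (account, viewed_profile_id) pairs.

    Four ordinary accounts look at a handful of relatives each; two
    compromised accounts, s1 and s2, page through the relative list and
    between them cover profiles r0001..r0120.
    """
    views = []
    for acct, n in {"u1": 3, "u2": 5, "u3": 2, "u4": 4}.items():
        views += [(acct, f"r{i:04d}") for i in range(1, n + 1)]
    views += [("s1", f"r{i:04d}") for i in range(1, 61)]     # 60 profiles
    views += [("s2", f"r{i:04d}") for i in range(41, 121)]   # 80 profiles, 20 overlap
    return views


def distinct_profiles_per_account(views):
    """Map each account to the set of distinct profiles it viewed."""
    seen = defaultdict(set)
    for acct, target in views:
        seen[acct].add(target)
    return seen


def detect_scrapers(views, hard_cap=50, ratio_to_median=10):
    """Flag accounts whose distinct-profile view count exceeds either limit.

    hard_cap: assumed absolute ceiling per window (a real value would come from
    the product's own usage data).
    ratio_to_median: flags accounts that are an order of magnitude above the
    typical user, which adapts to the population without hand-tuning.
    Returns the median, the flagged accounts with their counts, and the size of
    the union of profiles those accounts touched, i.e. the exposure footprint.
    """
    seen = distinct_profiles_per_account(views)
    counts = {acct: len(targets) for acct, targets in seen.items()}
    med = median(counts.values())
    flagged = {acct: c for acct, c in counts.items()
               if c > hard_cap or c > ratio_to_median * med}
    exposed = set().union(*(seen[a] for a in flagged)) if flagged else set()
    return {"median": med, "flagged": flagged, "exposed_profiles": len(exposed)}


if __name__ == "__main__":
    report = detect_scrapers(build_sample_views())
    print("median distinct profiles per account:", report["median"])
    print("flagged accounts:", report["flagged"])
    print("profiles exposed through flagged accounts:", report["exposed_profiles"])
```

On the sample, two accounts are flagged and the union of what they viewed is 120 profiles, far more than the two accounts' own data; that ratio between accounts compromised and records exposed is the metric worth alerting on. The same counter can enforce rather than just detect: refuse further relative lookups once an account crosses the cap until it re-authenticates with a second factor, and record the exposed profile set so affected users can be notified precisely rather than in bulk.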
Sen. Richards has asked for responses to each question by November 3, 2023.
The post Senate HELP Committee Senator Demands Answers from 23andMe about Data Breach appeared first on HIPAA Journal.