DNA Testing

Commercial DNA testing providers market their at-home tests for people to find out about their ancestry, discover relatives, and check for genetic markers that might predispose them to various health issues. However, these commercial tests are not subject to any privacy regulations in the United States and are a serious threat to personal privacy.

Commercial DNA Tests

Genetic test kits are readily available from various commercial vendors. These kits enable a person to send a sample containing their unique deoxyribonucleic acid (DNA) to a testing laboratory for sequencing. The kits are marketed to consumers as an opportunity to learn about their ancestry, identify their unique genetic traits, and check for genetic predisposition to serious or chronic health conditions. Since these companies are not healthcare providers, neither the submitted samples nor the results are subject to HIPAA or other federal privacy laws. The companies that perform this testing can therefore sell the results to anyone, including pharmaceutical and insurance companies. While health insurance companies cannot discriminate based on genetic information (thanks to HIPAA and other regulations), life insurance, disability insurance, and long-term care insurance providers can legally deny a person coverage based on their genetic information. Such a company might refuse to provide coverage to someone who is at high risk for developing some kind of serious illness.1

In practice, there is little regulation for companies that offer direct-to-consumer DNA testing services. Consequently, these companies have developed vast databases containing individuals’ genetic information. Worse, companies that offer DNA tests are not required to obtain the consent of the person whose DNA is collected for the test. There is currently no federal law that prohibits someone from collecting another person’s DNA and sending it away to be tested without that other person’s knowledge. Some states have laws against this practice, but enforcement varies.2

DNA and Law Enforcement

The Federal Bureau of Investigation (FBI) maintains CODIS, the Combined DNA Index System. This database contains genetic information collected from convicted criminals (and potentially arrestees, regardless of future conviction) and can be checked against DNA found at crime scenes to identify suspects who have had a prior law enforcement encounter. A process called Investigative Genetic Genealogy (IGG) combines the CODIS database with information obtained from commercial genealogy sources – which may include data from consumer DNA tests – to provide broader matching for law enforcement purposes.2

IGG has a number of serious ethical issues. DNA-based suspicion of siblings, children, parents, cousins, and other relatives becomes possible if any one of these relatives happens to have genetic information in a database. By combining a DNA family match with family tree information, police can narrow down the potential list of suspects using other information, like the approximate age or geographic location provided by a witness. While this technique has been used successfully to prosecute cold cases, there is always a risk of identifying the wrong suspect. Furthermore, since court records are typically public, there is a risk that sensitive health information about a person who is merely related to a suspect might be released.3 Also, while solving cold cases might sound like a good idea at first glance, remember that nobody knows how many federal crimes there are.4 It is possible that some future prosecutor could go back and try to charge people with ridiculous things based on information gathered through IGG.

Sale of Genetic Data in Bankruptcy

At the time of this writing, consumer DNA testing company 23andMe Holding Co. is in Chapter 11 bankruptcy.5 The company hasn’t been able to recover fully from a massive data breach in 2023, in which private information about roughly half its customers was stolen,6 nor has it found a way to convince customers to repeat DNA testing more than once.7 Since there is no way to know what will happen to the data 23andMe currently possesses – as the final disposition is a matter for the bankruptcy court to decide – the South Carolina Attorney General recommends that customers of 23andMe close their accounts and request deletion of their data and DNA samples.8

Mitigation

The best way to mitigate the risk of commercial DNA testing is not to submit a test sample. It is also not a good idea to give these tests as a gift to any relatives, since the relative’s DNA could expose information about you. If you believe you may be at risk for a specific disease, work with a healthcare provider to obtain the appropriate tests through HIPAA-protected channels. While this approach won’t protect against a breach involving genetic data, or even against the potential that someone else tests your DNA without your consent, it is at least a good start. Don’t voluntarily give your DNA to a company.

Notes and References


  1. Edmund Coby and R.J. Cross. The privacy concerns of genetic test kits. United States Public Interest Research Group. December 19, 2024. 

  2. Privacy in Genomics. National Human Genome Research Institute. February 6, 2024. 

  3. Nina F. de Groot, Britta C. van Beers, and Gerben Meynen. “Commercial DNA tests and police investigations: a broad bioethical perspective.” Journal of Medical Ethics 47(12): 788-795. September 11, 2021. 

  4. Casey J. Bastian. “How Many Federal Crimes Are There?” Criminal Legal News. August 15, 2022.

  5. 23andMe Holding Co. Kroll Restructuring. 2025.

  6. Edward Helmore. “Genetic testing firm 23andMe admits hackers accessed DNA data of 7m users.” The Guardian. December 5, 2023. 

  7. Joe Hernandez. “23andMe is filing for bankruptcy. Here’s what it means for your genetic data.” NPR. March 24, 2025. 

  8. Consumer Alert: Attorney General Alan Wilson says South Carolinians should consider deleting 23andMe accounts to protect personal data. South Carolina Attorney General. March 25, 2025. 

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.