When a Florida woman complained after seeing the paternity test results of thousands of people online, federal regulators told her they didn’t have jurisdiction over the breach -- or fitness trackers or health apps, for that matter.
This story was co-published with the Washington Post.
Jacqueline Stokes spotted the home paternity test at her local drugstore in Florida and knew she had to try it. She had no doubts for her own family, but as a cybersecurity consultant with an interest in genetics, she couldn’t resist the latest advance.
At home, she carefully followed the instructions, swabbing inside the mouths of her husband and her daughter, placing the samples in the pouch provided and mailing them to a lab.
Days later, Stokes went online to get the results. Part of the lab’s website address caught her attention, and her professional instincts kicked in. By tweaking the URL slightly, a sprawling directory appeared that gave her access to the test results of some 6,000 other people.
The site was taken down after Stokes complained on Twitter. But when she contacted the Department of Health and Human Services about the seemingly obvious violation of patient privacy, she got a surprising response: Officials couldn’t do anything about the breach.
The Health Insurance Portability and Accountability Act, a landmark 1996 patient-privacy law, only covers patient information kept by health providers, insurers and data clearinghouses, as well as their business partners. At-home paternity tests fall outside the law’s purview. For that matter, so do wearables like Fitbit that measure steps and sleep, testing companies like 23andMe, and online repositories where individuals can store their health records.
In several instances, the privacy of people using these newer services has been compromised, causing embarrassment or legal repercussions.
In 2011, for instance, an Australian company failed to properly secure details of hundreds of paternity and drug tests, making them accessible through a Google search. The company said that it quickly fixed the problem.
That same year, some users of the Fitbit tracker found that data they entered in their online profiles about their sexual activity and its intensity — to help calculate calories burned — was accessible to anyone. Fitbit quickly hid the information.
And last year, a publicly accessible genealogy database was used by police to look for possible suspects in a 1996 Idaho murder. After finding a “very good match” with the DNA of semen found at the crime scene, police obtained a search warrant to get the person’s name. After investigating further, authorities got another warrant ordering the man’s son to provide a DNA sample, which cleared him of involvement.
The incident spooked genealogy aficionados; AncestryDNA, which ran the online database, pulled it this spring.
“When you publicly make available your genetic information, you essentially are signing a waiver to your past and future medical records,” said Erin Murphy, a professor at New York University School of Law.
The true extent of the problem is unclear because many companies don’t know when the health information they store has been accessed inappropriately, experts say. A range of potentially sensitive data is at risk, including medical diagnoses, disease markers in a person’s genes and children’s paternity.
What is known is that the Office for Civil Rights, the HHS agency that enforces HIPAA, hasn’t taken action on 60 percent of the complaints it has received because they were filed too late or withdrawn or because the agency lacked authority over the entity that’s accused. The latter accounts for a growing proportion of complaints, an OCR spokeswoman said.
A 2009 law called on HHS to work with the Federal Trade Commission — which targets unfair business practices and identity theft — and to submit recommendations to Congress within a year on how to deal with entities handling health information that falls outside of HIPAA. Six years later, however, no recommendations have been issued.
The report is in “the final legs of being completed,” said Lucia Savage, chief privacy officer of the HHS Office of the National Coordinator for Health Information Technology.
None of this was useful to the 30-year-old Stokes, a principal consultant at the cybersecurity firm Mandiant. Four months after she filed her complaint with OCR, it suggested she contact the FTC. At that point, she gave up.
“It just kind of seems like a Wild West right now,” she said.
Advances in technology offer patients ways to monitor their own health that were impossible until recently: Internet-connected scales to track their weight; electrodes attached to their iPhones to monitor heart rhythms; virtual file cabinets to store their medical records.
“Consumer-generated health information is proliferating,” FTC Commissioner Julie Brill said at a forum last year. But many users don’t realize that much of it is stored “outside of the HIPAA silo.”
HIPAA seeks to facilitate the flow of electronic health information, while ensuring that privacy and security are protected along the way. It only applies to health providers that transmit information electronically; a 2009 law added business partners that handle health information on behalf of these entities. Violators can face fines and even prison time.
“If you were trying to draft a privacy law from scratch, this is not the way you would do it,” said Adam Greene, a former OCR official who’s now a private-sector lawyer in Washington.
“Consumers should not assume any of their data is private in the mobile app environment—even health data that they consider sensitive,” the group said.
Consider a woman who is wearing a fetal monitor under her clothes that sends alerts to her phone. The device “talks” to her smartphone via wireless Bluetooth technology, and its presence on a network could be detected by others, alerting them to the fact that she’s pregnant or that she may have concerns about her baby’s health.
“That is a fact that you may not want to share with others around you—co-workers or family members or strangers in a café,” said David Kotz, a computer science professor at Dartmouth College who is principal investigator of a federally funded project that is developing secure technology for health and wellness.
“We’ve seen this in the tech market over and over again,” he added. “What sells devices or applications are the features for the most part, and unless there’s a really strong business reason or consumer push or federal regulation, security and privacy are generally a secondary thought.”
In Florida, Stokes is one of those people enamored with emerging health technologies. Several years ago, she rushed to sign up for 23andMe to analyze her genetic profile. And when she was pregnant with her daughter, she purchased a test that said it could predict the sex of the fetus. (It was wrong.)
The paternity test kit that piqued her interest earlier this year advertised “accuracy guaranteed” for “1 alleged father and 1 child.” She remembers the kit costing about $80 at a nearby Walgreens. Such tests sell for about $100 online.
“It was kind of a nerdy thing that I was interested in doing,” Stokes said.
The test was processed in New Mexico by GTLDNA Genetic Testing Laboratories, then a division of General Genetics Corp. Stokes was directed to log into a website and enter a unique code for her results. When they appeared, she noticed an unusual Web address on her screen, and she wondered what would happen if she modified it to remove the ID assigned to her.
She tried that and saw a folder containing the results of thousands of other people. She was able to click through and read them. “You wouldn’t call that hacking,” she said. “You would call that walking through an open door.”
Stokes downloaded those publicly accessible records so that she would have proof of the lax security. “There were no safeguards,” she said. She complained to the HHS Office for Civil Rights in early February. It answered in June, writing that the office “does not have authority to investigate your complaint, and therefore, is closing this matter.”
Bud Thompson, who until last month was the chief executive of General Genetics, initially said he had not heard about Stokes’ discovery. A subsequent email provided an explanation.
“There was a coding error in the software that resulted in the person being able to view results of other customers. The person notified the lab, and the website was immediately taken down to solve this problem,” he wrote. “Since this incident, we have sold this line of business and have effectively ceased all operations of the lab.”
The DNA testing company 23andMe, which helps people learn about their genetic backgrounds and find relatives based on those profiles, had a highly publicized lab mix-up in which as many as 96 customers were given the wrong DNA test results, sometimes for people of a different gender. A spokeswoman for the California-based company said she was unaware of any privacy or security breaches since that 2010 incident.
Kate Black, its privacy officer and corporate counsel, said that 23andMe tries to provide more protection than HIPAA would require.
“No matter what, no law is ever going to be narrow enough or specific enough to appropriately protect each and every business model and consumer health company,” she said.
California lawmakers have twice considered a measure to prohibit anyone from collecting, analyzing or sharing the genetic information of another person without written permission, with some exceptions.
Then-Sen. Alex Padilla, who sponsored the bill, cited a California company that marketed DNA testing, including on samples collected from people without their knowledge. In a recent interview, he said that he was amazed state law did not protect “what’s arguably the most personal of our information and that’s our genetic makeup, our genetic profile.”
The legislation failed. And Padilla, now California’s secretary of state, remains concerned: “I don’t think this issue is going away any time soon.”
While Stokes was troubled by her experience, she was particularly disheartened by the OCR’s response. “It was shocking to me to get that message back from the government saying this isn’t covered by the current legislation and, as a result, we don’t care about it,” she said.
The agency’s deputy director for health information privacy says there is no lack of interest. While it refers certain cases to law enforcement, OCR can barely keep up with those complaints that fall within its jurisdiction.
“I wish we had the bandwidth to do so,” Deven McGraw said. “We would love to be able to be a place where people can get personalized assistance on every complaint that comes in the door, but the resources just don’t allow us to do that.”
For its part, the FTC has taken action against a few companies for failing to secure patients’ information, including a 2013 settlement with Cbr Systems Inc., a blood bank where parents store the umbilical cord blood of newborns in case it is ever needed to treat subsequent diseases in the children or relatives. That settlement requires Cbr to implement comprehensive security and submit to independent audits every other year for 20 years. It also bars the company from misrepresenting its privacy and security practices.
But FTC officials say the number of complaints pursued hardly reflects the scope of the problem. Most consumers are never told when a company sells or otherwise shares their health information without their permission, said Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection.
“It may be done behind the scenes, without consumers’ knowledge,” she noted. “Those are the cases where consumers may not even know to complain.”
Has your medical privacy been compromised? Help ProPublica investigate by filling out a short questionnaire. You can also read other stories in our Policing Patient Privacy series.This story was originally published on ProPublica, a Pulitzer Prize-winning investigative newsroom. Sign up for the newsletter.