In the aftermath of the first large-scale human genetic data breach, 23andMe seeks to settle a class action lawsuit with a payment of $30 million for the 6.4 million users affected.
Is the agreement fair? Does the Federal Court need to consider the broader implications of this case for future societies?
Techopedia spoke to legal, healthcare, and tech experts to answer these and other questions.
Key Takeaways
- 23andMe has agreed to pay $30 million to compensate victims of a data breach that affected 6.4 million users.
- The offer has been filed in Federal Court but needs approval from the court.
- The settlement’s fairness is debated. Some argue it doesn’t reflect the seriousness of a genetic data breach, while others see it as a starting point for the evolving legal landscape.
- Current regulations lack specific guidelines for penalties and fines related to genetic data breaches. Users often unknowingly grant broad data access through service agreements.
- The case sets a precedent for future genetic data breaches. Experts worry a low settlement discourages strong security practices and hinders public trust in sharing genetic data.
‘Court Must Decide if Agreement is Fair’
On September 12, a preliminary settlement for an agreement of the class action against 23andMe was filed in federal court in San Francisco. The settlement — which still requires the Court’s approval — stipulates that the company will issue cash payments for victims of the data breach, along with a three-year security monitoring service.
In a memo, company lawyers said that “23andMe believes the settlement is fair, adequate, and reasonable.” But is it?
The 23andMe breach is considered unique for being the first human genetic data large scale security incident. An agreement in this case will therefore set precedents for a field expected to grow significantly in the coming years: biohealthcare and genetic data.
The 23andMe breach affected nearly half of the 14.1 million customers that the company had at the time. Back then the company blamed users for having poor password security standards, a move that disappointed those who hoped the company would take full accountability and ownership of their security.
Fast forward to 2024 and the new 23andMe agreement does little to not disappoint again, downplaying the gravity of the incident.
Christopher E. Roberts, Class Action Attorney at Butsch Roberts & Associates LLC, told Techopedia that it is now the court’s responsibility to decide if the agreement is fair.
“The court is the ultimate arbiter as to whether a class action settlement agreement, like this agreement, is fair.
“As such, the court is the gatekeeper to making sure class members are treated fairly. The court must decide not once, but twice, whether the agreement is fair.”
Roberts added that it is possible that the court may not grant preliminary approval and can ask the parties to go back to the settlement drawing board. Additionally, if the court approves the agreement, class members can still object or opt-out.
“The purpose of class action lawsuits is to compensate class members for wrongs, but also to send an important message that the misconduct is serious.
“Large settlements like this one can help companies develop better practices going forward and can also incentivize similar businesses to make sure their practices are proper now and going forward.”
Legal Gaps Driven By Genetic Data Industry Innovation
Danielle Kelvas, MD, Physician Advisor for IT Medical, a software and digital product healthcare solutions company, spoke to Techopedia about the regulation gaps driven by rapidly advancing technologies.
“People would assume that genetic data falls under HIPAA, and it does, but there aren’t clear guidelines on the amount of fines to charge here.”
MD Kelvas explained that the Genetic Information Nondiscrimination Act of 2008 (GINA) primarily addresses the issue of discrimination based on genetic information in health coverage and employment rather than specifying fines for breaches of genetic health data.
“The crux of the argument here is that the general public feels disgusted that it is perfectly legal to sell de-identified genetic information for hundreds of millions of dollars.”
Before the passage of the 2013 HIPAA Omnibus Rule, genetic information was not specifically included in the HIPAA regulations’ definition of protected health information (PHI).
Kelvas explained that when users agree to ‘the terms’ — even if they fail to read the fine print — they are giving 23andMe permission to use their data.
“This goes for any medical app or company, really.”
23andMe’s claims it does not sell, lease, or rent genetic data without explicit consent from the customer. However, the company has licensed genetic data to drug companies in the past, including GSK, in exchange for millions.
Evidently, the foundations of the genetic data industry are far from ‘fulfilling the curiosity demands of people who want to know more about their heritage’. The industry’s main motors are healthcare, science, researchers, and most pharma companies (a $1.6 trillion industry).
A Dangerous Precedent for the Future of the Surging Genetic Data Industry
Michel Young, co-founder of Lindus Health, a company modernizing clinical trial management, also spoke to Techopedia about the case.
“Low-value settlements like this are common, but this sets a dangerous precedent for a breach of genetic data. The breach undoubtedly hurt public confidence in sharing data of this type with any provider, including 23andMe.”
Young warned that the case has much wider ramifications for society as a whole. “Sharing and analysis of genetic data is going to be key to the next wave of healthcare innovation,” Young said.
Young believes that a stronger settlement would have considered this broader impact and incentivized stronger security practices across the industry.
Erich Kron, Security Awareness Advocate at KnowBe4 was not surprised by the developments of the case.
“It is not uncommon for settlements such as this to fall grossly short when it comes to compensating victims in situations like these,” Kron told Techopedia.
“We are not talking about a list of email addresses that has been lost, but the genetic information of millions of people.”
Kron explained that the world has no idea how this type of information may be used in 10 or 20 years.
“The fact that the information will never change, nor can it be changed for the lifetime of the victims, makes a $5 settlement, even with several years of credit monitoring, grossly inadequate,” Kron said.
The Bottom Line
As the 23andMe case moves on, requiring the approval of the court, it is clear that lawyers have decided to focus on the breach as a ‘normal cybersecurity incident’ — if such a thing exists.
By taking this approach, 23andMe denies responsibilities and wrongdoings that are intrinsically linked to a wider industry that has a broader impact on the population. Whether the Federal Court will approve the agreement as-is or send a stronger message is yet to be revealed.
References
- Exhibit A (Storage.courtlistener)
- 3andMe’s Memo in Support of Preliminary Approval (Storage.courtlistener)
- Addressing Data Security Concerns – Action Plan – 23andMe Blog (Blog.23andme)
- Christopher E. Roberts – Partner – Butsch Roberts & Associates LLC | LinkedIn (Linkedin)
- Butsch Roberts & Associates LLC | St. Louis Civil Litigation Attorneys (Butschroberts)
- Danielle Kelvas, MD – DKMD Consulting | LinkedIn (Linkedin)
- Healthcare Software Development & IT Services | IT Medical (Itmedical)
- The Genetic Information Nondiscrimination Act of 2008: “GINA” | U.S. Department of Labor (Dol)
- Will the Information I Provide Be Shared With Third Parties? – 23andMe Customer Care (Customercare.23andme)
- 23andMe Announces Collaboration Extension with a New Data Licensing Agreement with GSK | 23andMe, Inc. (Investors.23andme)
- Pharmaceutical market worldwide revenue 2001-2023 | Statista (Statista)
- Michael Young – Lindus Health | LinkedIn (Linkedin)
- Lindus Health | The Anti-CRO for Life Science Pioneers (Lindushealth)
- Erich Kron – KnowBe4 | LinkedIn (Linkedin)
- Security Awareness Training | KnowBe4 (Knowbe4)