Every Patient a Subject

Personalized medicine, the hoped-for use of the information in our genes to inform our medical care, may end up helping people live longer, healthier lives. Or it may not—the jury is still out. But one thing is certain: As our unique genomic data enter our medical records, researchers will be tempted to use that invaluable resource. The results may be good for science but bad for patients’ privacy.

In 2013, reporter Carole Cadwalladr, writing for the Guardian, described her encounter with the paradox of personalized medicine: Unlocking one’s genetic code may feel empowering, but the implications can be frightening. Cadwalladr agreed to let Illumina, a company that makes and uses gene-reading machines, sequence her DNA and use her genome in research in connection with an upcoming conference.

At a conference she attended, Illumina gave all the participants party favors: iPads with copies of their own genomes. Cadwalladr was unnerved to realize that her unique genetic code was now stored by Illumina in the Amazon Cloud and could, like all digital data, be potentially hacked and leaked. But, she reminded herself, she had been told the risks and benefits and had made an informed choice to volunteer.

This choice is denied to many subjects of genomic research—a group that may one day soon include almost all of us. Cadwalladr told us she was “surprised to learn” that current norms for medical research permit a scientist who gets a sample of blood, tissue, or saliva to sequence and use that genome without the donor’s specific consent, or even without her knowledge. The scientist then may share those genomic data with others, including a database maintained by the U.S. National Institutes of Health that’s used by researchers and companies worldwide. This can all happen without any notice to the people whose DNA was sequenced. (In fact, if the study is federally funded, in some cases the scientist must share the information.) These practices are currently acceptable, as long as the genome is viewed as “de-identified”—meaning it isn’t linked to obvious identifiers, such as names, addresses, or phone numbers, and it is not, in itself, considered identifiable.

That sounds reasonable, but “de-identification” is becoming only a reassuring myth. Subjects of genomic research should not confidently expect to remain anonymous. The possibility of “re-identifying” people from either their genomes or the health or demographic data connected with those genomes is real. The probability of re-identification is unclear but certainly growing, as the focus of genomic research shifts from the individual to the population, from small collections of DNA to vast electronic databases of genomic and health information.

Advances in data science and information technology are eroding old assumptions—and undermining researchers’ promises—about the anonymity of DNA specimens and genetic data. Databases of identified DNA sequences are proliferating in law enforcement, government, and commercial direct-to-consumer genetic testing enterprises, especially in genetic genealogy. That growth is increasing the likelihood that anyone with access to such nonanonymous “reference” databases could use them to re-identify the person who provided a “de-identified” gene sequence. People with access could include amateur genetic genealogists but also hackers.

Similarly, information about a person’s health conditions or demographic characteristics can be used for re-identification. How many 6-foot-2-inch-tall 62-year-old white men are there in a given state with white hair, an artificial left hip, type A positive blood, and a prescription for warfarin?

Newer re-identification risks will emerge as scientists learn to profile individuals using information encoded in the genome itself, such as ethnicity and eye color. Authors of a recent study published in PLOS Genetics described a method to use the genome and computerized rendering software to “computationally predict” 3-D models of individual “faces” of particular genomes; in a subsequent paper the authors describe how these techniques will be useful in criminal investigations.

Today medical ethicists, lawyers, and data scientists dispute whether de-identification remains a reliable means of privacy protection. One camp maintains that the risks of re-identification are overstated, creating a climate that impedes research unnecessarily; another group of experts, the “re-identification scientists,” counter by demonstrating repeatedly how they can re-identify supposedly anonymous subjects in genomic research databases.

Yet to date, this conversation has been largely academic. Gene-sequencing technology is only now maturing into clinical use, and the number of people whose genomes have been sequenced for research in the United States is relatively small compared with the total patient population. Though many of these research subjects contributed DNA before the advent of sequencing technology and are likely unaware that their genomes have been sequenced and shared, most did consent to participate in some form of medical research and provided DNA samples for this purpose. In theory, therefore, these subjects, like Carole Cadwalladr, all knew they were assuming new privacy risks by joining a study.

This is about to change, as gene sequencing moves from the research laboratory to the clinic— and we need to consider the consequences carefully. When the day arrives that each patient’s genome is sequenced routinely in the course of our medical care, all our genomic data will become part of, or linked to, our permanent, electronic medical records.

EMRs with gene-sequence information will be a treasure trove for genomic research on a populationwide scale, allowing researches to forgo recruiting DNA donors in favor of obtaining genomic data directly from the EMR. The temptation to do good by doing research on this vast scale will be irresistible; the mushrooming literature on such genome-wide association studies shows that these very large studies may offer researchers enough statistical power to tease apart the complex interplay of genetic contributions to almost any health condition imaginable, from schizophrenia to diabetes.

Commonly accepted practices for records-based research, which don’t require patient consent, could eventually cause many of us to become the subjects of genomic research without our knowledge. As has already happened for many of the nearly 1 million subjects in the NIH genomic database, our genomes might then be distributed to researchers worldwide, and we’d never know. That people who volunteered for specific studies have their genomes distributed across the world without their knowledge is bad enough. That this might happen to people who have sought medical care but have not volunteered for research would be worse.

Patients today generally don’t know when their medical records have been disclosed for research, or to whom—making it difficult to object. In the not-so-distant future, when medical records include our unique genomes, this status quo will be ethically unacceptable. To date, regulators have interpreted federal health privacy law to permit providers to treat whole genome sequence data as “de-identified” information subject to no ethical oversight or security precautions, even when genomes are combined with health histories and demographic data. Either this interpretation or the law should be changed.

The same EMRs that will make this research possible could also be used to record patients’ choices whether to participate in research, but that is not generally happening. If the research community truly believes that science must conscript patient genomes for public benefit, it should make that case openly, explaining how notice and consent will impose undue burdens on crucial research. Otherwise, do the right thing: Ask patients first.

Jennifer Kulynych and Hank Greely,  Slate

Geneticists Begin Tests of an Internet for DNA

A coalition of geneticists and computer programmers calling itself the Global Alliance for Genomics and Health is developing protocols for exchanging DNA information across the Internet. The researchers hope their work could be as important to medical science as HTTP, the protocol created by Tim Berners-Lee in 1989, was to the Web.

One of the group’s first demonstration projects is a simple search engine that combs through the DNA letters of thousands of human genomes stored at nine locations, including Google’s server farms and the University of Leicester, in the U.K. According to the group, which includes key players in the Human Genome Project, the search engine is the start of a kind of Internet of DNA that may eventually link millions of genomes together.

The technologies being developed are application program interfaces, or APIs, that let different gene databases communicate. Pooling information could speed discoveries about what genes do and help doctors diagnose rare birth defects by matching children with suspected gene mutations to others who are known to have them.

The alliance was conceived two years ago at a meeting in New York of 50 scientists who were concerned that genome data was trapped in private databases, tied down by legal consent agreements with patients, limited by privacy rules, or jealously controlled by scientists to further their own scientific work. It styles itself after the World Wide Web Consortium, or W3C, a body that oversees standards for the Web.

“It’s creating the Internet language to exchange genetic information,” says David Haussler, scientific director of the genome institute at the University of California, Santa Cruz, who is one of the group’s leaders.

The group began releasing software this year. Its hope—as yet largely unrealized—is that any scientist will be able to ask questions about genome data possessed by other laboratories, without running afoul of technical barriers or privacy rules.

The researchers felt they had to act because the falling cost of decoding a genome—then about $10,000, and now already closer to $2,000—was producing a flood of data they were not prepared for. They feared ending up like U.S. hospitals, with electronic systems that are mostly balkanized and unable to communicate.

The way genomic data is siloed is becoming a problem because geneticists need access to ever larger populations. They use DNA information from as many as 100,000 volunteers to search for genes related to schizophrenia, diabetes, and other common disease. Yet even these quantities of data are no longer seen as large enough to drive discovery. “You are going to need millions of genomes,” says David Altshuler, deputy director of the Broad Institute in Cambridge and chairman of the new organization. And no single database is that big.

The Global Alliance thinks the answer is a network that would open the various databases to limited digital searches by other scientists. Using that concept, says Heidi Rehm, a Harvard Medical School geneticist, the alliance is already working on linking together some of the world’s largest databases of information about the breast cancer genes BRCA 1 and BRCA 2, as well as nine currently isolated databases containing data about genes that cause rare childhood diseases.

In March, the group launched a test of whether scientific organizations would be willing to share data. A product called Beacon lets the owner of a database open it up for strictly limited searches.

“We are not trying to invent a technical feat; it’s breaking down this problem of people not sharing data,” says Marc Fiume, a computer science graduate student at the University of Toronto who built part of the interface. “This lets you probe, but without identifying anyone or violating patient privacy.”

So far, 15 databases are compatible with Beacon, which Fiume rates a reasonable success. Three are stores of public genomes that Google maintains a copy of, and one is at a software company called Curoverse in Boston.

Haussler says a future protocol would offer access to progressively more data, but in a controlled way. Scientists would have to register, or even sign legal agreements. “If it’s ‘Give me the whole genome,’ you’d enter a contract for that,” he says.

One change the alliance is pushing is a new type of master consent form, the document that lays out volunteers’ rights when they hand over their genomes. The new consent is broader than most, giving permission for “controlled access” by “researchers around the world.” It promises that no researcher will identify a participant, although since DNA is a unique, like a fingerprint, there would be no guarantees.

Like the W3C, the Global Alliance has “host institutions” that pay its bills. So far, they are the Broad Institute, the Wellcome Trust Sanger Institute in the U.K., and the Ontario Institute for Cancer Research, according to Altshuler, who declined to say how much money each had contributed.

John Wilbanks, founder of the nonprofit Sage Bionetworks, is working with the alliance and is also a former member of the W3C. He says the alliance has a harder task than the W3C did. “The Web existed long before the Web Consortium did. That is the big difference,” he says. “The Web got traction, and the consortium was created to manage it. They didn’t have to create the Web.”

Antonio Regalado, MIT Technology Review

Google Wants Your DNA: Are You Willing to be a Project in the Cloud?

For the past 18 months, Google has quietly been approaching hospitals and universities to acquire genome data in an effort to roll out a cloud computing service for DNA, according to Technology Review.

Google Genomics is the search giant’s first product for the DNA age, providing an API to store, process, explore and share DNA sequence reads, reference-based alignments, and variant calls, using Google’s cloud infrastructure.

For $25 a year, Google will host a copy of genome sequences in the cloud.

While genetic databases already exist online, Google Genomics is the latest and most ambitious iteration. Genealogy databases for finding ancestors and public genetic databases run by national research centers, while impressive and useful, have nothing on the DNA storage service.

Connecting and comparing genomes by the thousands, and soon by the millions, will propel medical discoveries for the next decade. Between Google, IBM, Microsoft and Amazon – the question of who will store the data is already a point of growing competition.

“We saw biologists moving from studying one genome at a time to studying millions,” David Glazer, the software engineer who led the effort, told Technology Review. “The opportunity is how to apply breakthroughs in data technology to help with this transition.”

Why Google Genomics is Important

The collection of data is vastly increasing in labs all over the world as faster equipment for decoding DNA is becoming more accessible. The Broad Institute in Cambridge, Massachusetts, reported that during the month of October it decoded the equivalent of one human genome every 32 minutes – roughly 200 terabytes of raw data.

This flow of data exceeds what biologists have previously handled (to put this in perspective, in over two months, Broad Institute will produce the equivalent of the amount of material that gets uploaded to YouTube in one day) prompting the effort to store and access data at a central point.

The National Cancer Institute said in October that it would pay $19 million to move copies of the 2.6 petabyte Cancer Genome Atlas into the cloud. Copies of the data will reside at both Google Genomics and in Amazon’s data centers.

The Future of Medical Discoveries

Without the comparison of genome sequences, it is tough for researchers to determine what a mutation is and what is not within DNA. With a database that houses thousands of genomes, the chances of pinpointing inconsistencies become much higher.

A database such as Google Genomics can serve as a search catalogue for doctors to determine the best treatment options for a patient.

“Our bird’s eye view is that if I were to get lung cancer in the future, doctors are going to sequence my genome and my tumor’s genome, and then query them against a database of 50 million other genomes,” said Deniz Kural, CEO of Seven Bridges, which stores genome data on behalf of 1,600 researchers in Amazon’s cloud. “The result will be ‘Hey, here’s the drug that will work best for you.’”

Solving the Privacy Issues

With big data comes big privacy issues. Genome databases have to carefully calibrate how much information they provide alongside DNA sequences. While more information such as age, sex, location, diet habits, etc. are more useful to researchers, the easier it is to identify who the genome belongs to.

A study in Science last year was able to identify several men from the publicly available 1000 Genomes Project based on their Y chromosomes and age, location and family tree data. While Google Genomics’ data is geared towards researchers rather than the general public, the wide accessibility of this information leaves the privacy matter open.

Additionally, what if researchers who are studying a patient’s genomes for cancer come across information that reveals a newly discovered rare disease or that said patient has an unknown sibling. Do they tell the patient?

While these privacy worries aren’t unique to Google Genomics, the sheer magnitude of the project magnifies the potential problems. According to Gizmodo, researchers have advocated for central genomic data centers to standardize privacy policies. Once these privacy concerns are reckoned with, Google Genomics has the capability to succeed where others haven’t.

According to Technology Review, at least 3,500 genomes from public projects are already stored on Google’s servers.

Stehphanie Ocano, Healthcare Global

Taking your Genome to the Bank

What’s more valuable than your money, equally vulnerable, and unique to you? Answer: Your genome. And just like your money, your genome should be stored securely as possible and those institutions that store your genome should be regulated on how they store it, use it, and potentially share it.

As medical science advances, it’s going to be increasingly important for people to be able to control and manage access to their personal genomes. To make this possible, we need to establish a formal, well-regulated system of genome banking. Just as the government regulates the banks that hold our money, we must also have it or an equivalent group/system to govern how institutions manage our genomic data. Because it is only by guaranteeing the security and use of that information that we will be able to exploit the full potential of the growing pool of genomic data for the betterment of the individual and for mankind.

Everyone’s genomic data, after all, is potentially life saving and life changing. We’ve long known that each of us has a unique string of three billion or so tiny molecules linked together in our own genetic code. That code governs much of our health and well being. It dictates the color of our eyes, how tall we can grow, our relative risk of developing cancer, and much more. Your genome also has big implications for your children and other members of your family. If a family member develops an inheritable disease such as breast cancer or Huntington’s, the information in your genome could be crucial to determine if other family members are also at risk. Think of this as the estate you pass on to your heirs.

Craig Venter was recently quoted in a Businessweek article saying ? “It’s going to be important to know what the variant is you got from your mother and from your father, and whether that correlates with 30 other variants across the genome that are associated with susceptibility for a certain type of cancer, for example.”

Genomic data is also becoming increasingly important in medical research. Studies of Alzheimer’s suggest that one reason so many clinical trials have failed so far is because the studies need to be done in people with earlier stage disease, which is currently very challenging to detect. In the future, it’s likely that people whose relatives have the disease will be able to get a simple blood test that will help estimate their own risk. Additional studies will then be used to select optimal candidates for early stages trial of new Alzheimer’s drugs.

But there’s also a dark side to genome sequencing. Hackers can sneak into databases and determine the owner of an “anonymous” genome using DNA identifiers. They can also uncover previously unrecognized sensitive information about someone’s genome, or unmask areas that researchers have attempted to keep from public view.

In probably the most famous example of this, James Watson (the co-discoverer of the DNA double helix) made almost his entire genome public in 2007. One gene—APOE, which helps predict risk of Alzheimer’s disease—had been masked before Watson’s genome was published. However, several geneticists said they could tell whether or not he carried the gene, based on other mutations that are commonly inherited with APOE. No one publicized his APOE status, but it became clear that publishing your genome could entail risk to your privacy.

Then in January 2013, a researcher at Massachusetts’ world-renowned Whitehead Institute tracked down five people who he selected at random from a DNA database. Using just their DNA, ages, and the states where they lived, in a matter of hours he identified the five as well as some of their relatives.

Such stories are unnerving to many, who worry that insurance companies or employers will use genetic information to discriminate against them. Even though it’s technically against the law, this is a widespread fear.

Some experts claim it’s time to simply accept that we are in a genomic era, and that will entail some risk to privacy. They are encouraging people to donate their DNA to large public databases so that we can more rapidly advance genomic testing and diagnosis. But for those who are not comfortable sharing their data (whether public or private unregulated entities) there should be an alternative that doesn’t involve simply trusting that our data will be safe. We should be able to have a guarantee that our genomes will be safe and managed according to standards. As we have done in the past—you can store you money in your mattress or you can choose to store it in a bank that is regulated and must abide by guidelines.

The system I am suggesting is one that would set up firm rules for how genomic data is stored, used, and transferred/loaned between institutions, just as we have rules for transferring money. Once those system and rules are in place and have been widely communicated, more people will trust the system. With greater confidence in the system, more people will start to participate and we can finally enter a truly genomic era that can profoundly affect the future of humanity. My challenge to lawmakers and policy makers is to not look at this area as something that is managed by researchers but something of significant value to society that affects every human being on earth. And if that is believed to be true—then this valuable asset should be rightfully standardized, regulated and managed to create a system that benefits all individuals both here and abroad.

Harry Glorikian , GEN

Genetic Discrimination Means the Choice Between Life and Life Insurance in Canada

Protecting members of our society from discrimination based on the colour of their skin, ethnicity, or ancestry is a fundamental Canadian value. Unfortunately, Canadians across the country currently face real as well as potential future discrimination based on their DNA. Genetic discrimination is a reality in Canada, with out-dated laws enabling insurance companies and employers to target individuals and families based on the results of genetic testing.

To date, science has outpaced legislation in Canada, despite broad, multi-partisan consensus supporting action to stop genetic discrimination. Prime Minister Stephen Harper pledged to “prevent employers and insurance companies from discriminating against Canadians on the basis of genetic testing” in the last Speech from the Throne; an NDP Private Member’s Bill has been introduced in the House of Commons to amend the Canadian Human Rights Act to prohibit genetic discrimination; and theCanadian Coalition for Genetic Fairness testified this week at the Senate human rights committee regarding Liberal Senator James Cowan’s Bill S-201: An Act to Prohibit and Prevent Genetic Discrimination.

In the early 1990s when the Global Genome Project began, Canada joined other countries in a dialogue about its possible outcomes and the potential need for safeguarding genetic information. At the time, Canada opted to take a “wait and see” approach. Nearly 25 years have passed, and ours is now the only G7 nation that does not protect genetic information.

At the same time, Canada continues to invest billions in promising genome research, the benefits of which will be diminished and degraded due to the fear and reality of genetic discrimination. In his testimony before the Senate human right committee, Dr. Ronald Cohn, Co-Director of the Centre for Genetic Medicine and Senior Scientist at the Hospital for Sick Children, noted that 3 per cent of families refused to participate in a study that could have life changing diagnostic implications for their seriously ill children, citing genetic discrimination. With research increasingly making it possible for prevention, early detection, and treatment of many diseases, genetic discrimination by insurers and employers is a barrier to the future wellbeing of every Canadian.

Genetic testing can provide diagnostic precision and more effective treatment of illness, saving lives and ultimately reducing healthcare costs. Tragically, patients all too often face a dreadful dilemma: undergo testing that could prolong and improve the quality of their lives but would make them vulnerable to discrimination, or refrain from testing and take their chances.

The case of two brothers in their twenties at risk for Long QT, a genetic mutation leading to a sudden, fatal heart attack, is illustrative. One was tested, has the mutation, will be treated, and will accordingly not die of a massive heart attack. He will also not qualify for life insurance. The other brother was in the middle of a job search and refused to get a genetic test for fear of employers finding out. He will be able to access life insurance.

Who wins in this scenario when the untested, insured brother dies at 40 years of age leaving behind a wife and young children? Does it really make sense that an employer can’t inquire about a person’s marital status, but can have access to private genetic information?

Genetic discrimination is not just an issue affecting groups of people susceptible to certain diseases. Various ethnic communities are, in some respects, just as vulnerable. For example, Jewish Canadians disproportionately carry genetic markers suggesting increased predisposition to certain types of cancer. Testing for this information, free from threat of discrimination, is vital for improving health outcomes and saving lives.

Genetic information is sensitive, complicated, and requires a high degree of protection. Failing to safeguard genetic test information and allowing insurers and employers to use an individual’s most personal genetic data against them will have lasting consequences for the health and wellbeing of all Canadians. It is time for the law to catch up with science and ensure an end to genetic discrimination in Canada.

Follow the Canadian Coalition for Genetic Fairness on Twitter.

Shimon Koffler Fogel , Huffington Post
Co-authored with Bev Heim-Myers, Chair, the Canadian Coalition for Genetic Fairness and CEO, Huntington Society of Canada

U.S. House unanimously approves newborn screening bill with CRG backed privacy and consent provisions

National newborn screening legislation is headed to President Barack Obama’s desk for signature after unanimously passing the U.S. House of Representatives on Wednesday.

The legislation includes new timeliness and tracking measures aimed at eliminating delays in newborn screening so babies with deadly yet treatable genetic disorders are diagnosed quickly. The changes were made in response to a Milwaukee Journal Sentinel investigation last year that found thousands of hospitals were late sending babies’ blood samples to state labs.

Patrick O’Connor, whose son has been seriously and permanently affected by delayed newborn screening, said the legislation and changes to it are “incredibly important” and long overdue.

“People who are unfamiliar with newborn screening can now have some level of confidence that there’s a system of checks and balances in place,” he said.

The Newborn Screening Saves Lives Reauthorization Act, which advocates worried wouldn’t pass before the end of the year, reauthorizes a 2008 measure that funds $19.9 million for programs supporting the country’s state-run newborn screening systems. The bill has been pending in Congress since January but stalled when Republican senators said they had privacy concerns about genetic research funded by the legislation.

On Monday, the U.S. Senate passed the bill after requiring parental consent before federally funded genetic research can be done on a blood sample. The bill returned to the House for similar changes and now goes to Obama, who is expected to sign it in the next 10 days.

Nearly every baby in the country is tested for genetic disorders shortly after birth. Blood is collected on a card that is sent to state public health labs for testing. The Journal Sentinel found that infants have died andsuffered permanent disabilities because of screening delays by hospitals and state labs.

Patrick and Katrina O’Connor’s son, Peter, was born in Connecticut in 2007. His blood sample never made it to the state health lab, and so for 99 days, doctors didn’t know why he was so sick. Peter has a genetic disorder that is easily treated if caught early. Connecticut required hospitals to develop a system to track results, but the hospital where Peter was born didn’t do so. Left untreated, Peter suffered neurological damage in his first three months of life and, at 7 years old, is significantly behind his peers.

In its investigation, the Journal Sentinel also found that federal regulators and health officials have discussed the need to standardize newborn screening nationwide, but little action has been taken in the past 15 years. In response to those findings, other amendments to the legislation include:

■ Directing the U.S. Centers for Disease Control and Prevention to evaluate lab quality and surveillance activities so state labs can collect and share standardized data

■ Requiring the Government Accountability Office to prepare a report within two years that examines the timeliness of newborn screening in the U.S., while also summarizing guidelines and recommendations.

■ Directing a committee of experts for the U.S. Health And Human Services secretary to give recommendations on improving timeliness for newborn screening.

The legislation does not require public reporting of hospitals’ and states’ performance, leaving that up to each state.

In the past year, dozens of states, including Wisconsin, have made significant changes to address delays, such as identifying problem hospitals and providing them with regular performance reports, adding courier services from hospitals and keeping labs open on weekends. Several have decided to publicly post hospitals’ performance online.

Ellen Gabler, Journal Sentinerl

Privacy and consent provisions added to Senate passed newborn screening bill

The U.S. Senate has passed H.R. 1281, the Newborn Screening Saves Lives Reauthorization Act, after adopting significant privacy and consent protections championed by the Council for Responsible Genetics.

Every US state conducts a newborn screening test on every baby born within its borders. State law generally requires that a nurse takes a few drops of blood from the heel of each newborn, and submits it to a state laboratory. There, researchers test blood to look for 50 or so medical conditions that could be dangerous–generally metabolic, genetic or endocrine conditions. Newborn screening has proven a very effective and successful health program.

Unfortunately, once the initial testing is completed, the samples are not destroyed. Rather than discarding the screening tests, many state departments of health store the bloodspots for a period of time, even indefinitely, using them for quality control and sometimes research. Usually parents have no idea this is occurring.

The Newborn Screening Saves Lives Reauthorization Act, which provides grants to state entities administering newborn screening programs, is intended to unify and nationalize the data collection resulting from state screening programs by standardizing data collection and reporting. Unfortunately it did not address the serious privacy and consent issues with the long term storage and use of such data.

CRG has been working closely with the US Senate to include appropriate privacy and consent protections into this important legislation. Our report, Newborn Screening in America, and other materials from the CRG sponsored Genetic Privacy Network have been widely distributed on Capitol Hill and have become crucial resources on this issue.

We are pleased to announce that late last night, the Senate passed the bill after adding language designating any federally-funded research involving newborn bloodspots collected after March 2015 to be considered human subjects research for the purposes of the Common Rule. This means that such research will require informed consent from parents before these bloodspots can be used for research; it does not, however, apply to the screening of individual newborns for the required disorders. This provision does not require such consent to be obtained before the initial bloodspot is collected and tested. The bill now returns to the House of Representatives which is expected to quickly affirm changes made by the Senate.

“Passage of the Newborn Screening Saves Lives Reauthorization Act with the addition of consent and privacy protections is a victory for both genetic information privacy and child health,” stated CRG President Jeremy Gruber. “The National Institutes of Health is currently working on updating the Common Rule for human subject research. We fully expect that Congress’ interest in establishing privacy and consent protections for newborn screening has now been communicated to the NIH, and will be carefully included as part of the Common Rule as a final draft develops.”

Privacy protections for genetic information are possible! CRG would like to thank the many members of the US Senate that made this victory possible.

Mandatory DNA collection during arrest is unconstitutional, court says

A state appeals court decided unanimously Wednesday that California’s practice of taking DNA from people arrested for felonies — though not necessarily convicted or even charged — violates the state constitution.

The decision, handed down by an appeals panel here, is likely to be appealed to the California Supreme Court.

A three-judge panel of the First District Court of Appeal struck down a portion of a 2004 law passed by voters permitting the state to take and store DNA profiles from people arrested for felonies.

The U.S. Supreme Court has upheld a more limited Maryland law under the federal Constitution.

But Wednesday’s decision was based on the California Constitution, which specifically gives residents privacy rights.

“The California DNA Act intrudes too quickly and too deeply into the privacy interests of arrestees,” Presiding Justice J. Anthony Kline wrote for the panel.

“The fact that DNA is collected and analyzed immediately after arrest means that some of the arrestees subjected to collection will never be charged, much less convicted, of any crime,” Kline wrote.

In 2012, 62% of people arrested on suspicion of felonies in California were ultimately not convicted, and almost 20% were never even charged, the court said.

Unlike Maryland, California does not require DNA profiles to be automatically expunged if a person is not convicted.

California stores the DNA profiles in a database. People who are not convicted or charged must apply to have their genetic profiles removed, and “the expungement process is neither quick nor guaranteed,” Kline said.

Arrestees must submit a request to the trial court and the county prosecutor as well as to the state Department of Justice’s DNA laboratory to have their DNA profiles removed from the database, and courts may deny the requests.

“California places the burden on the arrestee to pursue an onerous judicial process which seemingly vests the prosecutor with power to prevent expungement merely by objecting to the request,” Kline wrote.

A similar challenge to California’s law being heard in federal court was put on hold Wednesday as a result of the state court ruling.

A spokesman for state Atty. Gen. Kamala D. Harris, whose office has defended the DNA law, said lawyers were reviewing the ruling.

Harumi Mass, a senior staff attorney at the ACLU of Northern California, which filed a friend of the court brief in the state case, praised the court’s decision for recognizing that “DNA is fundamentally differently from a fingerprint.”

“People who have never been charged with a crime should not have their DNA put in a government database,” Mass said.

Maura Dolan, LA Times

CRG Presses US Senate for Privacy and Consent Protections in Newborn Screening

H.R. 1281 is the Newborn Screening Saves Lives Reauthorization Act of 2014. It seeks to reauthorize and amend a number of state grant programs and federal requirements for newborn screening. The bill passed the US House by a voice vote on June 24, 2014.

Every US state conducts  a newborn screening test on every baby born within its borders. State law generally requires that a nurse takes a few drops of blood from the heel of each newborn, and submits it to a state laboratory. There, researchers test blood to look for 50 or so medical conditions that could be dangerous–generally metabolic,  genetic or endocrine conditions. Newborn screening has proven a very effective and successful health program.

Unfortunately, once the initial testing is completed, the samples are not destroyed. Rather than discarding the screening tests, many state departments of health store the bloodspots for a period of time, even indefinitely, using them for quality control and sometimes research. Usually parents have no idea this is occurring.

In 2007, President Bush signed the Newborn Screening Saves Lives Act, which provides grants to state entities administering newborn screening programs. The intent of the law is to unify and nationalize the data collection resulting from state screening programs by standardizing data collection and reporting.

Notably, this law does not specify the protocol for sharing newborn screening data between research projects, and does not address issues that might arise if the newborn’s information is linked or linkable to the newborn screening sample. It furthermore does nothing to address parental consent with regard to data storage and sharing.

Newborn screening is one of the few types of genetic testing to which every American is exposed, yet few Americans are aware of the serious privacy and lack of consent issues with the storage and use of samples. CRG is working hard with Members of the US Senate to amend the legislation so that the important benefits of newborn screening are supported while upholding principles of privacy and parental consent.

A copy of the letter to the Senate is below.

http://www.councilforresponsiblegenetics.org/pageDocuments/64T5JQTBQO.pdf

Pharma and Biotech Firms Hacked

For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations — most of them publicly traded health care or pharmaceutical companies — apparently in pursuit of information significant enough to affect global financial markets.

The group’s activities, detailed in a report released Monday morning by FireEye, a Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can significantly affect a company’s stock price.

Starting in mid-2013, FireEye began responding to the group’s intrusions at publicly traded companies — two-thirds of them, it said, in the health care and pharmaceutical sector — as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services.

The attackers, whom FireEye named “Fin4” because they are one of several groups that hack for financial gain, appear to be native English speakers, based in North America or Western Europe, who are well versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ.

Different groups of victims — frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists — are sent different emails.

Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee’s negative rants about the executive in an investment forum. In another case, hackers posed as an adviser to one of two companies in a potential acquisition.

In several cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In others, the attackers simply embedded generic investment reports in their emails.

In each case, the links or attachments redirected their victim to a fake email login page, designed to steal the victim’s credentials, so that the attacker could log into their email and read the contents.

The Fin4 attackers maintain a light footprint. Unlike other well-documented attacks originating in China or Russia, the attackers do not use malware to crawl further and further into an organization’s computer servers and infrastructure.

They simply read a person’s emails and set rules for the infiltrated inboxes to automatically delete any email that contains words such as “hacked,” “phished” or “malware,” to increase the time before their victims learn their accounts have been compromised.

“Given the types of people they are targeting, they don’t need to go into the environment; the senior roles they target have enough juicy information in their inbox,” said Jen Weedon, a FireEye threat intelligence manager. “They are after information protected by attorney-client privilege, safety reports, internal documents about investigations and audits.”

Because the attackers do not deploy malware and communicate in native English, they can be tricky to track.

Ms. Weedon said FireEye first began responding to Fin4 attacks in mid-2013 but did not put together its findings until five months ago, when a few of its analysts concluded the attacks did not appear to be the work of familiar attackers in Russia or China, and warranted further investigation.

FireEye would not name the victims, citing nondisclosure agreements with its clients, but said that all but three of the affected organizations were publicly listed on the New York Stock Exchange or Nasdaq, while the others were listed on exchanges outside the United States.

Half of these companies fall into the biotechnology sector; 13 percent sell medical devices; 12 percent sell medical instruments and equipment; 10 percent manufacture drugs; and a small minority of targets include medical diagnostics and research organizations, health care providers and organizations that offer health care planning services.

FireEye said it had notified the victims, as well as the Federal Bureau of Investigation, but did not know whether other organizations like the Securities and Exchange Commission were investigating.

Representatives of the F.B.I. and S.E.C. declined to comment on the case.

FireEye has aggressively marketed its security research and breach detection products since it went public last year.

Its Fin4 research was published the day after David G. Dewalt, FireEye’s chief executive, appeared in a “60 Minutes” report, lamenting the fact that companies do not detect their breaches sooner.

The company’s stock price — which surged to $100 a share last March — has since dropped to $30 a share in part because of a report that indicated one of FireEye’s intrusion detection products did not perform as well as others in a lab test.

On Monday, the same day FireEye released its Fin4 report, lawyers filed a class-action suit in the United States District Court for the Northern District of California on behalf of FireEye shareholders.

Ms. Weedon said that FireEye had not had time to assess the effects of the breaches to see whether the attackers had benefited financially.

It is also difficult to track the attackers because in each case, they logged into their victim’s email accounts using Tor, the anonymity software that routes web traffic through Internet Protocol addresses around the globe. Last month, the F.B.I. seized dozens of criminal websites operating on the Tor network, in the largest operation of its kind.

“We don’t have specific attribution but we feel strongly this is the work of Americans or Western Europeans who have worked in the investment banking industry here in the United States,” Ms. Weedon said. “But it’s hard because we don’t have pictures of guys at their keyboards, just that they are native English speakers who can inject themselves seamlessly into email threads.”

Ms. Weedon added, “If it’s not an American, it is someone who has been involved in the investment banking community and knows its colloquialisms really well.”

Nicole Perlroth, NY Times