Protecting personal data is no easy task. With the rise of technology, data collection has become increasingly commonplace, with companies collecting data from users for various reasons, such as targeted advertising and analytics. While data collection carries many benefits, it also carries many risks. If data is not properly managed or protected, it may fall into the wrong hands or be used against its owner.

Data Protection Week is celebrated to bring awareness to the importance of protecting personal data. By understanding the significance of data protection, medical companies can work with existing privacy policies, as well as take personal measures, to ensure data does not leak to inappropriate parties.



Like any other industry, the use of technology within the medical field is growing exponentially. This surge in adoption increases the possibility of data leaks containing personal information, including genomic data.

Genomic data is some of the most intimate information about a person’s past, present, and future, and it is invaluable in the medical field. It is an important asset for individuals as well as organizations, holding the key to more precise healthcare insights, greater accuracy in genetic research, and, through whole exome sequencing, improved treatments for diseases. As with any personal information, there is significant risk associated with the collection, storage, and sharing of genomic data, including misuse, data breaches, and unintended data sharing.

Misuse of genomic data can include invasions of privacy and discrimination in areas such as insurance or employment, for example an insurance company using an individual’s genomic data to deny medical coverage or charge higher rates. Additionally, the use of technology in the medical space invites the possibility of data breaches and data sharing, such as intrusions that expose personal and sensitive information to the public. These risks are why it is imperative that protective measures be taken.



Within the medical field, protective measures are already in place to safeguard someone’s personal data: HIPAA, GDPR, ISO-27001, and CMMC, to name a few.


The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that offers protection to individuals regarding their protected health information (PHI). HIPAA requires healthcare providers, as well as other medical-related entities, to abide by certain standards when handling PHI, setting the rules and regulations that must be followed to protect confidential health information.

There are many components to protecting genomic data under HIPAA, the Privacy Rule being the most important. This rule states that individuals must give written consent before their genomic data can be disclosed to a third party. It also requires covered entities to implement safeguards when storing or transmitting PHI, including genomic data.

In relation to electronic data breaches, HIPAA has also established the Security Rule, requiring administrative, physical, and technical safeguards for electronic protected health information (ePHI). These safeguards include strong passwords for user accounts, securing the electronic devices used to store ePHI, deploying software that prevents intrusions, and making sure that all ePHI is encrypted before it is transmitted through external channels.



The General Data Protection Regulation (GDPR) is a law designed by the European Union to protect the privacy of its citizens. GDPR applies to any company or organization that collects and processes personal data from EU citizens, including genomic data.

In order to protect genomic data under GDPR, these companies and organizations must abide by three main principles: informed consent, storage limitation, and purpose limitation. Individuals must give explicit consent before any form of personal data, including genomic data, is collected or processed. The data must then have a storage limit, typically lasting only as long as needed for its intended purpose. Finally, companies can only use personal data for purposes that were outlined to the user in advance. These purposes should also be limited in scope to further protect the data against misuse or inappropriate access.

Although GDPR is the most widely used international data protection law of its kind, similar laws have long been in place in other countries, and several states within the U.S. have introduced and passed data protection legislation as well.


ISO/IEC-27001 is an international standard for information security management systems, helping organizations protect information assets, including genomic data, from outside threats.

ISO/IEC-27001 covers a variety of areas within security management, including risk assessment, security controls, incident management, and compliance. The standard can be used by any type of organization to develop an information security management system (ISMS) tailored to its specific needs. For genomic-related companies, this can mean incorporating access controls, encryption, and security audits of their employees and electronic systems.


The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the United States Department of Defense to ensure that those handling controlled unclassified information (CUI) have adequate cybersecurity measures in place. Genomic data is one of the categories that falls under CUI.

CMMC lays the groundwork for implementing detailed guidelines to securely handle data as sensitive as genomic data. These guidelines include measures such as access controls, incident response plans, and regular risk assessments. Organizations must additionally have policies and procedures in place to make sure genomic data is handled appropriately and protected against unauthorized access and breaches.


Any company that stores and uses personal customer data is responsible for keeping that data safe. Medically associated practices in particular, whether hospitals, research labs, or bioinformatics software such as g.nome®, must make adherence to the laws and rules created to protect personal data from public exposure their highest priority.

There are, however, circumstances in which genomic data can be released, which can lead to breakthroughs in cold cases or the arrest of a murderer whose identity was previously unknown.



On November 13, 2022, four students from the University of Idaho were found murdered in their off-campus home. For over six weeks, law enforcement officials worked to identify a suspect, but only managed to announce that they had linked a car, a white Hyundai Elantra, to the scene.

A break in the case came in late December 2022. The sheath of a knife had been discovered on one of the victims’ beds, leaving behind DNA. The only problem? The DNA found was not a match for anyone within the FBI’s national DNA database. Luckily for law enforcement, and unluckily for the suspect, genetic genealogy and public DNA databases held the answer.

Online genealogy databases have been on the rise in recent years, with the popular gifting of DNA test kits such as 23andMe, AncestryDNA and GEDmatch. Through one of these online databases, authorities were able to link the DNA found on the sheath of the knife to the father of the suspect, which eventually led to the arrest of Bryan Kohberger, a 28-year-old criminology Ph.D. student.


Left: Joseph DeAngelo, the Golden State Killer | Right: Joseph Augustus Zarelli, “America’s Unknown Child”

Genealogical DNA has recently been used to aid in the investigation of multiple crimes. From the conviction of the Golden State Killer to the identification of “America’s Unknown Child”, recent advancements in DNA technology and genetic testing are becoming regular tools for law enforcement. But how do these law enforcement agencies gain access to these databases? The websites publish a privacy policy stating that if an individual selects the “Public Opt-in” option, their DNA can be “compared with kits submitted by law enforcement to identify perpetrators of violent crimes,” according to the GEDmatch website.

When deciding whether to submit genealogical information to a national database, reviewing the company’s privacy policy is an important step toward understanding how that data may be used, including in criminal investigations.