Some 6.9 million 23andMe customers had their data compromised after an anonymous hacker accessed user profiles and posted them for sale on the internet earlier this year, the company said on Monday.
The compromised data included users’ ancestry information as well as, for some users, health-related information based on their genetic profiles, the company said in an email.
Privacy advocates have long warned that sharing DNA with testing companies like 23andMe and Ancestry makes consumers vulnerable to the exposure of sensitive genetic information that can reveal health risks of individuals and those who are related to them.
Read More: DNA Testing Kits Are on Everyone’s Holiday List. 5 Things to Know If You Get One
In the case of the 23andMe breach, the hacker only directly accessed about 14,000 of 23andMe’s 14 million customers, or 0.1%. But on 23andMe, many users choose to share information with people they’re genetically related to — which can include distant cousins they have never met, in addition to direct family members — in order to learn more about their own genetics and build out their family trees. So through those 14,000 accounts, the hacker was able to access information about millions more. A much smaller subset of customers had health data accessed.
Users can choose whether to share different kinds of data, including name, location, ancestry and health information such as genetic predisposition to conditions such as asthma, anxiety, high-blood pressure and macular degeneration.
The exposure of such information could have concerning ramifications. In the U.S., health information is typically protected by what’s known as the Health Insurance Portability and Accountability Act, or HIPAA. But such protections only apply to health-care providers.
The 2008 Genetic Information Nondiscrimination Act (GINA), protects against discrimination in employment and health insurance should information from a DNA test make it out into the wild. This aims to protect individuals from being denied a job or insurance coverage if, for example, a DNA test reveals they are at risk of eventually developing a debilitating condition.
But the law has loopholes; both life insurers and disability insurers, for example, are free to deny people policies based on their genetic information.
There have been other high-profile hacks of DNA testing companies. But 23andMe is the first breach of a major company in which the exposure of health information was publicly disclosed. (The Federal Trade Commission recently ordered a smaller firm, Vitagene, to strengthen protections after health information was exposed.)
The hacker appeared to use what’s known as credential stuffing to access customer accounts, logging into individual 23andMe accounts by using passwords that had been recycled and used for other websites that were previously hacked. The company said there was no evidence of a breach within its own systems.
Since the hack, the company announced that it will require two-factor authentication in order to protect against credential-stuffing attacks on the site. It has said it expects to incur $1 million to $2 million in costs related to the breach.