Latanya Sweeney, director of the Data Privacy Lab at Harvard, has been researching the issue of de-anonymization or re-identification of data for years. In 1998, she explained how a former governor of Massachusetts had his full medical record re-identified by cross-referencing Census information with de-identified health data. Sweeney also found that, with birth date alone, 12 percent of a population of voters can be re-identified. With birth date and gender, that number increases to 29 percent, and with birth date and zip code it increases to 69 percent. In 2000, Sweeney found that 87 percent of the U.S. population could be identified with birth date, gender and zip code. She used 1990 Census data.  In 2011, her research reported on the dangers that can arise from the re-identification of “anonymized” medical data, and her advocacy of a “privacy-preserving marketplace” for data.

Now, Forbes reports, a group led by Sweeney has been able to re-identify “more than 40% of a sample of anonymous participants in a high-profile DNA study.”

From the onset, the Personal Genome Project, set up by Harvard Medical School Professor of Genetics George Church, has warned participants of the risk that someone someday could identify them, meaning anyone could look up the intimate medical histories that many have posted along with their genome data. That day arrived on Thursday. Read more »

A couple of years ago, when Rebecca Skloot published a book about the fascinating story of Henrietta Lacks, her cervical cancer and what researchers did with it, news articles raised questions about the privacy of a person’s medical data and what rights a person has to their own tissue. Now, Skloot updates the story in an opinion column for the New York Times — and, now, there are even more genetic privacy questions:

LAST week, scientists sequenced the genome of cells taken without consent from a woman named Henrietta Lacks. She was a black tobacco farmer and mother of five, and though she died in 1951, her cells, code-named HeLa, live on. They were used to help develop our most important vaccines and cancer medications, in vitro fertilization, gene mapping, cloning. Now they may finally help create laws to protect her family’s privacy — and yours.

 The family has been through a lot with HeLa: they didn’t learn of the cells until 20 years after Lacks’s death, when scientists began using her children in research without their knowledge. Later their medical records were released to the press and published without consent. Because I wrote a book about Henrietta Lacks and her family, my in-box exploded when news of the genome broke. People wanted to know: did scientists get the family’s permission to publish her genetic information? The answer is no. [...]

The New York Daily News reports on a bill introduced by N.Y. Assemblyman Daniel J. O’Donnell (D-Manhattan) concerning the privacy of student data. The bill, A06059 (Assembly html; archive pdf), seeks to prohibit the release of personally identifiable student information without either parental consent or, “in the case of students eighteen years of age or older the consent of the student.” The bill does include exceptions for disclosures required by law, a court order or warrant, or a contract with a third party but the contract must meet certain requirements. The bill includes biometric data — such as fingerprints, retina and iris patterns, DNA, facial characteristics and handwriting — as “personally identifiable student information.” The bill also includes disclosure requirements for “the department, district board of education or school” that shares the student data with other parties.

The bill comes after the Daily News reported that, “In an unprecedented move, education officials will hand over personal student data to a new private company to create a national database for businesses that contract with public schools. Working with the city, state education officials are already uploading private information about students — their names, addresses, test scores, learning disabilities, attendance and disciplinary records — into a $100 million database called inBloom.” Although “Officials vowed they would comply with a federal law, the Family Educational Rights and Privacy Act, which requires that the confidential information be protected,” there are protests from parents as well as student and privacy advocates.

ABC News reports that the U.S. Supreme Court will hear arguments on a case concerning genetic privacy:

The Supreme Court will revisit the crossroad of privacy and evolving science later this month when it considers whether officials can take the DNA — without a warrant — of someone who has been arrested but not convicted of a crime.

While all states require DNA from individuals convicted of a felony, the federal government and 28 states also require DNA collection and analysis from at least some arrestees.

Alonzo Jay King Jr, claims his constitutional rights were violated when he was arrested in 2009 for assault. At the time of his arrest, pursuant to Maryland’s DNA Collection Act, officials swabbed his cheek and collected his DNA without a warrant.

His 2009 sample was later matched in a state database to DNA from a 2003 rape case. It was a cold case involving a 53-year-old female victim identified as “Vonette W.” in Maryland. Based on the new evidence, King was eventually charged with the 2003 rape and robbery. He is currently serving a life sentence. Read more »

The Department of Health and Human Services announced that it has released a final omnibus rule (pdf) for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The agency said:

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius.  “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information.  The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims.  The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. Read more »

The New York Times reports on medical privacy issues connected with DNA research:

The genetic data posted online seemed perfectly anonymous — strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had no part in the study — identifying nearly 50 people.

The researcher did not reveal the names of the people he found, but the exercise, published Thursday in the journal Science, illustrates the difficulty of protecting the privacy of volunteers involved in medical research when the genetic information they provide needs to be public so scientists can use it.

Other reports have identified people whose genetic data was online, but none had done so using such limited information: the long strings of DNA letters, an age and, because the study focused on only American subjects, a state. [...] Read more »