Your Health Information was Hacked. What Can You Do?
In October 2023, a hacker got access to user accounts with genetic testing service 23andMe. Fourteen thousand accounts were compromised – only 0.1% of their fourteen million users. But in early December, the company revealed that the 23andMe hack affected more people than anyone expected. Even though the hacker accessed only 14,000 accounts, they used those compromised accounts to get access to the data of nearly 7 million people.
If your private health information was exposed by the 23andMe hack, it’s important to know what steps to take. And even if you’re not a 23andMe user, hackers and phishers are also targeting other health companies and organizations. If a hack or breach compromises your health data, you need to take steps to protect it. This article will tell you more about this specific hack. But you can use these steps any time your health information is exposed.
The Details of the 23andMe Hack
The world first found out about the 23andMe hack in October 2023, when an anonymous hacker posted the information they gained for sale online. They claimed it was “millions” of genetic profiles from 23andMe accounts. The data included email addresses, locations, genders, birthdays, and DNA ancestry and health information.
23andMe investigated and said that the hacker only accessed 14,000 accounts – an extremely small percentage of their users. They also determined that the hacker did not actually compromise any of their systems. Instead, they got in through a type of attack called “credential stuffing.” The attacker takes usernames and passwords exposed in a breach of one site and tries them, in bulk, on many other sites. If you use the same password on multiple sites, credential stuffing can let a hacker in. That’s exactly what happened with the 23andMe hack.
23andMe has a feature that lets you share information with people you’re genetically related to, whether or not you’ve met them. That information can include your name, location, genetic ancestry, and some health information, like your genetic predisposition to certain diseases. Even though the hacker only got access to 14,000 accounts, each of those accounts could view the profiles of its matched relatives, so the hacker used the information sharing feature to collect data on 6.9 million people.
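The two mechanisms above, credential stuffing and the fan-out through a relative-sharing feature, are easier to reason about in code. The following is an added example, not 23andMe's code or anything from the incident: every user, password, relative list, IP address and log line in it is constructed for the illustration. It shows the attacker's replay loop against a small user table, how many profiles become readable once a handful of logins succeed (the access is not transitive, since the attacker cannot log in as the relatives, but each account exposes everyone it is allowed to view), and the signature a defender can look for in the authentication log.

```python
"""Model of a credential-stuffing breach amplified by a sharing feature.

Step 1 - credential stuffing: replay email/password pairs leaked from an
unrelated site against this service's (constructed) user table.
Step 2 - amplification: each compromised account can view the profiles of
its opted-in relatives, so far more people are exposed than logins fail.
Step 3 - detection: the same activity as seen in the server's auth log.
All users, passwords, IPs and log lines are constructed for this example.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# --- Constructed user table for this service: email -> (salt, PBKDF2 hash) ---
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def add_user(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = (salt, hash_password(password, salt))


add_user("alice@example.com", "glacier-tulip-anvil-94")  # unique password
add_user("bob@example.com", "Summer2019!")               # reused elsewhere
add_user("carol@example.com", "hunter2")                 # reused elsewhere
add_user("dave@example.com", "dave-changed-this-one")    # old leak, since rotated

# --- Constructed "combo list" leaked from an unrelated site's breach ---
COMBO_LIST: List[Tuple[str, str]] = [
    ("alice@example.com", "password123"),   # alice didn't reuse -> fails
    ("bob@example.com", "Summer2019!"),     # reused -> succeeds
    ("carol@example.com", "hunter2"),       # reused -> succeeds
    ("dave@example.com", "dave-old-2017"),  # rotated -> fails
    ("nobody@example.com", "whatever"),     # no such account here
]


def check_login(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(hash_password(password, salt), stored)


def credential_stuff(combo_list: Iterable[Tuple[str, str]]) -> Set[str]:
    """The attacker's loop: replay every leaked pair, keep the ones that work."""
    return {email for email, pw in combo_list if check_login(email, pw)}


# --- Constructed sharing graph: account -> relatives whose profile it may view ---
RELATIVES: Dict[str, List[str]] = {
    "alice@example.com": ["bob@example.com", "erin@example.com"],
    "bob@example.com": ["alice@example.com", "frank@example.com", "grace@example.com"],
    "carol@example.com": ["heidi@example.com", "ivan@example.com", "grace@example.com"],
    "dave@example.com": ["judy@example.com"],
}


def exposed_profiles(compromised: Set[str], relatives: Dict[str, List[str]]) -> Set[str]:
    """Everything the attacker can read: each compromised account's own profile
    plus every profile that account is allowed to view. One hop only, because
    the attacker cannot log in as the relatives, yet it still fans out."""
    exposed = set(compromised)
    for account in compromised:
        exposed.update(relatives.get(account, []))
    return exposed


# --- Constructed auth log: one "ip email result" record per line ---
AUTH_LOG = """\
203.0.113.7 alice@example.com FAIL
203.0.113.7 bob@example.com OK
203.0.113.7 carol@example.com OK
203.0.113.7 dave@example.com FAIL
203.0.113.7 nobody@example.com FAIL
198.51.100.2 alice@example.com FAIL
198.51.100.2 alice@example.com OK
"""


def flag_stuffing_ips(log: str, min_accounts: int = 4, min_fail_ratio: float = 0.5) -> Set[str]:
    """One IP spraying many *different* accounts with mostly failures is the
    signature of credential stuffing; one user retyping their password is not."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    fails = defaultdict(int)
    for line in log.splitlines():
        ip, email, result = line.split()
        accounts[ip].add(email)
        attempts[ip] += 1
        if result == "FAIL":
            fails[ip] += 1
    return {ip for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and fails[ip] / attempts[ip] >= min_fail_ratio}


if __name__ == "__main__":
    hit = credential_stuff(COMBO_LIST)
    print("compromised logins:", sorted(hit))
    print("exposed profiles:", sorted(exposed_profiles(hit, RELATIVES)))
    print("suspicious IPs:", flag_stuffing_ips(AUTH_LOG))
```

Two compromised logins expose seven profiles here; scale the relative lists up to the hundreds of matches a real account can have and the 14,000-to-6.9-million ratio stops looking surprising. The detector deliberately keys on distinct accounts per source rather than failures per account, since a stuffing run touches each account only once and never trips a per-account lockout.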
Data Breaches and the Risks of Exposed Health Information
Data breaches happen all the time, to all kinds of companies. In a data breach, someone hacks or otherwise compromises a company you have given your information to. The culprit can then publicly expose your information, take it to use themselves, or sell it to other criminals. This is a shortened explanation – for more details, see this article about data breaches. You can also check if your accounts have been compromised with our Data Breach Check.
Having your information exposed in a data breach has many risks. If the breach exposes your password, a criminal could take over your account or use credential stuffing to access any account where you reused that password. Scammers could use your information to target you with scams you’re more likely to fall for. And if it exposes information like your Social Security Number, they could steal your identity.
If the breached data includes your health or medical information, there are additional dangers. It’s common for health information to also include identity information, which puts you at risk of medical identity theft or health insurance fraud. If the breach reveals the information publicly, you could also be discriminated against. The 2008 Genetic Information Nondiscrimination Act (GINA) prevents employers and health insurance companies from using your genetic information to discriminate against you. So you can’t be denied employment or charged higher health insurance rates if your DNA shows you’re at risk of developing a debilitating condition, for example. But life insurance and disability insurance have no such restrictions. They are free to raise your rates or deny you coverage based on your exposed genetic information.
What to Do if Your Health Information is Exposed
Hackers are targeting all sorts of companies and organizations, including hospital systems and those that have your health data. This information doesn’t just apply to the 23andMe hack. If there is a breach in a medical company you work with or your health information was exposed in any way, follow these steps. Unfortunately, it’s almost impossible to fully regain control of any information exposed in a breach, health-related or not. But you can take action to reduce the damage.
Find Out if It Affected You
If you hear about a breach, start by finding out if it affected you. For data protected by the United States’ HIPAA privacy rules, for example, the breached organization must notify you without unreasonable delay, and no later than 60 days after discovering the breach, and must tell you what steps you can take to protect yourself.
Unfortunately, not every company that has your health data is covered by HIPAA. In those cases, they still have to notify you that your data was compromised, but they don’t have to tell you how to protect yourself. In the case of the 23andMe hack, the company has said they are notifying everyone affected, but they didn’t give a time frame. If you hear about a breach at a company that has your data, it’s never a bad idea to take action, even if you haven’t (yet) been notified that it affected you.
Reset Your Passwords
Since the 23andMe hack was caused by password reuse, 23andMe is requiring all their users to reset their passwords. But it’s always a good idea to reset your passwords after a breach regardless. Choose a strong password – one that’s long and random. Also make sure it’s a completely unique password that you haven’t used on any other site. Reused passwords are how the hackers got into those 23andMe accounts in the first place. If you don’t want to have to remember long, unique, random passwords for every site, consider getting a password manager. You won’t have to remember all those passwords, and most password managers will generate long, strong, random ones for you at the press of a button.
If you are someone who still reuses passwords, a breach or compromise means it’s time to change them all. Change your password on each site where you reused it. And make sure each one is different when you change it – making them all the same again defeats the purpose. And again, if you don’t want to put in the effort to memorize all these new passwords, a password manager can help.
Monitor Your Medical Data
If a hack or breach affected your health or medical information, immediately get a copy of your accurate medical records for reference. Then watch for signs that someone is using your medical data fraudulently. This could be bills for care you didn’t receive, errors in the Explanation of Benefits (EOB) statements you get from your health insurance, or notices claiming you’ve reached your benefit limit. You should also watch for suspicious or unauthorized transactions on financial accounts like HSAs or FSAs.
If you find any errors or suspicious signs, report them in writing. Send both your health insurer and the relevant healthcare provider a copy of your accurate medical records and a written explanation of what is wrong or why the bill is suspicious. For financial accounts, ask the institution managing the account about its process for disputing fraudulent charges. If you use Medicare or Medicaid, you can also report fraud to the US Department of Health and Human Services Office of Inspector General.
Watch for Identity Theft
The 23andMe hack did expose genetic and health information, but it also exposed personal information. This is common with any data breach, including ones that expose health data. And when it exposes personal information, criminals can seize the opportunity to steal your identity. Whenever a data breach affects your information, it’s essential to be on the lookout for signs of identity theft.
Monitor your credit report for new accounts you didn’t open. Also watch your existing accounts for charges you didn’t authorize and withdrawals you didn’t make. Report anything suspicious or unauthorized to the credit bureaus or to your bank or financial institution. For extra safety, consider freezing your credit altogether. You will have to un-freeze it the next time you want to apply for credit, but it will prevent anyone from opening new accounts in your name.
How to Protect Your Data Going Forward
For most of us, breaches or hacks have already exposed at least some of our information at some point. But if your health data is still private for now, there are steps you can take to keep it safer and reduce the risks of future breaches. Even if your health data has already been breached, you can still use these steps to keep it safer in the future.
Secure Your Accounts
If you’ve read to this point in the article, we hope we’ve convinced you of the importance of long, strong, random, unique passwords. After all, credential stuffing only works against passwords that have been reused, so the 23andMe accounts would not have fallen to it if their owners had used unique passwords. We may one day move to an internet that doesn’t require passwords to secure our accounts. But in the meantime, one of the best things you can do to keep hackers out of your accounts is to use secure passwords. And no matter how strong, never re-use them!
The other best thing you can do to secure your accounts is to turn on two-factor authentication. Two-factor authentication (2FA), sometimes called multi-factor authentication (MFA), requires both a password and a second factor that an attacker holding only the password does not have: usually a separate one-time code from an authenticator app or text message, or a hardware security key. With 2FA, even a hacker who has your password will have to do a lot more work to get in. Many health companies offer 2FA as an option, and if they do, turn it on! If they don’t, request it. In a world where simple attacks like credential stuffing can lead to huge breaches like the 23andMe hack, a company that doesn’t offer 2FA is behind the times.
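To make the “separate, unique code” concrete, here is an added example (not from the original article, and not any particular vendor’s implementation) of the standard time-based one-time password scheme most authenticator apps use, TOTP (RFC 6238) built on HOTP (RFC 4226). The secret is the RFC 6238 test-vector key so the codes can be checked against the published vectors; a real service generates a random secret per user and hands it over once, in the QR code. The verifier side shows the two details that matter in practice: a small window for clock skew, and refusing to accept a code twice.

```python
"""TOTP (RFC 6238) code generation and server-side verification.

The secret is the RFC 6238 test-vector key, used here so the results can be
checked against the published vectors; never reuse it in a real deployment.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds each code is valid for


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side: accept the current step plus one step either side for clock
    skew, and never accept a step at or before the last one consumed, so a
    code captured in transit cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = 6, step: int = STEP):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.step = step
        self.last_used_step = -1  # per-user state; persist it in a real service

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        current = at // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_used_step:
                continue  # already consumed, or older than a consumed step
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                return True
        return False


# RFC 6238 test-vector secret (ASCII "12345678901234567890"), shown the way an
# authenticator app receives it: base32 inside the otpauth:// URI.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SECRET = base64.b32decode(SECRET_B32)

if __name__ == "__main__":
    print(totp(SECRET, at=59, digits=8))  # 94287082, per RFC 6238 Appendix B
    verifier = TotpVerifier(SECRET)
    code = totp(SECRET, at=1_111_111_109)
    print(verifier.verify(code, at=1_111_111_109))  # True
    print(verifier.verify(code, at=1_111_111_109))  # False: replayed
```

The point for the breach discussed above is what the attacker is missing: a stuffed password gives them nothing to put in the second box, because the code depends on a secret that never left the user’s phone and the server. Note that SMS-delivered codes share the same generation idea but not the same property, since the code travels over a channel that can be intercepted or redirected.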
Don’t Share Your Info
A great way to keep your information safe is to not share it in the first place. Consider what data you share and with whom. You may find that people, apps, and companies ask you for a lot more information than you really need to give to get what you need.
Whether it’s a genetic testing service, a wellness app, or your doctor’s office, ask whether they really need all the information they’re asking for. Is this piece of data essential to getting the care you need? Should you really be sharing your full medical record with this organization? Sometimes, the answer is yes. Providing a family medical history to your dermatologist may be an important part of assessing your risk of skin cancer. But do they need the results of your last depression screening questionnaire? Probably not. If in doubt, ask. If they can’t give you a reason why not having this information would prevent them from giving you the care you need, don’t share it.
Compartmentalize Your Health Data
Another way to reduce the danger of health information breaches is compartmentalization. Compartmentalizing separates your health data from the rest of your personal data. You can create a specific email address that you only use for health and medical things. You can also opt out of sharing location data, contacts, or other information with healthcare and wellness websites and apps.
Compartmentalization helps keep you safer if a criminal gets your information. If you have successfully used compartmentalization to keep your health information separate from the rest of your online profile, it will be much harder for criminals to use it.
Request Data Deletion
In some cases, you can request that companies delete your information from their databases. If the company no longer has your data, it can’t be exposed in a future breach. However, it’s important to read the fine print. Many people want to delete their 23andMe data after the 23andMe hack, and the company offers that option. You can request it from the Account Settings menu. It will permanently delete your account, stop using your information in research studies, and destroy any genetic sample they have on file. However, they will hold onto your genetic information, date of birth, and sex. It won’t be tied to your name anymore, but genetic data is inherently identifying, so in some cases it could still be linked back to you.
Laws and your “right to be deleted” vary depending on where you live. If you live in the EU (where the GDPR gives you a right to erasure) or in a US state with a comprehensive privacy law, companies generally must delete your information when you request it, though exceptions such as legal retention requirements apply. It’s important to check your local laws and see what rights you have and how much companies are required to delete if you ask.