
The Department of Health and Human Services (HHS) needs to do more to protect Americans’ DNA data to keep it out of the hands of foreign adversaries, the Government Accountability Office (GAO) warned in a report issued on April 30.
If adversaries acquired Americans’ DNA data, it could enable them to identify and coerce citizens and lead to dependencies on those adversaries’ innovation and drug development, among other national security threats, the Federal watchdog said in its report.
Data stored on genomes – a complete set of all genetic information – is used by HHS and its various research arms such as the National Institutes of Health (NIH) and the Centers for Disease Control and Prevention (CDC) to fund and research medical treatments and genetic diseases.
However, HHS hasn’t taken all of the necessary steps to secure that data, GAO said – despite warnings from the Office of the Director of National Intelligence (ODNI) and other experts on the risks of Americans’ genomic information being collected by foreign governments, such as China.
“According to ODNI, foreign regimes can combine personal health data, including genetic data, with other personal datasets they have collected to build profiles on individuals,” said GAO. “ODNI has identified privacy, economic, intelligence, and military risks associated with foreign governments’ collection of U.S. personal health data, including genomic data.”
The NIH and CDC – which maintain databases of genomic data – already have data management and security measures that they require researchers to follow. For example, GAO said NIH requires researchers to strip data of personal identifiers according to specified regulations, while the CDC and Centers for Medicare and Medicaid Services (CMS) have implemented parallel measures to restrict data access, monitor compliance, and assess national security risks tied to foreign entities.
But NIH hasn’t systematically tracked which researchers inside and outside the agency use genetic services from entities with ties to adversarial countries, and it hasn’t developed or implemented proactive and comprehensive monitoring of researcher compliance with data management and security practices for genomic data in its databases.
GAO added that the CDC hasn’t developed or implemented similar procedures across all its centers that maintain restricted-access repositories.
Between 2018 and 2024, NIH told GAO that it had confirmed 40 violations of its security and data policies. It said that 36 of those involved restricted data, but that no breaches were related to adversarial countries.
“Officials said that NIH reviews institutions’ implementation of these requirements on a case-by-case basis after it has reason to believe there has been a data management incident,” GAO said of how NIH audits researcher compliance with its policies.
“Without procedures for proactively and comprehensively monitoring researcher compliance with data management and security requirements for human genomic data, taking into account agency resource limitations, NIH may be missing violations that go unreported by researchers,” GAO added.
Additionally, the HHS Office of National Security (ONS) hasn’t fulfilled its own responsibilities to ensure that lab tests done by companies on human genomes are first vetted by company location and foreign ownership – part of its standard supply chain risk policies that it oversees.
“Because ONS has not developed or shared risk assessment standards or training, operating divisions and HHS leadership are less equipped to apply supply chain risk management to grants, cooperative agreements, and acquisitions related to human genomic information, such as genetic testing for NIH-supported research, where applicable,” said GAO. The watchdog said ONS plans to be able to apply necessary practices by August 2025.
GAO said that HHS ONS should create and share supply chain risk assessment standards, training, and guidance, while NIH and CDC should systematically track researchers’ use of genetic services from adversarial countries and proactively monitor compliance with data security and management policies.
HHS, NIH, and CDC all agreed with GAO’s recommendations.