U.S. Intelligence Community Warns About China Collecting Healthcare Data
China's voracious collection of U.S. healthcare data, including DNA, can pose a national security risk, not to mention harm the privacy of Americans.
A leading U.S. counterintelligence agency this week is reiterating the dangers associated with China's efforts around gathering U.S. genomic and healthcare data.
A fact sheet released this week (.PDF) via the National Counterintelligence and Security Center – part of the Office of the Director of National Intelligence (ODNI) – echoes sentiments made by its former NCSC Director William Evanina on 60 Minutes over the weekend.
"Would you want your DNA or other healthcare data going to an authoritarian regime with a record of exploiting DNA for repression and surveillance?” the NCSC asks in the report issued Monday. "The PRC’s collection of healthcare data from America poses equally serious risks, not only to the privacy of Americans, but also to the economic and national security of the U.S.”
In a conversation with 60 Minutes’ Jon Wertheim on Sunday, Evanina, who stepped down last month after six years as the director of the NCSC - dropped a key figure to illustrate the reach of the People's Republic of China (PRC) when it comes to healthcare data collection: China may have already stolen the personal data of 80 percent of U.S. adults.
For those unfamiliar with data theft campaigns originating in China, the report glosses over projects recently launched by China in order to advance its position in the field of medicine and technology. It highlights the importance of healthcare data, namely DNA, and recent moves by China to gain access to the healthcare data, including genomic data, of U.S. citizens.
These efforts have quickly ramped up over the past year in the wake of the COVID-19 pandemic; the report specifically cites actions carried out by BGI, a Chinese biotech group that’s made strides in the field of genomic sequencing while securing access to U.S. health records and genetic data in the process.
While the 80 percent figure may sound staggering, it’s not inconceivable.
Efforts by BGI aside, the PRC already has a hefty stockpile of data on U.S. citizens thanks to a number of hacks attributed to China over the years, including personally identifiable information its siphoned from the U.S. Office of Personnel Management, the hotel chain Marriott, the credit reporting agency Equifax, and health insurance giant Anthem.
Altogether, that's information on roughly 644 million individuals - not all of them were Americans - more than double the U.S. population.
The NCSC report follows up an advisory via the U.S. Department of Homeland Security last month in which the agency warned about the risks of PRC government-sponsored data theft. As the NCSC and DHS notes in its guidance, laws on the book in China, including the PRC Data Security can also compel Chinese firms to share data they may have collected with the government, widening the scope for data collection.
The NCSC says the PRC has been able to access U.S. healthcare data largely because the country has fewer safeguards when it comes to medical and healthcare data, including when data is used for research.
"U.S. safeguards focus primarily on privacy, not national security, which creates a vulnerability for foreign actors to gain access to data on U.S. persons."
The report underscores the importance of keeping healthcare data, especially DNA, secure.
As the NCSC advisory notes, failing to do so can ultimately have an effect on the country’s national security, either by allowing China to outpace U.S. firms when it comes to innovation or severely disadvantaging them financially. As Edward You, an FBI Investigator interviewed in the 60 Minutes piece puts it, whoever controls the data, controls the future of healthcare.
The NCSC notice comes about a year after the Pentagon warned members of the military to be cognizant of the risks of consumer at-home DNA kits like 23andMe and Ancestry.com. A memo issued by the Joseph D. Kernan, the undersecretary of defense for intelligence, last month stressed that exposing DNA belonging to service members to outside parties could pose an operational risk and to refrain from purchasing them.