On May 15, 2025, a district court in Illinois denied a motion by defendant Hospital Sisters Health System and Saint Francis (HSHS) to dismiss a class action claim brought against the hospital system under the Illinois Genetic Information Privacy Act (GIPA).

GIPA regulates the use, disclosure, and acquisition of genetic information and has adopted the same definition of genetic information as provided in the federal Health Insurance Portability and Accountability Act (HIPAA):

(i) the individual’s genetic tests; (ii) the genetic tests of family members of the individual; (iii) the manifestation of a disease or disorder in family members of such individual; or (iv) any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.

GIPA prohibits employers from soliciting or requesting genetic testing or genetic information of a person or their family members as a condition of employment. GIPA also prohibits employers from changing the terms, conditions, or privileges of employment or terminating the employment of any person due to a person or their family member’s genetic testing or information.

In this case, the plaintiff’s complaint, filed in December 2024, states that the hospital system requires potential employees to submit to a pre-employment medical examination that an HSHS employee conducts. This examination allegedly requires job applicants to disclose information concerning their family medical histories. The plaintiff alleges that she was a job applicant with HSHS and that she, too, was required to submit to a medical examination that asked questions about her family’s medical history. These questions reportedly included inquiries about a family history of heart disease, asthma, or psychological conditions.

In its motion to dismiss filed in February 2025, HSHS argued that the generic family medical history questions included in its medical examination are routine medical questions that do not constitute genetic information as protected by GIPA. The court was unconvinced, holding that “these questions involve[d] a clear report of the manifestation of a disease or disorder in a family which is clearly specified in GIPA through its adaptation of HIPAA’s definitions.” In addition, to support its holding, the court noted that the federal Genetic Information Nondiscrimination Act (GINA), which is also incorporated into GIPA, defines the term “family medical history” as “information about the manifestation of disease or disorder” in family members.

Though GIPA litigation has not yet risen to the level of litigation regarding Illinois’ Biometric Information Privacy Act (BIPA), several courts in 2024 have noted that GIPA should apply broadly. In Taylor v. Union Pacific Railroad Co., No. 23-CV-16404, 2024 WL 3425751 (N.D. Ill. July 16, 2024), the court held that GIPA plaintiffs have lenient standing requirements, concluding that BIPA’s definition of “aggrieved persons” – which encompasses individuals who sustained no actual injury beyond a violation of their rights under the statute – applies to GIPA, as well. In McKnight v. United Airlines, Inc., No. 23-CV-16118, 2024 WL 3426807, at *1 (N.D. Ill. July 16, 2024), the court found that individuals outside of Illinois may nonetheless initiate GIPA litigation if the underlying activity “occurred primarily substantially in Illinois” and that GIPA has a five-year statute of limitations.

Employers with ties to Illinois should note that GIPA may apply to them. Any questions about a job applicant’s family medical history may be considered genetic information under the act—even if these questions are intended to be routine health inquiries—and could give rise to a GIPA claim. Pre-employment exams should be structured carefully to avoid running afoul of GIPA and potential class action risks.

Genetic testing company 23andMe has filed for Chapter 11 bankruptcy protection, and its CEO has resigned. It is seeking to sell “substantially all of its assets” through a reorganization plan that will have to be approved by a federal bankruptcy judge.

Mark Jensen, Chair and member of the Special Committee of the Board of Directors, stated: “We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.” The company has also stated that the buyer must comply with applicable law in using the data.

That said, privacy professionals are concerned about the sale of the data in 23andMe’s possession, including the sensitive genetic information of over 15 million people. People often assume that the information is protected by HIPAA or the Genetic Information Nondiscrimination Act, but as my students know, neither applies to genetic information collected and used by a private company. State laws may apply, and consumers could be offered the ability to request the deletion of their data.

The company has said that customers can delete their data and terminate their accounts. The California Attorney General “urgently” suggests that consumers request the deletion of their data and destruction of the genetic materials in its possession and offers a step-by-step guide on how to do so.

Apparently, so many people have followed the suggestion that the 23andMe website crashed. The site is now back up and running, so 23andMe customers may wish to log in and request the deletion of their data and termination of their accounts.

Montana Governor Greg Gianforte has signed SB 351, the Genetic Information Privacy Act (GINA), which “requires an entity to provide consumer information regarding the collection, use, and disclosure of genetic data; providing for limitations and exclusions; providing for enforcement authority; and providing definitions.”

GINA requires entities that collect genetic data, defined as:

any data, regardless of format, concerning a consumer’s genetic characteristics, which includes but is not limited to:

(i) raw sequence data that result from sequencing all or a portion of a consumer’s extracted DNA;

(ii) genotypic and phenotypic information obtained from analyzing a consumer’s raw sequence data; and

(iii) self-reported health information regarding a consumer’s health conditions that the consumer provides to an entity that the entity:

      (A) uses for scientific research or product development; and

      (B) analyzes in connection with the consumer’s raw sequence data.

GINA applies to any entity that offers consumer genetic testing products or services (like 23andMe and Ancestry.com) directly to a consumer, or collects, uses, or analyzes genetic data. It does not apply to genetic testing that is covered by HIPAA, which would include genetic testing done through a physician or hospital.

GINA requires covered entities to provide clear notice to consumers about the collection, use and disclosure of their genetic information through their privacy policy and to obtain “express consent” from the consumer for the collection, use, and disclosure of the genetic data. Separate informed consent is required for the disclosure of genetic data to a third party.

The new law codifies basic notice and consent ideals for the collection of sensitive data from consumers, who may mistakenly believe that HIPAA applies to genetic information. (See previous Privacy Tip on disclosure of genetic information). This emphasizes how important reading an entity’s website privacy policy is before you send a swab to a genetic testing company. GINA gives the Montana Attorney General jurisdiction to enforce violations of the law, including actual damages to a consumer, attorney’s fees, and costs and up to $2500 per violation.

Governor Mark Gordon signed the Wyoming Genetic Data Privacy Act into law on March 8, 2022. The law goes into effect on July 1, 2022.

The Genetic Data Privacy Act requires any business that collects genetic data from individuals to: (1) provide transparent information to consumers about the collection, use, and disclosure of genetic data before collecting it and (2) obtain express consent from an individual before collecting the genetic data. The Act also includes strict prohibitions on how the genetic data can be disclosed and retained. The law does not apply to covered entities or business associates collecting protected health information under HIPAA.

The law provides consumers with the statutory right to request deletion of the data when they are no longer being used or needed for the purpose for which they were collected. It also provides consumers with a private right of action to seek damages from anyone who violates the Act.

The Attorney General of Wyoming has jurisdiction to enforce the law, which carries penalties of up to $2,500 for each violation, actual damages for consumers who have been harmed, and attorneys’ fees and costs.

I have written about genetic testing kits before, but this subject matter is worth repeating. I find that people don’t always understand the consequences of sending a swab to a genetic testing company. Consumer Reports recently came out with a study led by its Digital Lab experts entitled “The Privacy Problems of Direct-to-Consumer Genetic Testing” which prompted me to revisit this as a Privacy Tip.

This is always a fun topic during my Privacy Law class, and students are often shocked when we discuss the laws that apply—or, don’t apply—to this highly sensitive information.

That said, whatever you decide to do with that genetic testing kit you got for Christmas is your own personal decision. However, before you send it in, you may wish to read the genetic testing company’s privacy policy and the Consumer Reports Digital Lab experts’ report linked above. You may also wish to take into consideration your family members’ privacy, because when you submit your own genetic makeup to a private company, you are also submitting part of the genetic makeup of your whole family, as their information is part of your swab.

Everyone knows how I feel about those home genetic testing kits—most people don’t understand that when they send their DNA to a private company, it is not protected by HIPAA or any other law, and the company can legally use and disclose it, including selling it to other companies. Understand what companies are doing with your genetic data and DNA before you just pop it to them in the mail.

With that said, this week, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a warning (Alert) to the public about a fraud scheme involving genetic testing. 

According to the Alert, “Scammers are offering Medicare beneficiaries ‘free’ screening or cheek swabs for genetic testing to obtain their Medicare information for identity theft or fraudulent billing purposes. Fraudsters are targeting beneficiaries through telemarketing calls, booths at public events, health fairs, and door-to-door visits.”

It is disturbing that fraudsters continue to prey on our seniors, and this is just another scam targeting them.

The Alert says that if a person agrees to genetic testing, that individual is asked to confirm his or her Medicare information, and receives a cheek swab, an in-person test, or a testing kit in the mail. These tests have not been ordered by a physician and have not been determined to be medically necessary.

The fraudsters then submit a claim with Medicare for reimbursement, and when it is denied, the beneficiary is responsible to pay for it, “which could be thousands of dollars.”

The Alert gives ways you can protect yourself, including:

  • If a genetic testing kit is mailed to you, don’t accept it unless it was ordered by your physician. Refuse the delivery or return it to the sender. Keep a record of the sender’s name and the date you returned the items.
  • Be suspicious of anyone who offers you “free” genetic testing and then requests your Medicare number. If your personal information is compromised, it may be used in other fraud schemes.
  • A physician that you know and trust should assess your condition and approve any requests for genetic testing.
  • Medicare beneficiaries should be cautious of unsolicited requests for their Medicare numbers. If anyone other than your physician’s office requests your Medicare information, do not provide it.
  • If you suspect Medicare fraud, contact the HHS OIG Hotline.

Please pass this along to the seniors in your life to help protect them from this fraud.

On June 3, 2019, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a fraud alert to notify consumers about genetic testing fraud schemes (the Alert). According to the OIG, fraudulent actors are using the provision of free genetic testing kits to obtain Medicare information from unwitting consumers, and then using the stolen information for purposes of fraudulent billing and/or identity theft.

In the Alert, OIG advises consumers to protect themselves by:

  • Not accepting mailed genetic testing kits unless ordered by a physician;
  • Closely scrutinizing any request for Medicare information tied to the offer of free genetic testing;
  • Verifying that your physician approves any requests for genetic testing; and
  • Not providing Medicare information to anyone other than a provider’s office.

That the OIG felt compelled to issue the Alert indicates its level of concern with fraudulent scams perpetrated under the guise of free genetic testing. It is not surprising that as genetic testing advances and the options for such testing proliferate, scammers are seeking to take advantage. The Alert therefore provides a welcome reminder to consumers to closely guard Medicare and other personal information. Health care providers and plans would be well-advised to review the Alert and notify their patients about the rising incidence of this scheme.

The deservedly well-publicized arrest of the Golden State Killer last fall was a coup for law enforcement, and a marvelous use of modern technology. Sequencing the DNA profile of material left by the killer at a crime scene 40 years ago, then scouring publicly available databases for a genetic match, and ultimately making the arrest were strokes of genius by all parties involved.

The question is not “should police have done this?” Of course, yes! Instead, the larger question is two-fold: do people know that their DNA information is going to be shared with government entities, and separately, how are we going to regulate public and private actors seeking to make use of the DNA information currently held by private companies?

To the first question, it should be noted that most DNA databases are (seemingly) transparent with users about how their information could be used. It is both a good business practice and a sound legal strategy to put this information front and center, allowing users to opt IN to the things they want to participate in (including use by law enforcement, medical researchers, genealogists, and the like) as opposed to forcing them to opt OUT of the things that they don’t want to be involved with. Yet even when this is executed perfectly and upheld honestly, it remains a thorny issue: a single user agreeing to participate in any use of their genetic data is making that choice not only for himself/herself, but also making that choice for their entire family, and often without their knowledge or consent.

As to the second question, it largely remains to be seen how this will be regulated. It would be nice to believe that the massive libraries of genetic information in existence will only ever be used for altruistic purposes, such as catching serial killers or curing diseases. But a failure to acknowledge the potential for misuse would be naïve in the worst of ways, and the fact that we have allowed the industry to get so far ahead of the law is cause for major concern. The only law of note currently in place, the Genetic Information Non-Discrimination Act (GINA), is far too narrow in scope to be a source of comfort; beyond that, the world relies merely on the hope that these companies will act responsibly. And as the FamilyTreeDNA scandal this week has revealed, that hope can be all too easily betrayed.

This post was authored by Kyle Prigmore, candidate juris doctor, Roger Williams University School of Law. Kyle is not yet admitted to practice law.

I had very interesting conversations with both of my classes in the last week over the sharing of genetic information in the context of learning about the Genetic Information Non-Discrimination Act (GINA). GINA generally prohibits employers and insurers from using genetic information to discriminate in employment or insurance underwriting.

People mistakenly believe that GINA protects the privacy of all genetic information. But it doesn’t. It only applies in very specific instances. When individuals take a swab from the inside of their mouth and send it to private companies for analysis to determine their ancestry or genetic predisposition, they are sending their DNA to a company that is not regulated like a doctor’s office or hospital. If an individual gets DNA testing at a doctor’s office or hospital, the doctor or hospital can perform the analysis, but then has very specific legal requirements on what they cannot do with the information, including disclose it to others or sell it.

Before you send that swab to a private company, take a look at their Privacy Policy so you are fully informed about what they are doing with the information, to whom they are disclosing it, and to whom they are selling it. Try to determine how they can aggregate your genetic information with other information and if it can be disclosed to your life insurer, employer or law enforcement.

Here are some interesting articles to consider before you send that swab:

https://apple.news/A6vDj8z7GQFe6psTEYRZGTw

https://www.bloomberg.com/news/articles/2019-02-01/major-dna-testing-company-is-sharing-genetic-data-with-the-fbi

https://www.gsk.com/en-gb/media/press-releases/gsk-and-23andme-sign-agreement-to-leverage-genetic-insights-for-the-development-of-novel-medicines/

And you may wish to discuss this decision with the rest of your family, because when you send your genetic information to these companies, you are in effect sending your entire family’s as well without their consent.

House bill HR 1313, introduced by Representative Virginia Foxx (R-N.C.), proposes to allow companies to require employees to undergo genetic testing, then allow employers to see the results, and impose financial penalties on any employees who request to opt out of the requirement.

The bill, which was before the House Committee on Education and the Workforce, was supported by all 22 Republicans and opposed by all 17 Democrats on the Committee.

Those in support of the bill state that the legislation would give employers the ability to offer wellness plans and promote a healthy workforce and lower health care costs.

Critics say the bill would eviscerate the Genetic Information Non-Discrimination Act (GINA) and the Americans with Disabilities Act (ADA) which specifically prohibit employers from asking for, accessing or using genetic information for certain actions that are considered discriminatory.

We will be watching this bill closely.