• GAO report warns HHS needs to bolster protection of Americans' DNA data from foreign adversaries.
• HHS hasn't taken necessary steps to secure genomic data, despite warnings from ODNI about foreign collection risks.
• GAO recommends HHS, NIH, and CDC improve monitoring, track foreign genetic service use, and enhance supply chain risk management.

The Government Accountability Office (GAO) released a report on April 30, 2025, highlighting critical vulnerabilities in the Department of Health and Human Services' (HHS) protection of Americans' DNA data. The report warns that foreign adversaries could exploit unsecured genomic information to identify and coerce citizens, as well as gain undue influence over innovation and drug development. The GAO's findings underscore the urgent need for HHS, along with its research arms like the National Institutes of Health (NIH) and the Centers for Disease Control and Prevention (CDC), to strengthen data security measures and proactively monitor researcher compliance.

• What: The GAO report reveals that HHS needs to improve the protection of Americans' DNA data to prevent it from falling into the hands of foreign adversaries. This includes better monitoring of researchers, tracking the use of foreign genetic services, and improving supply chain risk management.
• Who: The key entities involved are the Department of Health and Human Services (HHS), the Government Accountability Office (GAO), the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), the Office of the Director of National Intelligence (ODNI), and the HHS Office of National Security (ONS).
• When: The GAO report was issued on April 30, 2025. NIH confirmed data security violations between 2018 and 2024. HHS ONS plans to implement necessary practices by August 2025.
• Where: The data security concerns relate to data stored on genomes within the United States, specifically data managed by HHS, NIH, and CDC.

The GAO report highlights a significant vulnerability in the protection of sensitive genetic information. The lack of proactive monitoring by NIH and CDC, coupled with the HHS ONS's delay in implementing supply chain risk management practices, creates opportunities for foreign adversaries to access and misuse Americans' DNA data. The economic, intelligence, and military risks associated with such data collection are substantial, necessitating immediate and comprehensive action by HHS and its agencies.

According to ODNI, foreign regimes can combine personal health data, including genetic data, with other personal datasets they have collected to build profiles on individuals.

Officials said that NIH reviews institutions’ implementation of these requirements on a case-by-case basis after it has reason to believe there has been a data management incident.

The GAO's report underscores the urgent need for HHS to bolster its protection of Americans' DNA data. The recommendations for proactive monitoring, improved tracking of foreign genetic service use, and enhanced supply chain risk management are crucial steps to mitigating the risks posed by foreign adversaries. While HHS, NIH, and CDC have agreed with the GAO's recommendations, the effectiveness of their implementation remains to be seen. Ongoing vigilance and proactive measures are essential to safeguard this sensitive information.