Human Genomic Data: HHS Could Better Track Use of Foreign Testing Entities and Strengthen Oversight of Security Measures

Government Accountability Office
04/30/2025


Fast Facts

Research on the human genome—the complete set of a person's DNA—has led to better health care and has many potential benefits. The Department of Health and Human Services has led key research, including a project to create a repository of the genomes of 1 million Americans. Its policy is to responsibly share such data with researchers.

But intelligence agencies warn that misuse of U.S. genomic data could threaten national security. For example, foreign countries could use the data to identify and coerce individuals.

HHS doesn't systematically track the use of foreign testing labs or fully oversee data security—which we recommended addressing.

Highlights

What GAO Found

A genome is the complete set of an organism's genes—all the information needed to build and maintain an organism (human or nonhuman) throughout its life. Genetic testing of a person's genome has multiple uses, such as diagnosing disease and identifying gene changes that may increase the risk of disease or that could be passed on to children. Within the Department of Health and Human Services (HHS), the National Institutes of Health (NIH) funds genomic research, the Centers for Disease Control and Prevention (CDC) conducts genomic research, and the Centers for Medicare & Medicaid Services (CMS) pays for medically appropriate genetic testing. In addition, NIH and CDC have repositories for researchers to collect and store genomic data for future research.

Foreign regimes in certain countries of concern pose risks to Americans' genomic data, according to the Office of the Director of National Intelligence (ODNI), other federal agencies, and selected experts, but HHS has not fully implemented mitigation measures. In 2021 and 2022, ODNI issued public warnings on the economic, intelligence, privacy, and military risks of Americans' genomic information being collected by foreign governments, noting China as having the motivation and capability to collect such information (see figure).

HHS officials described strategies to mitigate risks to genomic data through existing efforts, including the agency's policy to safeguard the acquisition of mission-critical products, materials, and services that it uses or funds through certain awards, including research grants. However, the HHS Office of National Security (ONS) has not implemented all elements of this policy. Specifically, ONS is required to, among other things, develop and share risk assessment standards and training for operating divisions, such as NIH and CDC, to apply when reviewing grants and mission-critical acquisitions. However, limited resources and differing funding priorities among HHS operating divisions have delayed efforts. Without risk assessment standards and training, operating divisions and HHS leadership are less equipped to apply the policy to grants and acquisitions related to human genomic information.

HHS officials and five selected funding recipients GAO spoke with described mostly using domestic genetic testing entities for research and treatment of patients. NIH officials described ways the agency monitors researchers' use of foreign entities, such as reviewing and approving requests to add foreign components to grant awards. However, NIH does not systematically track the use of foreign entities, in part because it collects limited information about genetic services for research. For work conducted by NIH's internal researchers, agency officials attributed this to limitations in NIH's procurement system, such as its inability to distinguish between funding for genetic services and funding for other research and laboratory services. NIH also did not have a code in its database of awards to track whether awards to researchers at external entities involved genetic services. NIH officials described measures they could implement to overcome these limitations, such as collecting more granular data from funding recipients on purchases from foreign entities. While researchers may mostly use domestic entities for genetic services, having information on researchers' use of foreign entities may allow NIH to help inform HHS decisions on how to restrict access to Americans' bulk genomic and other sensitive personal data by countries of concern.

NIH and CDC maintain repositories of genomic data and require researchers generating or using these data to follow data management and security measures. For example, pursuant to NIH policy, researchers should strip data of personal identifiers according to specified regulations. The agencies also restrict access to certain repositories and investigate data management or security violations. NIH provided GAO with information on various types of confirmed violations between July 2018 and May 2024 (see table). NIH identified these violations through its review of researcher progress updates, researcher self-reports, or whistleblowers.

Types of confirmed genomic data management violations reported by NIH, July 2018 to May 2024:

  • Research conducted outside of the approved request
  • Security breach, such as compromised servers
  • Research outside of secondary use limitations, such as for-profit research
  • Data accessed by unapproved users
  • Data identifiers were not removed

Source: GAO analysis of genomic data management violations from the National Institutes of Health (NIH). | GAO-25-107377

However, NIH has not developed or implemented procedures to comprehensively monitor researchers' compliance with data management and security requirements. For example, NIH expects researchers who submit data to its repositories to certify that they meet certain data management and security requirements and restrict physical access to servers storing genomic data, but it relies on that self-certification and does not proactively audit the implementation of specific data security requirements, such as data encryption. Similarly, CDC officials stated that not all of its centers that have repositories conduct oversight of whether funding recipients comply with the data management or security measures for safeguarding health data, including genomic data, that its policies require. Therefore, NIH and CDC may be missing violations related to the data management and security of human genomic data that go unreported by researchers. Such violations could leave Americans' genomic data at risk of improper use by foreign regimes in countries of concern.

Why GAO Did This Study

Research and data on the human genome enable better ways to diagnose and treat diseases such as cancer. However, ODNI and others have warned of national security and other risks to Americans' genomic data. In February 2024, the President signed Executive Order 14117 to prevent access to Americans' bulk sensitive personal data, including personal health and human genomic data, and U.S. government-related data, by countries of concern. These countries, identified by the Department of Justice as directed by the Executive Order, are China, Russia, Iran, North Korea, Cuba, and Venezuela.

Congress included a provision in statute for GAO to review the risks and security measures to protect U.S. human genomic information. This report assesses (1) the risks and HHS's efforts to mitigate them, (2) HHS's and selected funding recipients' tracking of the use of genetic services from entities with ties to countries of concern, and (3) the data management and security policies and procedures that protect large-scale human genomic repositories.

GAO reviewed documents and interviewed officials from ODNI and from HHS operating divisions involved in national security and genomics research or testing. GAO interviewed five subject matter experts who were selected to provide a mix of perspectives, based on their published works. GAO also interviewed eight HHS funding recipients selected based on the amount of funding from HHS for human genomic-related research. The selected recipients include a mix of research institutions, universities, and hospitals.

Recommendations

GAO is making four recommendations: one to HHS ONS, two to NIH, and one to CDC. Specifically:

  • HHS ONS should develop and disseminate training and guidance on supply chain risk assessment standards that enable operating divisions to implement effective risk management for genomic data security while maintaining a focus on their core missions.
  • NIH should begin systematically tracking the extent to which intramural and extramural researchers use genetic services provided by entities with ties to countries of concern.
  • NIH should develop and implement procedures to proactively and comprehensively monitor researcher compliance with data management and security measures for human genomic data.
  • CDC should develop and implement procedures, across all its centers that maintain restricted-access repositories with human genomic data, to proactively and comprehensively monitor researcher compliance with data management and security measures.

GAO Contacts

Candice N. Wright Director Science, Technology Assessment, and Analytics wrightc@gao.gov

Media Inquiries

Sarah Kaczmarek Managing Director Office of Public Affairs media@gao.gov

Topics

Information Security, Genetics, Data management, Health care, Compliance oversight, National security, Privacy, Data sharing, Health care standards, Supply chain management
