The 23andMe breach of confidential information based on genetic analysis appears to have been caused by users using identical login information across multiple platforms. Previous data breaches were able to obtain email and password combinations from other companies, which rendered the user accounts for 23andMe vulnerable to attack individually. Many businesses require password changes to avoid this kind of vulnerability, but it is not common practice among consumer-facing logins.

Companies are increasingly aware of the liabilities present by data security. User data broadly, and healthcare records specifically, have been the target of ransomware attacks or data breaches to varying degrees of success. Some have been released and resulted in large fines such as Premera Blue Cross being fined $6.85m in 2020.

HIPAA in the US and the GDPR in the EU set out stringent requirements for patient privacy. These help to attach real costs to privacy violations and incentivise companies to protect patients. The trouble is when patients themselves are not aware of the risks their poor security practices may be putting them at, as companies are largely protected from liability if the login information has been compromised through no fault of their own.

To protect their privacy, users should follow best practices by using a password manager and changing passwords periodically. It is also important to recognise and prioritise which accounts have the most risk associated in case of a breach, and to set up measures like two-factor authentication.