Four people with a family history of cancer, or who have cancer themselves, lodged a complaint this afternoon with the U.S. Department of Health and Human Services (HHS). It alleges that Myriad Genetics, a prominent genetic testing company, broke a federal rule by withholding genomic data that are rightfully theirs. At least one plaintiff wants to share her information with an open-access research database, to which Myriad has declined to contribute.
In a twist, after the American Civil Liberties Union (ACLU) notified journalists of an upcoming press conference on the matter, Myriad reversed course and supplied the patients with the information they had requested in February. Despite that move, ACLU went ahead and helped the patients file the complaint, in part because it covers what the organization describes as a past violation.
A spokesperson for Myriad, based in Salt Lake City, says that the company is frustrated by the complaint and believes it should be dropped.
Genetic testing labs, including Myriad, normally provide clients with information on gene variants that are known to increase the risk of disease (pathogenic), likely to be pathogenic, or of uncertain significance. But nearly everyone also has variants (often called polymorphisms) that are deemed benign—and companies typically don’t send clients information about those variants. But as researchers pool data from thousands of cancer gene tests, some of those benign variants may be reclassified as dangerous, or may become informative in ways that hadn’t been anticipated. That is one reason some of the patients involved in the complaint wanted Myriad to provide all of their genetic data, and not just the information on the pathogenic variants.
In the complaint, ACLU and the plaintiffs, supported by researchers in cancer genetics, say that Myriad ran afoul of a new regulation promulgated by HHS this past January: that individuals have a right to receive “the full gene variant information generated by the test.” The regulation was prompted, federal officials say, by a federal law known as the Health Insurance Portability and Accountability Act (HIPAA), which among other things governs the use of medical records and the protection of patient privacy.
Myriad says it didn’t even know about the new regulation, which was quietly posted on an HHS blog. In February, the company was taken aback to receive seven identically worded letters from past clients, says Ron Rogers, a Myriad spokesperson. “It was obvious to us that there was some sort of coordinated effort against Myriad to get this information,” Rogers says. The company receives up to 40 requests a day for test results, and “99.9% of them,” Rogers says, are for the usual pathogenic or uncertain variants, the kind included in the company’s patient reports. In this case, the patients sought polymorphisms—essentially, the benign variants. The letters referenced the January regulation.
As a result of those letters, Myriad discovered the HHS regulation change, Rogers explained. Still, the company didn’t immediately return the information to the patients, but did provide the usual test results—which each of the patients had previously received. With representatives from the testing firm LabCorp and the American Clinical Laboratory Association, Myriad employees traveled to Washington, D.C., to meet with HHS officials to better understand their obligations under the new regulation. “We tried to get a meeting … as fast as we could” with the department’s Office for Civil Rights, Rogers says. The office “told us that the way they were interpreting the guidance, it should include the benign variants. We quickly got to work, we compiled that information, completed that request yesterday, and sent it to all these patients.”
The four patients represented by ACLU are not appeased. (The organization declined to say whether it had previously been working with the three others.) It’s “my body, my blood, my data, my choice how I wish to share my information,” said AnneMarie Ciccarella, one of the plaintiffs, during a press conference earlier today. Ten years ago, Ciccarella was diagnosed with invasive breast cancer at 49 and, with a strong family history of cancer, she followed her doctor’s advice and got BRCA1 and BRCA2 testing through Myriad. Mutations in both genes are linked to a higher risk of breast, ovarian, and other cancers. Ciccarella’s results, however, were equivocal; Myriad told her it found a “variant of unknown significance” on BRCA1 and another on BRCA2.
Ciccarella wants all her DNA information made widely available to researchers, and in particular wants to donate it to a database called ClinVar. ClinVar is collecting DNA findings on as many people as possible; a separate but related database called ClinGen is trying to understand what those findings mean. (More information on both databanks is here.)
Myriad has provoked the ire of some scientists because the company has declined to submit its voluminous BRCA1 and BRCA2 data to ClinVar, unlike a number of other testing companies. Rogers says that’s because it wants to protect patient privacy. A pair of scientists has launched an effort to seek Myriad testing results from patients and providers as a substitute. One of them, Heidi Rehm, one of the leaders of ClinGen and an associate professor of pathology at Harvard Medical School in Boston, wrote a letter supporting ACLU’s complaint.
Siding with her were Thomas Hudson and Peter Goodhand, two leaders of the Global Alliance for Genomics and Health, a collaborative trying to improve the sharing of genomic data. It’s running a major effort to aggregate data on BRCA genes, called the BRCA Challenge. Hudson and Goodhand called on the HHS Office for Civil Rights to explicitly say that the regulation “includes variant calls”—decisions about whether a variant is benign, for example—“and raw sequencing files, giving patients the right under HIPAA to routinely access them and thus contribute to research and improved health.”
“I think it’s much ado about nothing,” Myriad’s Rogers says of the complaint. He says that Myriad has previously provided polymorphism data to the rare patient who asks, and will certainly do so now if required under HIPAA.
ACLU wants more assurance than that. “We need to know that it’s a change in their position,” says ACLU senior staff attorney Sandra Park. She says she knows of another person who submitted a request for polymorphism data before the January regulation change, she says, and who was denied by the company. “From February they took the clear position that this data was excluded from what is covered under HIPAA.”
Is there a broader goal to pressure Myriad into depositing its data into public databases like ClinVar? Park is oblique. “The best solution on that question is that Myriad just shares it,” she says, “and discloses this data to patients that request it.”