GAO Report Highlights Gaps in HHS Oversight of Human Genomic Data Security

The U.S. Government Accountability Office (GAO) released its April 2025 report titled "Human Genomic Data: HHS Could Better Track Use of Foreign Testing Entities and Strengthen Oversight of Security Measures", warning that the Department of Health and Human Services (HHS) has not fully implemented policies necessary to protect Americans’ genomic information from foreign threats. The report outlines how advances in genomic research, while revolutionizing healthcare, also pose privacy and national security risks—especially from adversarial countries like China, Russia, Iran, North Korea, Cuba, and Venezuela.

GAO found that although HHS agencies such as NIH, CDC, and CMS play critical roles in supporting and conducting genomic research, there are significant gaps in the tracking and regulation of foreign testing entities. Despite guidance from the Office of the Director of National Intelligence (ODNI) and the FBI about the strategic interest countries like China have in acquiring Americans’ genomic data, HHS has not consistently enforced its own policies to mitigate such threats. In particular, the Office of National Security (ONS) within HHS has not developed or disseminated the necessary supply chain risk assessment standards or training required under the agency’s own 2022 and 2024 policies.

NIH and CDC reportedly rely mostly on domestic genetic testing services for their work, but neither systematically tracks the extent to which foreign testing entities are involved, especially those with ties to countries of concern. For example, NIH lacks internal codes to identify whether a funded research award involves genetic services from foreign entities, making it difficult to quantify the risk or assess compliance with national security directives. Although NIH has repositories for storing and sharing genomic data, the agency does not proactively audit compliance with its security requirements, including data encryption and access controls, meaning some security violations may go undetected unless self-reported.

GAO also emphasized the vulnerability of data held in NIH’s and CDC’s genomic repositories. While NIH has recently moved to reject new data access requests from entities in countries of concern, the agency continues to approve renewal requests for existing foreign users, raising further questions about the robustness of its risk mitigation strategy. Additionally, NIH and CDC do not yet conduct comprehensive, proactive monitoring to ensure that data management protocols are being followed across all research programs and funding recipients.

GAO issued four recommendations: HHS ONS should complete and distribute supply chain risk assessment standards and training materials; NIH should begin systematically tracking foreign use of genetic services and implement more robust oversight of data security compliance; and CDC should ensure that all centers with access-restricted genomic data repositories proactively monitor researcher adherence to security protocols.

This summary is based on GAO Report GAO-25-107377, authored by the U.S. Government Accountability Office. For the full report, visit https://www.gao.gov/products/GAO-25-107377.

Disclaimer: This blog post is for informational purposes only and does not guarantee accuracy or completeness. It does not constitute legal advice or create an attorney-client relationship.
