Brett Dickerson reports:
Victims of past sexual assault who had their DNA collected in a rape kit by the Oklahoma City Police Department now face yet more uncertainty because of a data breach.
Rape kits are used to collect DNA evidence by law enforcement agencies for sexual assault investigations.
Saturday, those who had their DNA information stored by a contractor for OKCPD in connection to sexual assault investigations were informed by a U.S. Post Office letter of the breach.
The contractor is DNA Solutions, Inc., a DNA research company located in Oklahoma City.
Read more at Oklahoma City Free Press.
DNA Solutions is closed today, but DataBreaches.net sent an email inquiry with a number of questions about their business and the incident. No reply was immediately received, but this post will be updated if they respond when they re-open. From their website, however, it does not appear that they are a HIPAA-covered entity or business associate.
As the Free Press reporting indicates, the firm states that “Test samples and documentation for legal cases are stored up to 5 years after your test and then destroyed.” But who determines whether it can be destroyed earlier? If the Oklahoma City Police Department contracts with them for forensic cases, do they ever authorize them or request earlier destruction? And does the police department review and monitor their contractor’s data security?
DNA testing came up recently in another context: a rape victim whose DNA was collected and tested was subsequently charged with a property crime years later in an unrelated matter because law enforcement searched the victim DNA database for other purposes. As NPR reported:
San Francisco officials are criticizing the city’s police department over what officials say is a newly discovered practice inside the department of searching a database containing DNA collected from sexual assault victims to identify them as possible criminal suspects.
District Attorney Chesa Boudin said using rape kit DNA to search for suspects in separate investigations treats victims “like evidence, not human beings” and called for the practice to end.
In light of both of these breaches — one by external hackers and one by insiders misusing a database — is it time to consider or revisit the rights of crime victims whose DNA is collected and tested? Do victims know who is storing and securing their sample and their test results? Do they have any right to direct its removal? Should those storing samples or test results be held to more rigorous security and privacy standards?