Connecticut Attorney General William Tong submitted testimony on February 18, 2026, urging lawmakers to support H.B. 5128, a bill aimed at tightening protections for DNA collected through direct-to-consumer genetic testing services.
What happened
The proposal responds to a major gap in current Connecticut law that leaves residents’ most sensitive personal data vulnerable. The testimony points to the fallout from the 23andMe breach, which compromised genetic information and ancestry-related data. According to the Attorney General’s Office, some of that data was allegedly used to sort and market lists of users based on ethnic and ancestral background, while other leaked material reportedly included names, locations, and even claims of raw genetic data.
The Attorney General noted that the state’s multistate investigation found that Connecticut law does not clearly require notice or consent when a company transfers or sells genetic data. Even in events like bankruptcy, the law does not adequately stop companies from using DNA for new purposes that were not disclosed at collection.
The main changes to genetic data privacy handling
The proposed bill, An Act Concerning Direct to Consumer Genetic Testing, offers the following changes to genetic testing in the state:
- Connecticut residents would have exclusive control over their biological material, DNA, and the results of any analysis of that DNA.
- Companies would need a person’s clear, express consent before using DNA or genetic data for any purpose that was not disclosed and agreed to when the data was first collected.
- A company could not sell or transfer a resident’s DNA or genetic data to another entity without first getting express consent.
- Companies that collect DNA would have to implement reasonable security measures to protect biological samples and genetic data from unauthorized access or disclosure.
- The bill would prohibit companies from using a person’s genetic data for marketing or targeted advertising purposes.
- The bill would protect residents from use of their DNA by insurance companies and would treat violations as violations of the Connecticut Unfair Trade Practices Act, giving the state a clear enforcement path.
What was said
In his testimony, the Attorney General states, “House Bill No. 5128 is the product of an extensive review of genetic privacy laws in other states. We believe that we have consolidated the best of these laws into the provisions in the bill before you, which will provide strong legal protections for the DNA of Connecticut residents. The bill grants Connecticut residents exclusive control over their biological material, their DNA, and the results of any analysis of their DNA. Under the bill, companies that collect the DNA of Connecticut residents must obtain their express consent for any use of their data that was not previously communicated and consented to at time of collection, and they also must obtain express consent prior to any sale or transfer of their DNA.”
Why it matters
Hospitals and other healthcare providers encounter genetic data in more settings than specialist genetics clinics alone. It can arise during testing for inherited conditions, cancer risk, rare diseases, prenatal care, newborn follow-up, and medication planning. Genetic information may also come in through lab reports, specialist consultations, patient-submitted direct-to-consumer test results, and research programs linked to care. Once collected, it often becomes part of the medical record and can influence diagnosis, treatment, counseling, and long-term care decisions.
A Healthcare Informatics Research paper shows that “integrating genetic data into Electronic Health Records (EHRs) can facilitate the management of genetic information and care of patients in clinical practices,” which helps explain why providers increasingly encounter it outside traditional genetics departments. A more recent hospital-focused BMJ Open Quality review adds that “Hospitals play a critical role in the delivery of genomic medicine,” reflecting how genomic data is now part of broader organizational care delivery, governance, and clinical decision-making rather than a narrow niche service.
The 23andMe breach exposed data tied to roughly 5.6 million customers, and regulators later found that ancestry-linked information was among the compromised data. Other cases show the same pattern. DNA Diagnostics Center disclosed a 2021 breach involving unauthorized access to an archived database affecting more than 2.1 million people. Separately, federal regulators said Vitagene exposed consumers’ health reports, raw genetic data, and other personal information through misconfigured cloud storage.
The legislation gives healthcare organizations clearer rules for handling that risk. H.B. 5128 would require express consent for new uses, consent before any sale or transfer, and reasonable security protections that would influence internal processes and protocols.
FAQs
Does HIPAA protect genetic information?
Yes. HHS says genetic information is protected under the HIPAA Privacy Rule when it is individually identifiable and held by a HIPAA-covered entity.
Is every genetic test covered by HIPAA?
No. HIPAA applies to the holder of the data, not the test itself.
Can a hospital put genetic test results in my medical record?
Yes, if a provider uses the results for diagnosis, treatment, medication planning, or care coordination.
