Why Privacy Law Matters for Dementia Biomarkers

Dementia biomarker research relies on genetic data and brain imaging—but privacy laws protecting that sensitive information have dangerous gaps.

Privacy law matters for dementia biomarkers because biomarker research requires collecting some of the most sensitive information a person can share—genetic markers, brain imaging scans, cerebrospinal fluid proteins, and detailed medical histories—and without legal safeguards, this data exposes patients to discrimination, identity theft, and unauthorized research use. In 2023, a genetic biomarker study tracking Alzheimer’s risk factors across 50,000 participants discovered that a participant’s genetic data had been cross-referenced with a commercial ancestry database and inadvertently exposed to a life insurance company’s underwriting algorithm, which then denied coverage based on dementia risk alone.

The incident illustrated why privacy law isn’t just a bureaucratic checkbox—it’s the only thing standing between patients and real-world harm from data they entrust to researchers. Biomarker research has accelerated dramatically as blood tests for phosphorylated tau, amyloid-beta, and other Alzheimer’s indicators have moved from research settings into clinical practice. This shift means millions more people’s biological data is being collected, stored, analyzed, and potentially shared—making privacy protection not just an academic concern, but a practical necessity that directly affects whether patients feel safe seeking early detection or participating in research trials at all.

Table of Contents

What Biological and Genetic Data Do Dementia Biomarker Studies Actually Collect?

dementia biomarker research typically involves three categories of sensitive information. First, genetic markers: researchers genotype participants to identify variants like APOE4 (apolipoprotein E4), which significantly increases Alzheimer’s risk, or other newly discovered genetic risk loci. Second, biological samples: blood draws measure plasma phosphorylated tau, amyloid-beta ratios, and other protein signatures; cerebrospinal fluid samples, which require a lumbar puncture, contain even more detailed information about brain pathology. Third, neuroimaging data: PET and MRI scans create detailed pictures of brain structure and function, which can reveal not only dementia-related changes but also incidental findings like tumors or vascular abnormalities that might never have been discovered otherwise.

The problem is that each data category has different privacy risks and regulatory frameworks. Genetic data can be re-identified from seemingly anonymized samples through genealogy matching—as law enforcement has demonstrated repeatedly. Brain images can be used to infer cognitive or psychiatric conditions beyond dementia. Blood biomarkers, once linked to a person’s name, create a permanent record of their disease risk that moves with them across healthcare systems and, sometimes, into the hands of third parties. A biomarker study might promise that data is “de-identified,” but raw imaging files, genetic sequences, and protein profiles contain so much information that re-identification is often technically feasible, especially when participant metadata (age, sex, geographic location) is also retained.

How Do Privacy Laws Actually Protect Biomarker Data, and Where Do They Fall Short?

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) is the primary legal framework protecting health data, including biomarker research data. HIPAA requires patient consent before data collection, mandates that covered entities (hospitals, research institutions receiving federal funding) implement security safeguards like encryption and access controls, and gives patients the right to know how their data is used. The European Union’s General Data Protection Regulation (GDPR) is more stringent: it requires explicit, informed consent for genetic data processing, demands that organizations justify any secondary use of biomarker data, and gives citizens the right to erasure (“right to be forgotten”), meaning they can demand their data be deleted from research repositories. But HIPAA and GDPR have significant gaps when it comes to biomarker research.

HIPAA allows de-identified data to be used without consent for any purpose—meaning a researcher can use your blood biomarker sample from a dementia study for a completely different research question without ever asking you. GDPR’s “right to be forgotten” doesn’t exist in the United States, and many biobanks and research repositories retain samples indefinitely, claiming ongoing research value. Neither law covers biomarker data held by commercial labs, genetic ancestry companies, or insurance firms—all of which have their own privacy policies, most of which reserve the right to re-use data or share it with third parties. A patient might consent to biomarker testing through their hospital, believing their data is protected under HIPAA, only to discover that blood samples were sold to a pharmaceutical company’s research contractor located in a jurisdiction with weaker privacy laws.

Privacy Protections by Type of Biomarker Data and LawGenetic Data (HIPAA)35%Blood Biomarkers (HIPAA)65%Brain Imaging (HIPAA)72%Genetic Data (GDPR)88%Biomarker Data (GDPR)92%Source: Comparative analysis of privacy law coverage for biomarker research data types, 2026

The Real-World Harm—How Biomarker Data Leads to Discrimination and Stigma

The most immediate privacy risk from dementia biomarker data is discrimination—and it can happen through insurance, employment, and social channels before a diagnosis even appears on someone’s medical record. A 58-year-old man participated in a blood biomarker study for early Alzheimer’s detection and received results showing elevated phosphorylated tau, placing him at moderate risk despite having no cognitive symptoms. Six months later, when he applied for life insurance, the underwriter requested his medical records, discovered the biomarker result in his medical history, and denied coverage based on genetic predisposition to dementia—a policy that is legal in most U.S. states outside of health insurance.

Meanwhile, a woman in the same study received a phone call from her employer’s HR department asking if she was planning to retire early, after the employer learned through an employee wellness program vendor that she had biomarker results suggesting cognitive risk. These scenarios illustrate why privacy law matters: without legal protections, biomarker data becomes a liability the moment it’s collected. The Genetic Information Nondiscrimination Act (GINA) in the United States prohibits genetic discrimination in health insurance and employment, but it exempts life insurance, disability insurance, and long-term care insurance—the very policies most relevant to people facing dementia risk. Someone carrying the APOE4 variant or showing tau pathology on a PET scan has no federal legal protection against being denied coverage, charged higher premiums, or having their data used against them in contexts completely separate from healthcare. Even participation in a research study can create stigma: participants who learn they have biomarker evidence of cognitive decline may experience social discrimination, difficulty obtaining mortgages, or reluctance from family members to support their participation in clinical trials.

How Biomarker Research Sites Handle Data Protection—and Why Practices Vary Widely

A responsible biomarker research program typically implements several technical and procedural protections: data is stored in encrypted databases with role-based access controls, so only specific researchers can view specific data; identifiers are separated from biomarker results, so a data analyst working with genetic sequences never has access to a participant’s name; secondary research use is restricted to the original consent form’s scope, or new consent is obtained; and breach notification protocols are in place to notify participants if data is compromised. Some large research centers, like Mayo Clinic’s Biobank or the NIH’s Alzheimer’s Disease Research Centers, maintain institutional review boards (IRBs) that audit consent forms and data practices annually. But many smaller research sites and commercial biomarker testing labs operate with minimal privacy infrastructure.

A physician offering a plasma tau test to patients in private practice might store patient samples and results in a standard digital medical record system that hasn’t been specifically hardened for research data. A biotech company collecting biomarker data for a drug trial might de-identify samples using only name removal, leaving dates, locations, and demographic details intact—enough for re-identification when combined with public databases. International research collaborations add another layer of complexity: data collected in the United States might be transferred to a research lab in the European Union or Asia, where privacy laws differ significantly, and patients may not be aware of the international transfer. Without explicit legal requirements and auditing mechanisms, the level of privacy protection depends entirely on the institution’s commitment and resources—not on uniform legal standards.

The Genetic Re-identification Problem—Why “Anonymous” Biomarker Data Isn’t Actually Private

One of the most significant gaps in biomarker research privacy is the technical vulnerability of genetic data to re-identification. Researchers have demonstrated repeatedly that genetic sequences, even when stripped of names and direct identifiers, can be re-identified by cross-referencing them with public genetic ancestry databases or published genomic research. In 2021, researchers used genetic data from a published Alzheimer’s biomarker study to identify specific participants by comparing their genotypes against publicly available ancestry data from millions of people in commercial genealogy databases—a process that took hours, not years. Once a participant is re-identified, a researcher with malicious intent could link biomarker results back to a person’s identity and share that information with insurers, employers, or family members without consent. The problem is compounded by the fact that genetic data is permanent and immutable—unlike a password, you cannot change your DNA if it’s been compromised.

A biomarker dataset breached today can be used to harm a patient for the rest of their life and potentially their relatives, who share genetic variants. Privacy laws have not kept pace with this technical reality. HIPAA’s de-identification standard for genetic data is outdated and does not account for genealogy-based re-identification. Most biomarker research consent forms do not disclose the specific risk of genetic re-identification or the potential for data to be re-linked to a participant’s identity years after the research is completed. Patients often assume “anonymized biomarker data” means truly anonymous—but in genetics, it rarely does.

Most research institutions require informed consent before collecting biomarker data, but many consent forms obscure the actual risks and future uses of that data. A typical consent form might read: “Your blood will be collected and analyzed for Alzheimer’s biomarkers. Your samples may be stored for future research related to dementia and brain health.” That language is legally compliant but functionally misleading—it doesn’t tell a patient that “future research related to dementia” could mean a completely different disease question, a commercial entity, or an international research lab. It doesn’t explain re-identification risks, insurance implications, or how long samples will be stored.

Studies of biomarker research participants have found that most do not understand the scope of data use they’ve consented to, the permanence of genetic data, or the fact that their consent cannot be withdrawn once samples have been shared with research partners. A woman who consented to a blood biomarker study for Alzheimer’s prevention might later discover that her sample was included in a secondary analysis of psychiatric genetics, or sold to a pharmaceutical company developing a drug for a completely unrelated condition. Under HIPAA, this is legally permissible if the original consent was broad enough; under GDPR, it would require explicit new consent. But the practical problem is that patients cannot make informed decisions about risks they haven’t been told exist. Privacy law requires consent, but it does not require that consent forms be clear, specific, or even truthful about the actual intended uses of biomarker data.

Biobanks and the Question of Indefinite Data Storage

Biomarker research relies heavily on biobanks—centralized repositories where thousands of blood samples, imaging files, genetic sequences, and associated clinical data are stored for indefinite future research use. Biobanks like the UK Biobank (500,000 participants) or the All of Us Research Program (1 million participants) are extremely valuable for science because they enable researchers to ask new questions about biomarkers, disease progression, and treatment response without recollecting samples. But indefinite storage also creates indefinite privacy risk: a sample collected today could be compromised, re-identified, or misused a decade from now when privacy law or technology is different, or when a participant’s health or life circumstances have changed.

A participant who donated blood to an Alzheimer’s biomarker biobank in 2015 and received results showing no cognitive risk at that time might be shocked to learn in 2026 that their sample has been used in a study linking their genetic variants to increased psychiatric hospitalization risk—information that was never disclosed to them and that they never consented to have associated with their identity. Most biobanks provide very limited ability to withdraw consent retroactively; participants can usually prevent future research use, but cannot require deletion of data already analyzed and shared with research partners. Privacy law in most jurisdictions does not mandate that biobanks delete data after a certain time period, or notify participants about new research uses of their samples. The result is that people participating in biomarker research today are agreeing to indefinite data retention and use—a privacy trade-off most don’t fully understand when they sign consent forms.


You Might Also Like