Israel’s health ministry plans controversial genetic mega-database
Experts warn citizens’ medical and genetic data could be exposed without adequate privacy or security protections.
Did you think the biometric database was concerning? Wait until you learn about the medical and genetic database that the Ministry of Health is currently seeking to establish. This database would centralize the most sensitive personal information of Israeli citizens without sufficient protections for privacy, data security, or prevention of misuse.
A memorandum for a bill promoted by the Ministry of Health seeks to grant the Minister of Health, currently Haim Katz (Likud), the authority to create national health registries. These registries would include socio-demographic and medical data on Israeli citizens and require medical institutions to transfer extensive identifying and sensitive information.
While the goals of the initiative are worthy, its execution is deeply flawed. The memorandum does not specify that the transferred information must be encrypted to prevent links between the data and individual citizens, nor does it establish basic data security protections. Furthermore, the memorandum instructs the creation of what would effectively be a genetic database of Israeli citizens. Serum samples, leftover blood samples from medical tests, would be transferred to the Ministry of Health without safeguards to prevent identification of their owners.
"The goal of improving health policy is important and worthy, but the memorandum proposes to compel all health organizations to transfer sensitive, identifiable medical information to the Ministry of Health and to establish massive medical databases, including what could become the largest genetic database in Israel’s history," said Dr. Tehilla Shwartz Altshuler of the Israel Democracy Institute. "All this occurs without up-to-date disclosure mechanisms, without adequate security, and without oversight of the information’s use, ignoring recent reforms in privacy law and basic definitions in the field of privacy and data security. This memorandum reflects irresponsible and unprofessional regulation."
The memorandum was published for public comment on December 22, with the comment period ending on January 12. The Ministry of Health will now decide whether to advance the memorandum in its current form or revise it based on feedback. The stated purpose is legitimate: creating health registries to monitor diseases, medical conditions, and medical technologies to improve policy, track disease spread, adopt new technologies, and plan health services.
The problem lies in implementation. The law would allow the Minister of Health to order medical institutions to transfer identifiable medical and socio-demographic information to the registries. The data would be transferred unencrypted, including direct identifiers. Once transferred, the Ministry could verify and enrich it with other government databases, connecting sensitive medical information to records held by the Tax Authority, National Insurance, or Ministry of Transportation.
"The memorandum significantly violates the core right to privacy by requiring health organizations to transfer identifiable medical information," wrote Shwartz Altshuler and Dr. Rachel Aridor-Hershkovitz. "The law does not reflect a proportional relationship between its purpose, creating policy and streamlining the health sector, and the means chosen: the sweeping transfer of identifiable health information from citizens of Israel. Alternatives exist, such as aggregated data, pre-populated information, or encrypted extraction systems, which would be far less harmful."
After the data is enriched, identifiers such as name, address, phone number, and ID number would be deleted in a process called anonymization. However, privacy experts warn that simply removing direct identifiers is insufficient to prevent re-identification. Modern AI systems, and even manual analysis, can often identify individuals based on extensive socio-demographic data, even without names or ID numbers.
"Removing direct identifiers is no longer the global standard for transforming identifiable information into non-identifiable information," the opinion stresses. "The test is whether a person can be identified with reasonable effort, directly or indirectly. The 'direct identifiers' listed in the memorandum are only examples and do not cover all data that could reveal a person’s identity."
The opinion cites previous data breaches, including the 2006 leak of the Agron database containing demographic information on all residents of Israel and the 2020 leak of the voter register due to a security breach in the Elector app. "It is highly likely that specific individuals could be identified in the national health records, regardless of encryption."
The opinion warns that the consequences of exposing sensitive medical information could be severe. Individuals might avoid necessary medical tests if they fear insurance or employment repercussions. The potential economic and social damage from such a database could far outweigh the costs of creating a more privacy-respecting system using pre-aggregated reports.
Another concerning provision in the memorandum relates to a national serum bank. This would require medical labs to transfer leftover blood samples, accompanied by identifying and other data, to a central repository to assess population immunity.
"A national serum bank effectively creates a genetic database of all citizens who have undergone blood tests," warn Shwartz Altshuler and Aridor-Hershkovitz. "These samples would be linked to socio-demographic data and possibly enriched with government records. Removing direct identifiers does not anonymize the genetic information."
The opinion concludes that the disclosure of genetic information is an extreme violation of privacy. Unlike the Genetic Information Law or the Biometric Database Law, the memorandum lacks mechanisms for data minimization, security, usage limitation, or oversight. It could establish, through the back door, the largest genetic database in Israeli history.
Finally, the memorandum provides no guidance on cybersecurity, supervision, or enforcement. Hospitals are frequent targets of cyberattacks, and the memorandum does not include penalties or oversight mechanisms comparable to those in the Biometric Database Law, which regulates authorized access, secondary legislation, and data transfer controls.
