Private Information Leakage from Polygenic Risk Scores

This paper demonstrates that Polygenic Risk Scores (PRSs) can be exploited to reconstruct individual genotypes and de-anonymize users, thereby revealing significant privacy risks that necessitate new analytical frameworks and secure sharing solutions.

The Gist

Imagine your DNA is a massive, complex library of books. Each book represents a specific gene, and the pages inside tell the story of your health, your ancestry, and your risks for certain diseases.

For a long time, scientists thought that if you only shared a summary of this library—like a single sentence saying, "This person has a 20% chance of developing diabetes"—it would be safe. They believed this summary was too vague to reveal anything about the actual books on the shelves.

This paper says: That assumption is wrong.

The authors, Kirill Nikitin and Gamze Gürsoy, discovered that this "summary sentence" (called a Polygenic Risk Score or PRS) is actually a giant puzzle. If you have the right tools and enough of these summaries, you can solve the puzzle and reconstruct the actual books on the shelves. In other words, you can figure out a person's specific genetic code just from a single number.

Here is how they did it, explained through simple analogies:

1. The "Lock and Key" Puzzle (Reconstructing the Genes)

Think of a Polygenic Risk Score like a combination lock.

• The lock is the final number (the PRS) you see on a report.
• The dials inside the lock are your genes (which can be 0, 1, or 2 copies of a specific variant).
• The weights are the rules that tell you how much each dial contributes to the final number.

The researchers realized that if you know the rules (the weights) and the final number (the PRS), you can work backward to figure out exactly how the dials were set. They used a clever computer trick called Dynamic Programming (think of it as a super-smart detective who tries every possible combination quickly) to reverse-engineer the genetic code.

The Result: They found that with just a few dozen of these "locks" (PRS values for different diseases), they could correctly guess about 95% of a person's genetic code. It's like being able to guess someone's entire password just by seeing the final "Login Successful" message.

2. The "Family Reunion" (Re-identifying People)

Once the researchers could guess the genetic code, they could use it to find people.
Imagine you have a photo of a stranger, but you don't know their name. You go to a massive family reunion (a Genetic Genealogy Database like GEDMatch) and ask, "Does anyone here look like this person?"

Because the researchers could reconstruct enough of the person's DNA, they could match them to their relatives in these public databases with near-perfect accuracy.

• The Risk: Even if a person shared their PRS anonymously (like "User123"), the researchers could figure out who "User123" really is by finding their cousin or parent in a public family tree.

3. The "Fingerprint" (Linking to Medical Records)

There is a second way this is dangerous. Imagine a hospital has a giant database of patient records, but all the names are crossed out (anonymized).
If an insurance company or a bad actor knows a specific person's PRS (e.g., "John Doe has a score of 98.5 for Diabetes"), they can run that number against the anonymous database.

Because PRS values are so unique (like a fingerprint), they can find the exact row in the database that matches John Doe. Suddenly, the "anonymous" record is no longer anonymous. They can now see John's full medical history, including diseases he never told anyone about.

4. Who is Most at Risk?

The paper found that this isn't a fair fight.

• European Ancestry: The genetic "maps" scientists use to build these scores are mostly based on people of European descent.
• Non-European Ancestry: Because the maps are biased, the "locks" for people of African or East Asian descent are actually easier to break. The researchers found that the genetic code for these groups was even more predictable from the PRS numbers. It's like trying to solve a puzzle where the pieces are slightly different than the picture on the box; the mismatch makes the solution easier to guess.

The Solution: Blurring the Picture

So, how do we stop this? The authors suggest a simple fix: Rounding.

Imagine you are describing a painting.

• High Precision: "The sky is a shade of blue that is 45.382% red and 54.618% blue." (Too specific, reveals too much).
• Rounded: "The sky is a light blue." (Safe).

The researchers propose that when scientists publish PRS models, they should round the numbers (the weights) to fewer decimal places.

• Why it works: If you round the numbers, the "lock" becomes fuzzy. There are now millions of different genetic combinations that could result in the same rounded score. It becomes mathematically impossible to solve the puzzle.
• The Good News: Rounding the numbers barely changes how useful the score is for doctors. A doctor can still tell you if you are at high risk for a disease, but a hacker can no longer steal your identity.

The Bottom Line

This paper is a wake-up call. We thought sharing a "risk score" was like sharing a weather forecast. The authors show us that it's actually like sharing the blueprint of your house.

If we want to use these powerful genetic tools to save lives without exposing our private lives, we need to be smarter about how we share the data. We need to "blur the edges" of the numbers so that the science remains useful, but our privacy remains intact.

Technical Summary

1. Problem Statement

Polygenic Risk Scores (PRS) are widely used in clinical practice and direct-to-consumer (DTC) genetic testing to estimate an individual's susceptibility to complex diseases based on the cumulative effect of genetic variants. While PRS values are often treated as summary statistics and assumed to be non-identifiable, this paper challenges that assumption.

The core problem addressed is privacy leakage: Can a single PRS value (or a set of PRS values) be reverse-engineered to recover an individual's underlying genotypes? If successful, this could lead to:

• De-anonymization: Re-identifying individuals or their genetic relatives in genealogy databases.
• Sensitive Attribute Disclosure: Inferring health risks not originally associated with the shared PRS.
• Database Linkage: Connecting anonymized genotype-phenotype databases to known individuals.

2. Methodology

The authors frame the problem of recovering genotypes from a PRS value as a variation of the Subset-Sum Problem, which is known to be NP-hard. They developed a computational framework to solve this efficiently under specific conditions.

A. Mathematical Formulation

A PRS is defined as a linear combination of genotypes ($g_i \in \{0, 1, 2\}$) and effect weights ($\beta_i$):
$$\text{PRS} = \sum_{i=1}^{N} \beta_i \cdot g_i$$
The goal is to find the set of $g_i$ given the target PRS and the known $\beta_i$.

B. Core Algorithm: Dynamic Programming with Meet-in-the-Middle

To solve the subset-sum problem efficiently for PRS panels (up to ~50 variants), the authors employed:

1. Density Analysis: They adapted the concept of "density" from cryptography to determine solvability. Density ($d$) is the ratio of the number of SNPs to the bit-length (ternary representation) of the largest effect weight. Lower density implies easier solvability.
2. Meet-in-the-Middle Approach: The set of effect weights is split into two halves. Partial sums are generated for each half, and the algorithm searches for pairs of sums that equal the target PRS. This reduces time/space complexity from $O(3^N)$ to $O(3^{N/2})$.
3. Likelihood Estimation: Since multiple genotype combinations might mathematically sum to the same PRS, the algorithm uses population allele frequencies to calculate a log-likelihood score. The solution with the highest likelihood (closest to population averages) is selected.
4. Optimizations:
   • PRS Chaining: If multiple PRSs are available for one individual, genotypes recovered from a smaller PRS panel are fixed and used as constraints for larger panels, narrowing the solution space.
   • Self-Repair: If a larger PRS fails to yield a solution with previously inferred genotypes, the algorithm backtracks to correct earlier predictions.

C. Threat Models Analyzed

The study evaluates three distinct attack scenarios:

1. Genotype Recovery: Inferring genotypes from a PRS value assuming public access to model parameters (effect weights).
2. Genealogy-Based Re-identification: Using recovered genotypes to query public genealogy databases (e.g., GEDMatch) to find relatives or the target individual.
3. PRS-Based Linkage: Linking a known individual's PRS to an anonymized genotype-phenotype database (e.g., UK Biobank) by checking for unique PRS matches without needing full genotype recovery.

3. Key Results

A. Genotype Recovery Accuracy

• High Accuracy: Using a panel of up to 50 SNPs, the method achieved a median genotype prediction accuracy of 94.6%, significantly outperforming baseline predictors (major allele or stochastic sampling).
• Ancestry Bias: Accuracy was higher for African (AFR) and East Asian (EAS) populations compared to European (EUR) populations. This is counter-intuitive but explained by the fact that most PRS models are derived from European GWAS data. In non-European populations, the effect alleles often have frequencies closer to 0 or 1, making genotypes more predictable (homozygous) and thus easier to recover.
• Robustness: The method remains effective (92.7% accuracy) even if the attacker does not know the target's specific ancestry, using universal allele frequencies.

B. Re-identification via Genealogy

• Recovered genotypes (even with ~5% error and covering only ~50% of necessary SNPs) were sufficient for 100% precision and recall in identifying the individual as "self" in a database.
• The method achieved ~90% precision/recall for first-degree relatives and ~85% precision for second-degree relatives.
• This demonstrates that sharing a PRS can compromise the privacy of an individual's entire genetic family tree.

C. Uniqueness and Linkage

• Single PRS as an Identifier: The authors developed an analytical framework showing that a single PRS with as few as 27 SNPs is sufficient to uniquely identify 95% of individuals in a large cohort (e.g., UK Biobank with 450K participants).
• Anonymity Set Size: In many cases, the median number of people sharing the same PRS value is very small (e.g., 2 people for a 14-SNP PRS), making linkage attacks highly probable.

D. Mitigation Strategy: Rounding Effect Weights

• The study proposes rounding effect weights (reducing decimal precision) as a simple mitigation.
• Impact on Privacy: Rounding increases the "density" of the subset-sum problem, making genotype recovery computationally infeasible. It also increases the "anonymity set size" (more people share the same rounded PRS), preventing linkage.
• Impact on Utility: Crucially, rounding had negligible impact on the distribution and utility of the PRS for clinical prediction.

4. Key Contributions

1. First Demonstration of PRS Leakage: The paper provides the first experimental evidence that PRS values can be reverse-engineered to recover genotypes with high accuracy.
2. Algorithmic Framework: Development of an efficient dynamic programming algorithm enhanced with meet-in-the-middle and likelihood estimation to solve the genotype recovery problem for PRS panels up to 50 variants.
3. Quantification of Risk:
   • Analysis of 4,723 PRS models in the PGS Catalog, finding that 447 models are vulnerable to genotype recovery.
   • Demonstration that PRSs can re-identify individuals and relatives in genealogy databases.
   • Proof that PRSs act as strong quasi-identifiers in large databases.
4. Practical Mitigation: Proposing a "rounding" strategy that preserves clinical utility while drastically reducing privacy risks.

5. Significance and Implications

• Paradigm Shift: The findings challenge the current consensus that PRSs are safe to share as summary statistics. They are effectively "fuzzy" identifiers that can be de-anonymized.
• Policy and Ethics: Current informed consent models and data governance frameworks (like GINA) may not adequately protect against these secondary privacy risks (e.g., re-identification of relatives or inference of unshared traits).
• Clinical Practice: As PRS integration into healthcare grows, data holders must implement privacy-preserving measures. The authors recommend releasing two versions of PRS models: high-precision for research reproducibility and rounded for clinical/consumer use.
• Vulnerable Populations: The study highlights that individuals of non-European ancestry face higher privacy risks due to biases in existing GWAS data, necessitating more diverse and privacy-aware genomic research.

In conclusion, the paper establishes that PRSs are not merely risk estimates but potential vectors for severe privacy breaches, necessitating immediate updates to data sharing protocols and privacy standards in genomics.