
FTC Fines Genetic Testing Company for Data Privacy and Security Failures


A San Francisco-based company that sells DNA test kits and personalized diet and exercise plans based on genetic testing has been fined $75,000 by the Federal Trade Commission (FTC) and ordered to make improvements to its data privacy and security practices. The company is alleged to have left sensitive genetic and health data unsecured and deceived customers about its data-sharing practices.

1Health.io, which previously operated under the names Vitagene Inc. and Vitagene, is alleged to have violated the Federal Trade Commission Act by deceiving consumers about its data sharing, data deletion, and DNA sample destruction practices. According to the FTC’s complaint, consumers were told on the Vitagene website that the company had “rock solid security,” and that the company “collects, processes, and stores your personal information in a responsible, transparent, and secure environment.” Between 2017 and 2020, Vitagene informed consumers that their sensitive health and personal information would only be shared in limited circumstances, such as with their doctor or the lab performing the testing. Vitagene also told consumers that DNA results were not stored with names or other identifying information, that DNA samples would be destroyed after analysis, and that consumers could have their personal data deleted at any time.

According to the FTC, the company made retroactive changes to its privacy policy in 2020, updating it to state that the company would share personal information with third parties such as supermarket chains; however, consumers were not notified of the change. Any consumer who had already provided personal information to the company would not know that their personal data would now be shared with third parties unless they voluntarily rechecked the company’s privacy policy. Although the company claimed that DNA samples would be destroyed, from 2016 it had no policy requiring the labs that analyzed DNA samples to destroy them after analysis, and because the company did not maintain a data inventory from 2016 through July 1, 2019, it was unable to search its cloud storage repositories in response to consumers’ data deletion requests.

The FTC also determined that the company’s security practices put consumer data at risk. Consumers’ health reports were stored in an Amazon S3 bucket that could be accessed over the Internet. Almost 2,400 health reports were stored in the bucket; those reports included the raw genetic data of at least 227 consumers and, in some cases, the consumer’s first name. The data was not encrypted, access controls were not in place, and access logs were not maintained or monitored. The company was warned about the exposed data at least three times over the space of 2 years from 2017, yet took no action to secure the S3 buckets until a security researcher informed it of the data exposure in June 2019.
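As an added illustration (not code from the article or from the company), the three gaps the FTC cited, public reachability, no encryption at rest and no access logging, expressed as Terraform for the AWS provider, with the weak form beside the hardened form; the bucket names and the KMS key are placeholders.

```hcl
resource "aws_s3_bucket" "reports_weak" {
  bucket = "example-health-reports-weak" # placeholder name
}

# A public-read ACL makes every object readable by anyone on the Internet; no public-access block, encryption or logging is declared.
resource "aws_s3_bucket_acl" "reports_weak" {
  bucket = aws_s3_bucket.reports_weak.id
  acl    = "public-read"
}

# Hardened: the same bucket with the three gaps closed.
resource "aws_s3_bucket" "reports" {
  bucket = "example-health-reports" # placeholder name
}

# Reject public ACLs and public bucket policies, including ones added later.
resource "aws_s3_bucket_public_access_block" "reports" {
  bucket                  = aws_s3_bucket.reports.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_kms_key" "reports" {
  enable_key_rotation = true
}

# Encrypt every object at rest by default with the customer-managed key.
resource "aws_s3_bucket_server_side_encryption_configuration" "reports" {
  bucket = aws_s3_bucket.reports.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.reports.arn
    }
  }
}

# Separate private bucket that receives the access logs.
resource "aws_s3_bucket" "access_logs" {
  bucket = "example-health-reports-access-logs" # placeholder name
}

# Record every request against the report bucket so exposure can be detected.
resource "aws_s3_bucket_logging" "reports" {
  bucket        = aws_s3_bucket.reports.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "health-reports/"
}
```

The log bucket needs its own public-access block and a policy allowing S3 log delivery, and logging only closes the gap the FTC described if the logs are actually reviewed or alerted on.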

In addition to the financial penalty, 1Health.io has been prohibited from sharing consumer data with third parties without first obtaining affirmative express consent and must implement a comprehensive information security program that addresses all security deficiencies outlined in the FTC complaint. 1Health.io must also have its information security program assessed by a qualified, objective, independent third-party professional within 180 days, and every two years thereafter for the next 20 years.

While 1Health.io agreed to settle the case, it disagreed with many of the FTC’s conclusions. “The Vitagene application was created in early 2016. In 2016 a contract test engineer was hired to test the application remotely. The contract test engineer put some customer files on an open Amazon S3 bucket which was against the security policy of the company. These files were discovered by a white hacker in 2019 who reported them to Vitagene and Bloomberg news,” explained a spokesperson for 1Health.io in a statement provided to The HIPAA Journal. “There were 3754 total files on the S3 bucket that were publicly exposed and, after our internal investigation, we could identify less than 3000 customers from 2016 and 2017 that might have had their information exposed to the public. There was no record of any such exposure but since the files were not protected, they could have been accessed. We notified all customers and provided a year of identity protection for free to those customers. We have not had a single consumer complaint from this incident in the past 6 years.”

1Health.io also pointed out that the FTC spent 5 years investigating this case before imposing a $75,000 fine on a startup company with fewer than 20 employees, while data breaches at clinical laboratory networks such as LabCorp and Quest Diagnostics have not resulted in fines, even though those breaches were the result of security lapses that exposed the sensitive data of millions of individuals.

The post FTC Fines Genetic Testing Company for Data Privacy and Security Failures appeared first on HIPAA Journal.
