Governance & Risk Management , Privacy , Standards, Regulations & Compliance

FTC Orders to Improve DNA Data Privacy, Security

Agency Alleges 1Health Deceived Consumers About How It Handled Sensitive Data
FTC Orders to Improve DNA Data Privacy, Security
The U.S. Federal Trade Commission reached an agreement with over alleged privacy and security lapses. (Image: FTC)

A consumer genetic testing company must ensure the destruction of customer saliva samples and undergo third-party evaluation of its information security program for the next two decades under a proposed consent order with the U.S. Federal Trade Commission.

See Also: How Enterprise Browsers Enhance Security and Efficiency

California firm, previously known as Vitagene, also committed to paying $75,000 in an enforcement action that marks the FTC's first case focused on the privacy and security of genetic information.

The San Francisco company offers personalized diet and exercise plans fueled by genetic results. In a statement shared with Information Security Media Group, a company spokesperson complained about the agency investigation.

"The FTC with its many staff members has spent over five years investigating," the spokesperson said. "After five years of investigation they are charging a startup company with less than 20 employees $75,000."

In a separate statement, company CEO Mehdi Maghsoodnia accused the FTC of "government overreach" and said, "We disagree with many of the FTC's conclusions."

A security researcher in 2019 discovered unsecured DNA data of approximately 2,000 customers stored by Vitagene on the Amazon cloud and notified the media weeks after contacting the company. 1Health told ISMG it had kept 3,754 files on the publicly exposed S3 bucket.

The researcher's notification was the third warning Vitagene received over the course of two years, the FTC said in an administrative complaint.

In 2017, Amazon Web Services sent Vitagene an email containing a list of buckets open to the internet, and in 2018, a security testing firm hired by Vitagene to conduct a penetration test of its web application also sounded an alarm.

The agency also accused the company of making retroactive changes to its privacy policy. In 2020, it had revised the policy to state that it could share personal information with third parties, including supermarket chains and supplement makers. It didn't notify consumers who had already provided personal information to obtain their consent, the FTC said.

"Companies that try to change the rules of the game by rewriting their privacy policy are on notice,” said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data."

Vitagene's website claimed that it did not store DNA results with a consumer's name or other identifying information, that individuals could delete their personal data at any time and the information would be removed from the company's servers, and that it would destroy DNA saliva samples soon after they were analyzed, the FTC said.

The company failed to take those actions, deceiving consumers, the FTC charged.

Also, under the proposed consent order, 1Health must instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days. The company is also prohibited from sharing health data with third parties - including information provided by consumers before and after its 2020 privacy policy change - without obtaining consumers' affirmative express consent.

Also, 1Health must implement a comprehensive information security program and notify the FTC about incidents involving unauthorized disclosure of consumers' personal health data.

All three serving agency commissioners voted to accept the consent agreement. It is still subject to 30 days of public comment before commissioners must take another vote, typically only a formality.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.