FTC accuses genetic testing company of exposing sensitive health data

The case is the latest in a series of FTC enforcement actions focused on health data privacy and the first involving genetic information.

The Federal Trade Commission on Friday accused the genetic health testing firm 1health.io of failing to protect sensitive genetic and health data, the latest in a series of FTC enforcement actions focused on health data privacy and the first involving genetic information.

The FTC alleges that the California-based 1health, previously known as Vitagene, deceived customers about its privacy policy, retroactively changed that policy and misled customers about its process for deleting data. The company will pay $75,000 to the FTC for consumer refunds as part of a settlement with the agency.

“Companies that try to change the rules of the game by re-writing their privacy policy are on notice,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

Vitagene’s DNA test kits provide reports that include personal information such as ancestry and level of risk for certain health problems, such as high triglycerides and obesity. According to its website, 1health provides testing to corporate and government clients.

According to the complaint, Vitagene stored nearly 2,400 records belonging to at least 227 consumers in publicly accessible data buckets on Amazon Web Services, exposing sensitive consumer and raw genetic data, some of which was tied to consumers’ names. Vitagene claimed that it did not store DNA results connected with identifying information.

According to the FTC, Vitagene was warned three times that the unencrypted health and user data was publicly accessible but only fixed the issue and notified customers in 2019 after a security researcher shared their findings with the media.

The FTC accused the company of deceiving customers by failing to follow through with its promises to customers that they could delete their data at any time. The company later began sharing customer information with third parties without notifying customers of the change.

As part of the proposed order, 1health will be prohibited from sharing health data with third parties without obtaining affirmative customer consent. It must also implement a new security program to address the security concerns in the complaint and notify the FTC about any incidents of unauthorized disclosures of consumer health data. 1health will be required to destroy all DNA samples retained for more than 180 days.

The proposed agreement will be made available for public comment for 30 days before the agency reaches a final settlement.

1health CEO Mehdi Maghsoodnia called the FTC investigation a “case of extraordinary government overreach.”

In a statement, Maghsoodnia said the company first learned in July 2019 that a “small number of customer files had been inadvertently stored in a publicly accessible location” but that the company has no evidence they were “improperly accessed.”

“In response, the FTC launched an investigation which has now dragged on for nearly four years,” Maghsoodnia said. “Ultimately, we disagree with many of the FTC’s conclusions. But we look forward to finally putting this matter behind us.”

Updated June 16, 2023: To include comment from 1health.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.