FTC claims genetic testing company publicly exposed health data
In its first case focused on the security and privacy of genetic information, the Federal Trade Commission has charged genetic testing company 1Health.io with failing to secure its customers’ genetic data by storing health reports of more than 2,000 of its customers in the cloud without encryption or access controls.
The San Francisco-based firm, called Vitagene prior to a 2020 name change, sold “DNA Health Test Kits” that instructed customers to send in a saliva sample by mail and fill out an online questionnaire about their health, ancestry and lifestyle. It used the information to generate health and wellness reports identifying a customer’s risk of developing certain health conditions like high cholesterol or obesity based on their genetics, bundling the data along with vitamin subscriptions and nutritional coaching for a product package that could cost up to $259.
The crux of the FTC’s complaint is that despite assurances about its “rock solid security,” Vitagene for years stored consumer health and genetic data in unencrypted Amazon Web Services buckets that could be accessed by anyone. The company received at least three warnings between 2017 and 2019, from AWS, a security testing company and a cybersecurity researcher who emailed Vitagene about the problem, yet it failed to encrypt, monitor, or restrict access to the information, the FTC claims. One researcher notified the media about his findings in 2019, forcing the company to acknowledge its error and investigate. But since it had no access logs, it could not determine when the data had been accessed, or if any third parties other than the researcher had downloaded any customer information, the FTC’s complaint says.
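The three controls the complaint says were missing (restricted access, encryption at rest, and access logs that could answer who read the data and when) can be checked mechanically. The following is an added example, not code from the article or from 1Health.io; it evaluates the dict shapes the S3 API returns, so the audit logic runs offline on constructed responses, and it assumes boto3/botocore only for the optional fetcher.

```python
REQUIRED_PAB = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
SSE_ALGORITHMS = {"AES256", "aws:kms", "aws:kms:dsse"}

def audit_bucket(name, public_access_block, policy_status, encryption, logging_cfg):
    """Return a list of findings for one bucket (empty means all three controls are present).
    Arguments are the dicts the S3 API returns, or None when the configuration is absent:
      public_access_block: GetPublicAccessBlock  -> PublicAccessBlockConfiguration
      policy_status:       GetBucketPolicyStatus -> PolicyStatus
      encryption:          GetBucketEncryption   -> ServerSideEncryptionConfiguration
      logging_cfg:         GetBucketLogging      -> LoggingEnabled
    """
    findings = []
    # 1. Access control: every public-access-block flag on, and no policy that is already public.
    pab = public_access_block or {}
    off = [k for k in REQUIRED_PAB if not pab.get(k)]
    if off:
        findings.append(f"{name}: public access block incomplete (off: {', '.join(off)})")
    if (policy_status or {}).get("IsPublic"):
        findings.append(f"{name}: bucket policy grants public access")
    # 2. Encryption at rest: a default server-side encryption rule must exist.
    rules = (encryption or {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & SSE_ALGORITHMS:
        findings.append(f"{name}: no default server-side encryption")
    # 3. Access logging: without server access logs nobody can later say who read the data, or when.
    if not (logging_cfg or {}).get("TargetBucket"):
        findings.append(f"{name}: server access logging disabled")
    return findings

def _get_or_none(call, missing_code, key):
    """Run one boto3 getter; return response[key], or None if AWS says the config does not exist."""
    from botocore.exceptions import ClientError  # assumption: boto3/botocore installed
    try:
        return call()[key]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == missing_code:
            return None
        raise

def fetch_bucket_state(s3, name):
    """Collect the responses audit_bucket() needs from a boto3 S3 client (s3 = boto3.client('s3'))."""
    return {
        "public_access_block": _get_or_none(lambda: s3.get_public_access_block(Bucket=name),
                                            "NoSuchPublicAccessBlockConfiguration", "PublicAccessBlockConfiguration"),
        "policy_status": _get_or_none(lambda: s3.get_bucket_policy_status(Bucket=name),
                                      "NoSuchBucketPolicy", "PolicyStatus"),
        "encryption": _get_or_none(lambda: s3.get_bucket_encryption(Bucket=name),
                                   "ServerSideEncryptionConfigurationNotFoundError", "ServerSideEncryptionConfiguration"),
        "logging_cfg": s3.get_bucket_logging(Bucket=name).get("LoggingEnabled"),
    }
```

Run `audit_bucket(name, **fetch_bucket_state(s3, name))` over every bucket in an account; a bucket in the state the complaint describes yields all four findings.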
The regulator further claims that in 2020, Vitagene retroactively changed its privacy policy around sharing sensitive personal information with third parties like supermarket chains, pharmacies and dietary supplement makers without telling its customers.
Vitagene also allegedly failed to ensure its customers’ saliva samples were destroyed after analysis by a third-party lab, the FTC says.
“Companies that try to change the rules of the game by re-writing their privacy policy are on notice,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement Friday. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”
In an email, a 1Health.io spokesperson said a contract test engineer Vitagene hired back in 2016 to test its application remotely put some customer files in an open Amazon S3 bucket “which was against the security policy of the company.” The spokesperson added that of the 3,754 total files in the S3 bucket that were publicly exposed, an internal investigation could identify “less than 3000 customers from 2016 and 2017 that might have had their information exposed to the public. There was no record of any such exposure but since the files were not protected, they could have been accessed.”
They said Vitagene notified all consumers of the exposure, and provided a free year of identity protection. “We have not had a single consumer complaint from this incident in the past 6 years,” the spokesperson said.
A proposed settlement requires 1Health.io to pay $75,000 to refund consumers. It will also be prohibited from sharing health information with other companies without customer consent, and must beef up its security program and notify the FTC about any incidents where customer data is exposed.
In an email, 1Health.io CEO Mehdi Maghsoodnia defended the company, and said the FTC had overreached. “In July 2019, we were for the first time alerted to the fact that a small number of customer files had been inadvertently stored in a publicly accessible location. There is no evidence these customer files were improperly accessed. In response, the FTC launched an investigation which has now dragged on for nearly four years. This is a case of extraordinary government overreach,” he said. “Ultimately, we disagree with many of the FTC’s conclusions. But we look forward to finally putting this matter behind us.”