FTC Fines Genetic Testing Company for Data Privacy and Security Failures
A San Francisco-based company that sells DNA test kits and personalized diet and exercise plans based on genetic testing has been fined $75,000 by the Federal Trade Commission (FTC) and ordered to make improvements to its data privacy and security practices. The company is alleged to have left sensitive genetic and health data unsecured and deceived customers about its data-sharing practices.
1Health.io, which previously operated under the names Vitagene Inc. and Vitagene, is alleged to have violated the Federal Trade Commission Act by deceiving consumers about its data sharing, data deletion, and DNA sample destruction practices. According to the FTC’s complaint, consumers were informed on the Vitagene website that the company had “rock solid security,” and that the company “collects, processes, and stores your personal information in a responsible, transparent, and secure environment.” Between 2017 and 2020, Vitagene informed consumers that their sensitive health and personal information would only be shared in limited circumstances, such as with their doctor or the lab that was performing the testing. Vitagene also told consumers that DNA results were not stored with names or other identifying information, that DNA samples would be destroyed after analysis, and that consumers could have their personal data deleted at any time.
According to the FTC, the company made retroactive changes to its privacy policy in 2020, updating it to state that the company would share personal information with third parties such as supermarket chains; however, consumers were not notified about the change. Any consumer who had already provided personal information to the company would not be aware that their personal data would now be shared with third parties unless they voluntarily rechecked the company’s privacy policy. While the company claimed that DNA samples would be destroyed, from 2016 it had no policy in place requiring the labs that analyzed DNA samples to destroy them after analysis, and because the company did not maintain a data inventory from 2016 through July 1, 2019, it was unable to search its cloud storage repositories in response to consumers’ data deletion requests.
The FTC also determined that the company’s security practices put consumer data at risk. Consumers’ health reports were stored in an Amazon S3 bucket that could be accessed over the Internet. Almost 2,400 health reports were stored in the bucket; those reports included the raw genetic data of at least 227 consumers and, in some cases, the consumer’s first name. The data was not encrypted, access controls were not in place, and access logs were not maintained or monitored. The company was warned about the exposed data at least three times over two years starting in 2017, yet took no action to secure the bucket until it was informed about the data exposure by a security researcher in June 2019.
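The three gaps the FTC cited (Internet-reachable bucket, no encryption at rest, no access logging) map directly onto three S3 bucket settings an owner can audit. The following is an added example, not code from HIPAA Journal or from the company; it assumes the inputs are dicts shaped like boto3’s responses to `get_public_access_block`, `get_bucket_encryption` and `get_bucket_logging`, and the two sample configurations are constructed, not captured from any real bucket.

```python
"""Audit an S3 bucket's posture for the three controls the complaint says were missing.

Added example; the sample responses below are constructed. In a live audit the
dicts would come from boto3 S3 client calls, treating a
NoSuchPublicAccessBlockConfiguration or ServerSideEncryptionConfigurationNotFoundError
ClientError as an empty dict (that is, the control is absent).
"""
from typing import Dict, List

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(public_access_block: Dict, encryption: Dict, logging: Dict) -> List[str]:
    """Return a list of findings; an empty list means all three controls are present."""
    findings = []
    # Internet reachability: all four Block Public Access flags must be set.
    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append("public access not fully blocked")
    # Encryption at rest: at least one default SSE rule (SSE-S3 or SSE-KMS).
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption")
    # Access logging: server access logs must be delivered to a target bucket.
    if not logging.get("LoggingEnabled", {}).get("TargetBucket"):
        findings.append("server access logging disabled")
    return findings


# Constructed sample: a bucket left the way the complaint describes (no controls at all).
EXPOSED = {"public_access_block": {}, "encryption": {}, "logging": {}}

# Constructed sample: the same bucket after remediation.
HARDENED = {
    "public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs", "TargetPrefix": "s3/"}},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_bucket(**cfg) or ["ok"])
```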
In addition to the financial penalty, 1Health.io has been prohibited from sharing consumer data with third parties without first obtaining affirmative express consent and must implement a comprehensive information security program that addresses all security deficiencies outlined in the FTC complaint. 1Health.io must also have its information security program assessed by a qualified, objective, independent third-party professional within 180 days, and every two years thereafter for the next 20 years.
While 1Health.io agreed to settle the case, it disagreed with many of the FTC’s conclusions.
The post FTC Fines Genetic Testing Company for Data Privacy and Security Failures appeared first on HIPAA Journal.