As part of a proposed settlement with the FTC, 1Health will be required to strengthen protections for genetic information and instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days.
California-based 1Health.io Inc., also known as Vitagene, Inc. before changing its name in October 2020, has sold DNA health test kits and used DNA test results, along with information consumers supplied, to provide the consumers with reports about their health, wellness and ancestry. The health reports include personal information about a consumer’s health and genetics, such as their level of risk for developing health problems based on their genotype data.
In its first case focused on both the privacy and security of genetic information, the FTC said in a complaint that Vitagene deceived consumers about its privacy and security practices. On its website, the company prominently touted its privacy and security, claiming to offer “Rock-solid security” and promising users that it “collects, processes, and stores your personal information in a responsible, transparent and secure environment.” From 2017 to 2020, the company also said it would only share consumers’ sensitive health and other personal information in limited circumstances, such as providing information to a customer’s doctor or to the lab doing the genetic testing. Vitagene also claimed on its website that it did not store DNA results with a consumer’s name or other identifying information; that consumers could delete their personal information at any time and that such data would be removed from all of the company’s servers; and that it would destroy DNA saliva samples shortly after they had been analyzed.
In addition, Vitagene’s security failures put consumers’ sensitive data at risk, the FTC said. According to the FTC, Vitagene stored in publicly accessible “buckets” on Amazon Web Services’ (AWS) cloud storage service nearly 2,400 health reports about consumers and the raw genetic data of at least 227 consumers, sometimes accompanied by a first name — despite promising users its security practices would exceed industry-standard security practices. Vitagene did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it to help ensure its security, according to the complaint.
Over a two-year period, Vitagene was warned at least three times that the company was storing unencrypted health, genetic, and other personal information in publicly accessible data buckets, according to the complaint. After a security researcher contacted the company in June 2019, the company finally investigated the issue and notified its customers whose data it had exposed publicly.
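The three gaps the complaint lists (public exposure, no encryption, no access logging) are exactly what a routine storage audit should catch. The following is an added example, not code from the FTC, the company, or AWS: it scores constructed bucket settings, shaped like the responses boto3's S3 client returns, against those three controls. Bucket names and values are hypothetical.

```python
from typing import Any, Dict, List

# Constructed responses in the shape boto3's S3 client returns for
# get_public_access_block, get_bucket_encryption and get_bucket_logging.
# In a live run an absent configuration surfaces as a ClientError; the
# caller catches it and passes {} so the absence counts as a finding.
# Bucket names are hypothetical.
INVENTORY = {
    "reports-bucket-weak": {
        "public_access": {},   # no public access block configured at all
        "encryption": {},      # no default encryption rule
        "logging": {},         # server access logging never enabled
    },
    "reports-bucket-hardened": {
        "public_access": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        "logging": {"LoggingEnabled": {"TargetBucket": "audit-logs",
                                       "TargetPrefix": "s3/"}},
    },
}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name: str, cfg: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return one finding per missing control for a single bucket."""
    findings = []
    pab = cfg["public_access"].get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k, False)]
    if missing:  # any unset flag leaves a path to public exposure
        findings.append(f"{name}: public access not blocked ({', '.join(missing)})")
    rules = cfg["encryption"].get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append(f"{name}: no default server-side encryption")
    if "LoggingEnabled" not in cfg["logging"]:  # no record of who read the data
        findings.append(f"{name}: server access logging disabled")
    return findings


def audit_inventory(inventory: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Audit every bucket; buckets with no findings map to an empty list."""
    return {name: audit_bucket(name, cfg) for name, cfg in inventory.items()}


if __name__ == "__main__":
    for bucket, findings in audit_inventory(INVENTORY).items():
        print(bucket, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

In a live environment the same checks run over `list_buckets()` output, and a non-empty finding list for any bucket holding health or genetic data is the signal to act before a researcher or an attacker does.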
As part of the proposed order, the company:
- Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order.
- Must notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data.
- Must implement a comprehensive information security program addressing the security failures outlined in the complaint.
The action follows a biometric policy statement the FTC issued last month that warned against the misuse of biometric information that could harm consumers.