Genetic testing firm 1Health.io has been charged by the Federal Trade Commission (FTC) for leaving genetic and health data unsecured. The FTC also charged the firm for deceiving consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.

As part of a proposed settlement with the FTC, 1Health will be required to strengthen protections for genetic information and instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days.

California-based 1Health.io Inc., also known as Vitagene, Inc. before changing its name in October 2020, has sold DNA health test kits and used DNA test results, along with information consumers supplied, to provide the consumers with reports about their health, wellness and ancestry. The health reports include personal information about a consumer’s health and genetics, such as their level of risk for developing health problems based on their genotype data.

In its first case focused on both the privacy and security of genetic information, the FTC said in a complaint that Vitagene deceived consumers about its privacy and security practices. On its website, the company prominently touted its privacy and security, claiming to offer “Rock-solid security” and promised users that it “collects, processes, and stores your personal information in a responsible, transparent and secure environment.” From 2017 to 2020, the company also said it would only share consumers’ sensitive health and other personal information in limited circumstances such as providing information to a customer’s doctor or with the lab doing genetic testing. Vitagene also claimed on its website that it did not store DNA results with a consumer’s name or other identifying information; that consumers could delete their personal information at any time and that such data would be removed from all of the company’s servers; and that it would destroy DNA saliva samples shortly after they have been analyzed.

The FTC said Vitagene failed to keep these promises. Beginning in 2016, the company did not implement a policy to ensure that the lab that analyzed the DNA samples had a policy in place to destroy them. And in 2020, the company changed its privacy policy by retroactively expanding the types of third parties that it may share consumers’ data with to include, for example, supermarket chains and nutrition and supplement manufacturers — without notifying consumers who had previously shared personal data with the company or obtaining their consent to share such sensitive information, according to the complaint.

In addition, Vitagene’s security failures put consumers’ sensitive data at risk, the FTC said. According to the FTC, Vitagene stored in publicly accessible “buckets” on Amazon Web Service’s (AWS) cloud storage service nearly 2,400 health reports about consumers and raw genetic data of at least 227 consumers sometimes accompanied by a first name — despite promising users its security practices would exceed industry-standard security practices. Vitagene did not encrypt that data, restrict access to it, log or monitor access to it or inventory it to help ensure its security, according to the complaint.

Over a two-year period, Vitagene was warned at least three times that the company was storing unencrypted health, genetic, and other personal information in publicly accessible data buckets, according to the complaint. After a security researcher contacted the company in June 2019, the company finally investigated the issue and notified its customers whose data it had exposed publicly.

As part of the proposed order, the company:

• Will be prohibited from sharing health data with third parties — including information provided by consumers before and after its 2020 privacy policy change — without obtaining consumers’ affirmative express consent.
• Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order.
• Must notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data.
• Must implement a comprehensive information security program addressing the security failures outlined in the complaint.

The action follows on a biometric policy statement the FTC issued last month that warned against the misuse of biometric information that could harm consumers.