Genetic Testing Company Slapped with FTC Fine Over Data Privacy and Security Breaches


June 21, 2023: A genetic testing company formerly known as Vitagene finds itself in hot water as it faces consequences from the Federal Trade Commission (FTC) over alleged violations of consumer privacy. This California-based company sold genetic testing kits that promised individuals insights into their health, wellness, and ancestry from a simple DNA sample.

The recent FTC complaint against the company revealed that its service, which was marketed as a secure user experience, failed to fulfill its promise of anonymizing DNA samples and appropriately storing sensitive information. Moreover, the complaint alleges that the company went back on its word to delete consumer data and dispose of genetic specimens after testing.


Allegations of Deception: FTC’s Complaint Against the Company

The FTC complaint against the company focuses on several key allegations:

  • The company stored genetic and health data for consumers in a publicly accessible cloud repository without appropriate access controls, encryption, or monitoring.
  • Because it lacked a data inventory, the company was unable to fulfill consumer requests to delete their data from its repositories.
  • The company failed to ensure the proper destruction of saliva samples after analysis. Notably, it did not enforce contractual requirements for the laboratory handling the sequencing to destroy the specimens.
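The first allegation (a publicly accessible repository with no access controls, encryption, or monitoring) is exactly the kind of finding that can be checked continuously rather than discovered in a complaint. As an added example that is not code from the article or from the company it describes, the script below audits a bucket configuration for those three controls. It assumes the bucket policy is in the AWS S3/IAM JSON policy format and uses three hypothetical summary fields (block_public_access, default_encryption, access_logging_target); both sample buckets are constructed for illustration.

```python
"""Policy-as-code check for the three storage control gaps the FTC complaint
names: a publicly accessible repository, no encryption at rest, no monitoring.

Added example, not code from the article or from the company it describes.
Assumes the AWS S3/IAM JSON policy format for the bucket policy and three
hypothetical summary fields; the sample buckets are constructed.
"""
import json


def _as_list(value):
    """Policy fields such as Statement or Principal.AWS may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """True if the Principal grants to everyone: "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def public_statements(policy_doc: str) -> list[str]:
    """Return Sids (or positional labels) of Allow statements granting access to any principal.

    Deny statements with Principal "*" (for example a deny on insecure transport) are a
    common hardening pattern, so only Allow grants are reported. A public Allow scoped
    by a Condition is still reported, marked for manual review, because a condition
    does not by itself prove the grant is restricted to known callers.
    """
    policy = json.loads(policy_doc)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Condition"):
            label += " (scoped by Condition, review manually)"
        findings.append(label)
    return findings


def audit_bucket(bucket: dict) -> list[str]:
    """Return findings for the three controls; an empty list means all three are present."""
    issues = []
    # A bucket-level public access block overrides a public Allow in the policy.
    if not bucket.get("block_public_access", False):
        for label in public_statements(bucket["policy"]):
            issues.append(f"public access: statement {label} allows any principal")
    if not bucket.get("default_encryption"):
        issues.append("no default encryption at rest configured")
    if not bucket.get("access_logging_target"):
        issues.append("no access logging target configured (no monitoring)")
    return issues


# Constructed sample: the weak configuration the complaint describes.
WEAK_BUCKET = {
    "name": "example-health-reports",
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-health-reports/*",
        }],
    }),
    "block_public_access": False,
    "default_encryption": None,
    "access_logging_target": None,
}

# Constructed sample: the same bucket with the three controls in place.
HARDENED_BUCKET = {
    "name": "example-health-reports",
    "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReportServiceOnly",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportService"},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::example-health-reports/*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::example-health-reports/*",
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }),
    "block_public_access": True,
    "default_encryption": "aws:kms",
    "access_logging_target": "example-audit-logs",
}


if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or ["no findings"])
```

Run against the weak bucket the audit reports all three gaps; against the hardened bucket it reports nothing, and the broad Deny statement is correctly not treated as public exposure. In a real environment the three summary fields would be populated from the provider's API rather than hand-written.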

Notably, the company made significant changes to its privacy policy, which only added to its woes. The revised policy expanded the set of companies with which customer data could be shared to include supermarkets, nutrition companies, and supplement manufacturers.

These privacy violations and complaints about sharing personal information without notice are not new territory for the company. In fact, over a period of more than two years, the company received three separate warnings from the FTC regarding its deceptive privacy and security practices.

Genetic Testing Company Fined: Financial Penalty and Prohibitions

Under the proposed FTC settlement, the company would pay $75,000 in sanctions over the exposed health reports. As part of the settlement, the genetic testing firm must adopt an information security program that reinforces protections for genetic information. Additionally, the company must instruct third-party contract laboratories to destroy any DNA samples retained for more than 180 days.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, cautioned that companies that rewrite their privacy policies after the fact to change the rules should be aware of the consequences. He stated that the FTC Act prohibits companies from unilaterally applying material privacy policy changes to data they had already collected under an earlier policy.

Compliance Requirements: Information Security Program and Third-Party Assessment

The company must implement an Information Security Program and may undergo third-party assessments to meet FTC compliance standards and safeguard consumer data. These measures will also strengthen its privacy protections and address the concerns raised in the FTC complaint. They are vital to meeting compliance obligations and upholding consumer trust.

The Information Security Program consists of policies, procedures, and safeguards designed to protect the genetic information the company collects, as well as sensitive data collected through other channels. The program should be tailored to the specific needs and risks of handling genetic information while adhering to industry best practices.

Key elements of an Information Security Program could include:

  • Risk evaluation: Conduct a detailed risk analysis regarding the collection, storage, and transmission of genetic and health data.
  • Data security safeguards: Employ appropriate technical, administrative, and physical safeguards to ensure data privacy, integrity, and availability.
  • Employee training and awareness: Conduct regular employee education programs on privacy and security best practices.
  • Incident response and breach notification: Establish clear protocols and response procedures for security incidents, covering investigation, containment, and mitigation.

The company may also undergo third-party evaluations as part of its Information Security Program, carried out by impartial auditors or assessors. These evaluations are meant to assess compliance with legal obligations and industry standards objectively.

The third-party evaluation procedure will involve the following:

  • Security audits: Perform thorough reviews of the organization’s systems, infrastructure, and operational procedures to spot any flaws that could put customer data at risk.
  • Vulnerability scans and penetration testing: Run routine scans and simulated attacks to find possible security holes and confirm the efficacy of current security measures.
  • Compliance evaluations: Evaluate the organization’s compliance with pertinent laws, norms, and best practices, such as the FTC’s rules and industry-specific security frameworks.
  • Review of documentation: Check whether the organization’s information security policy complies with applicable legal and industry standards.

Implementing an Information Security Program and conducting third-party assessments allows the company to demonstrate its dedication to safeguarding consumer data. It must also demonstrate adherence to privacy regulations, thereby building trust among clients and decreasing the risk of future data privacy and security violations.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.
