Genetic Testing Company Slapped with FTC Fine Over Data Privacy and Security Breaches

Genetic Testing Company Slapped with FTC Fine Over Data Privacy and Security Breaches

June 21, 2023

1Health.io, formerly known as Vitagene, a genetic testing company, finds itself in hot water as it faces consequences from the Federal Trade Commission (FTC) due to alleged violations of consumer privacy. This California-based company provided genetic testing kits that aimed to offer individuals valuable insights into their health, wellness, and ancestry, all from a simple DNA sample.

The recent complaint filed by the FTC vs 1Health.io revealed that the data breach on 1Health.io, which was marketed as a secure user experience, failed to fulfill its promise of anonymizing DNA samples and appropriately storing sensitive information. Moreover, allegations state that the company went back on its word to delete consumer data and dispose of genetic specimens after testing.

genetic testing company fined

Allegations of Deception: FTC’s Complaint Against 1HEalth.io

The FTC complaint against 1Health.io focuses on several key allegations:

  • The company stored genetic and health data for consumers in a publicly accessible cloud repository without appropriate access controls, encryption, or monitoring.
  • Due to the lack of a data inventory, 1Health.io was unable to fulfill consumer requests to delete their data from its repositories.
  • The company failed to ensure the proper destruction of saliva samples after analysis. Notably, it did not enforce contractual requirements for the laboratory handling the sequencing to destroy the specimens.

Notably, 1Health.io made significant changes to its privacy policy, which only added to its woes. The revised policy expanded the scope of companies with which customer data could be shared, including supermarkets, nutrition, and supplement manufacturers.

These privacy violations and complaints about the unnotified sharing of personal information are not new territories for 1Health.io. In fact, for over two years, the company received three separate warnings from the FTC regarding its deceptive privacy and security practices.

Genetic Testing Company Slapped with FTC Fine Over Data Privacy and Security Breaches

1HEalth.io Genetic Testing Company Fined: Financial Penalty and Prohibitions 

Under an FTC settlement proposal, 1Health.io would pay $75,000 in sanctions due to the exposed health reports. As part of the settlement, the genetic testing firm must adopt an information security program that reinforces protections for genetic information. Additionally, the company must instruct third-party contract laboratories to destroy any DNA samples retained for more than 180 days.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, cautioned that companies attempting to modify their privacy policies to alter the situation’s dynamics should be aware of the consequences. He stated that the FTC Act prohibits companies from unilaterally imposing substantial changes to previously gathered data in their privacy policies.

Compliance Requirements: Information Security Program and Third-Party Assessment

1Health.io must implement an Information Security Program and may undergo third-party assessments to meet FTC compliance standards and safeguard consumer data. This will also strengthen privacy measures and address concerns raised in its FTC complaint. These steps are vitally important in meeting compliance obligations and upholding consumer trust.

The Information Security Program consists of policies, procedures, and safeguards designed to protect genetic information collected by 1Health.io as well as sensitive data collected through other channels. This plan should be tailored specifically for the needs and risks of handling genetic information while adhering to industry best practices.

Key elements of an Information Security Program could include:

  • Risk evaluation: Conduct a detailed risk analysis regarding the collection, storage, and transmission of genetic and health data.
  • Data security safeguards: Employ appropriate technical, administrative, and physical safeguards to ensure data privacy, integrity, and availability.
  • Employee training and awareness: Conduct regular employee education programs on privacy and security best practices.
  • Incident response and breach notification: Establish clear protocols and response procedures to address security incidents, including investigating, containment, and mitigation efforts.

Genetic Testing Company Slapped with FTC Fine Over Data Privacy and Security Breaches

1Health.io may also undergo third-party evaluations as part of its Information Security Program, which impartial auditors or assessors will carry out. Through these third-party evaluations, compliance with legal obligations and industry standards is meant to be evaluated objectively.

The third-party evaluation procedure will involve the following:

  • Security audits: Perform thorough reviews of the organization’s systems, infrastructure, and operational procedures to spot any flaws that might expose customer data to danger.
  • Vulnerability scans and penetration testing: Execute routine scans and simulated assaults to find possible security holes and confirm the efficacy of current security measures.
  • Compliance evaluations: Evaluate the organization’s compliance with pertinent laws, norms, and best practices, such as the FTC’s rules and security frameworks particular to the industry.
  • Review of documentation: Check if the organization’s information security policy complies with applicable legal and industry standards.

Implementing an Information Security Program and conducting third-party assessments allows 1Health.io to demonstrate its dedication to safeguarding consumer data. They must also demonstrate adherence to privacy regulations, thereby building trust among clients and decreasing the risk of future data privacy and security violations.

More great articles
what happens if a nurse violates HIPAA regulations
What Happens if a Nurse Violates HIPAA?

Find out what happens if a nurse violates HIPAA and the potential consequences they may face.

Read Story
Confidentiality Matters: Understanding HIPAA Waiver Forms
Confidentiality Matters: Understanding HIPAA Waiver Forms

In this article, you will be taking a deep dive into the significance of HIPAA waiver forms and their role…

Read Story
vmware aria vulnerability
Cyber Attackers Exploit Vulnerabilities in VMware Aria Operations for Networks

VMware made an alarming announcement confirming an exploited vulnerability on VMware Aria Operations for Networks.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.
    Arrow-up