June 21, 2023
1Health.io, formerly known as Vitagene, a genetic testing company, finds itself in hot water as it faces consequences from the Federal Trade Commission (FTC) due to alleged violations of consumer privacy. This California-based company provided genetic testing kits that aimed to offer individuals valuable insights into their health, wellness, and ancestry, all from a simple DNA sample.
The recent complaint filed by the FTC against 1Health.io alleges that the company, which marketed its service as a secure user experience, failed to fulfill its promise of anonymizing DNA samples and appropriately storing sensitive information. Moreover, the complaint alleges that the company went back on its word to delete consumer data and dispose of genetic specimens after testing.
Allegations of Deception: FTC’s Complaint Against 1Health.io
The FTC complaint against 1Health.io focuses on several key allegations:
- The company stored genetic and health data for consumers in a publicly accessible cloud repository without appropriate access controls, encryption, or monitoring.
- Due to the lack of a data inventory, 1Health.io was unable to fulfill consumer requests to delete their data from its repositories.
- The company failed to ensure the proper destruction of saliva samples after analysis. Notably, it did not enforce contractual requirements for the laboratory handling the sequencing to destroy the specimens.
These privacy violations, and complaints about the sharing of personal information without notice, are not new territory for 1Health.io. In fact, over a period of more than two years, the company received three separate warnings from the FTC regarding its deceptive privacy and security practices.
1Health.io Genetic Testing Company Fined: Financial Penalty and Prohibitions
Under an FTC settlement proposal, 1Health.io would pay $75,000 in sanctions due to the exposed health reports. As part of the settlement, the genetic testing firm must adopt an information security program that reinforces protections for genetic information. Additionally, the company must instruct third-party contract laboratories to destroy any DNA samples retained for more than 180 days.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, cautioned that companies attempting to rewrite their privacy policies after the fact should be aware of the consequences. He stated that the FTC Act prohibits companies from unilaterally applying material changes in their privacy policies to data they have already collected.
Compliance Requirements: Information Security Program and Third-Party Assessment
1Health.io must implement an Information Security Program and may undergo third-party assessments to meet FTC compliance standards and safeguard consumer data. This will also strengthen privacy measures and address concerns raised in its FTC complaint. These steps are vitally important in meeting compliance obligations and upholding consumer trust.
The Information Security Program consists of policies, procedures, and safeguards designed to protect genetic information collected by 1Health.io as well as sensitive data collected through other channels. This plan should be tailored specifically for the needs and risks of handling genetic information while adhering to industry best practices.
Key elements of an Information Security Program could include:
- Risk evaluation: Conduct a detailed risk analysis regarding the collection, storage, and transmission of genetic and health data.
- Data security safeguards: Employ appropriate technical, administrative, and physical safeguards to ensure data privacy, integrity, and availability.
- Employee training and awareness: Conduct regular employee education programs on privacy and security best practices.
- Incident response and breach notification: Establish clear protocols and response procedures to address security incidents, including investigation, containment, and mitigation.
1Health.io may also undergo third-party evaluations as part of its Information Security Program, carried out by impartial auditors or assessors. These evaluations are meant to assess compliance with legal obligations and industry standards objectively.
The third-party evaluation procedure will involve the following:
- Security audits: Perform thorough reviews of the organization’s systems, infrastructure, and operational procedures to spot any flaws that might expose customer data to danger.
- Vulnerability scans and penetration testing: Execute routine scans and simulated attacks to find possible security holes and confirm the efficacy of current security measures.
- Compliance evaluations: Evaluate the organization’s compliance with pertinent laws, norms, and best practices, such as the FTC’s rules and security frameworks particular to the industry.
- Review of documentation: Check if the organization’s information security policy complies with applicable legal and industry standards.
Implementing an Information Security Program and conducting third-party assessments allow 1Health.io to demonstrate its dedication to safeguarding consumer data. The company must also demonstrate adherence to privacy regulations, thereby building trust among clients and decreasing the risk of future data privacy and security violations.