DNA testing company failed to protect sensitive genetic and health data, says FTC

DNA testing has long been a hot-button issue for security and privacy. Concerns about everything from law enforcement and data retention to job offers and insurance have all been examined at great length. With millions of people signing up to use these services, it was only a matter of time before something went wrong.

Well, the inevitable legal clash is now here, courtesy of the Federal Trade Commission, which has made a complaint in relation to an alleged failure to protect client privacy. From the FTC release:

The Federal Trade Commission charged that the genetic testing firm left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.

According to the FTC, close to 2,400 reports about consumers and “raw genetic data” of at least 227 people were at risk. This is because, despite claims of rock solid security, sensitive data was being stored in publicly accessible Amazon Web Services buckets. According to the complaint, the data in the storage buckets was not encrypted, no monitoring was taking place with regard to who was accessing it, and there were no access restrictions in place either.

In fact, the company was warned “at least” three times across a two-year period about the insecure buckets. When a security researcher contacted the company in 2019 regarding the buckets, the issue was finally investigated and the customers whose data was potentially exposed were notified.
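The three bucket failures listed in the complaint (no access restrictions, no encryption, no access monitoring) are all things a configuration audit can flag. The following is an added example, not code from the FTC or the company: the snapshot dictionaries, their key names, the bucket names and `audit_bucket` are constructed for illustration, loosely modelled on fields returned by the Amazon S3 configuration APIs.

```python
import json

# Group URI that S3 ACLs use to mean "anyone on the internet".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket(cfg):
    """Return sorted finding codes for one bucket configuration snapshot."""
    findings = set()
    pab = cfg.get("PublicAccessBlock") or {}
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.add("public-access-block-incomplete")
    for grant in cfg.get("AclGrants", []):
        if grant.get("Grantee", {}).get("URI") == ALL_USERS:
            findings.add("acl-grants-all-users")
    policy = json.loads(cfg["Policy"]) if cfg.get("Policy") else {}
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        # An unconditional Allow to a wildcard principal means no access restriction.
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            findings.add("policy-allows-anyone")
    if not cfg.get("EncryptionRules"):
        findings.add("no-default-encryption")
    if not cfg.get("LoggingEnabled"):  # server access logging only
        findings.add("no-access-logging")
    return sorted(findings)

# Constructed snapshots: one with the weak settings, one with them corrected.
EXPOSED = {
    "PublicAccessBlock": None,
    "AclGrants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    "Policy": json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*"}]}),
    "EncryptionRules": [],
    "LoggingEnabled": None,
}
HARDENED = {
    "PublicAccessBlock": {flag: True for flag in PAB_FLAGS},
    "AclGrants": [],
    "Policy": None,
    "EncryptionRules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
    "LoggingEnabled": {"TargetBucket": "example-access-logs"},
}
```
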

Elsewhere, promises related to destroying retained DNA samples with a consumer’s name or other identifying information were not kept. 1Health—previously known as Vitagene—claimed on its website that DNA was not stored, and that consumers could delete their personal information at any time. When such a request was made, the company said, the data would be scrubbed from the company’s servers and all DNA saliva samples would be similarly destroyed once they had been analyzed.

However, from 2016 the company “did not implement a policy to ensure that the lab that analysed the DNA samples had a policy in place to destroy them”, alleges the FTC. In 2020, the company’s privacy policy was changed to retroactively expand the kinds of third parties that it could potentially share consumers’ data with.

Some examples given are supermarket chains and nutrition/supplement manufacturers. There was no need to notify consumers who had previously shared personal data with the company, nor was there a need to obtain their consent to share it, according to the complaint.

In terms of what happens next, the DNA firm must pay $75,000, which the FTC will use for consumer refunds. Additionally, under the proposed order, the company:

  • Will be prohibited from sharing health data with third parties—including information provided by consumers before and after its 2020 privacy policy change—without obtaining consumers’ affirmative express consent;
  • Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order;
  • Must notify the FTC about incidents of unauthorised disclosure of consumers’ personal health data; and
  • Must implement a comprehensive information security program addressing the security failures outlined in the complaint.

All of this is in addition to the DNA deletion requirement.

The consent agreement package will be made live soon, at which point the public can comment for 30 days prior to the decision on whether the proposed consent order is made final.

This may be the case that makes people think twice about handing over valuable DNA data to organisations claiming to use top-of-the-line security measures alongside consumer-friendly privacy policies. If major alterations can be applied retroactively, you may be at risk. The FTC has this to say:

“Companies that try to change the rules of the game by re-writing their privacy policy are on notice. The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

Depending on both your location and that of the company you handed your data to, the FTC may not be able to do anything about it should something go wrong at a later date.
