FTC Charges Genetic Testing Company 1Health.io with Privacy and Security Failures

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s look at a new case by the Federal Trade Commission (FTC or Commission) and consider how the Commission is setting its sights on sensitive genetic information.

Background: On June 16, 2023, the FTC filed a complaint against 1Health.io, a genetic testing company, accusing it of inadequate protection of sensitive DNA data, making deceptive privacy and security statements, and unfairly changing its privacy policy without consumers' consent.

1Health.io, formerly known as Vitagene, is a California-based company that offers DNA health test kits. It analyzes the results alongside consumer-provided information to deliver health, wellness, and ancestry reports as part of product packages ranging from $29 to $259. These reports contain highly personal details, such as a consumer's genotype data and the associated health risks.

The FTC complaint against 1Health.io marks the first case focused on the privacy and security of genetic information. It alleges several instances of misconduct by the company. The FTC claims that 1Health.io/Vitagene deceived consumers about its privacy and security practices by claiming to offer "rock-solid security" and a "responsible, transparent and secure environment" for personal data storage. Despite these claims, the FTC asserts that 1Health.io/Vitagene failed to deliver on its promises.

According to the FTC, the company's initial policy was to share consumers' sensitive health and personal information only under limited circumstances, such as with a customer's doctor or the lab conducting the genetic testing. However, in 2020, the company reportedly altered its privacy policy, expanding the scope of third parties with whom it might share consumer data—without prior notification or consent from existing consumers. These “new” third parties potentially included entities like supermarket chains and supplement manufacturers.

Further, the FTC charged 1Health.io/Vitagene with serious security failures that put consumers' sensitive data at risk. Despite claims of industry-standard security practices, the company allegedly stored nearly 2,400 health reports and raw genetic data of at least 227 consumers in publicly accessible "buckets" on Amazon Web Services' cloud storage. This data, sometimes accompanied by a first name, was neither encrypted nor monitored, and no inventory of it was maintained to ensure its security.

You can read the Complaint here:

https://www.ftc.gov/system/files/ftc_gov/pdf/complaint.pdf

The Proposed Consent Decree: The proposed order contains a $75,000 fine and mandates a number of prescriptive remediations that 1Health.io must take to address the deficiencies identified in the Complaint. The proposed order will be subject to public comment for 30 days following its publication in the Federal Register, after which the Commission will decide whether to make it final. Each violation of such an order may result in a civil penalty.

The proposed order also requires 1Health.io to:

• Accurately represent its privacy and security practices;

• Obtain affirmative express consent for disclosure of health information to third parties;

• Destroy saliva samples by instructing the labs under contract to collect those samples to retain them no longer than 180 days after the company has accepted the results of the labs’ analysis, and then certify to the FTC, under penalty of perjury, that the company has given such instructions to its labs;

• Maintain a comprehensive information security program that includes, among other things:

    ◦ end-to-end encryption (or “equivalent protection”) of health information that is reasonably linkable to an individual consumer, computer, or device;

    ◦ due diligence on, and contracts with, service providers that implement and maintain safeguards sufficient to address the risks to the security, confidentiality or integrity of personal information;

• Undergo regular third-party assessments; and

• Provide covered incident reports directly to the FTC.

You can read the proposed order here:

https://www.ftc.gov/system/files/ftc_gov/pdf/decision_and_order.pdf

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
