People who had their personal information collected by a national genetic testing organization between 2004 and 2012 may have never known that their information was acquired by DNA Diagnostics Center (DDC) in Ohio in 2012. They may find out now, though, as DDC fell prey to a cyberattack in May and data was exfiltrated over a period of months.
In a press release issued yesterday, DDC explains that on August 6, they detected unauthorized access to their network. The investigation determined that the unauthorized access and data exfiltration was confined to a database DDC had acquired in 2012 when it purchased a national genetic testing service, but it had never used the database in its operations. Some of those who had data in the database had relationship testing as a part of court proceedings or independent, individual testing. [Although DDC’s statements do not name the genetic testing service they acquired, from the timing, it may be Orchid Cellmark, a testing service that provided paternity testing for forensic and government purposes.]
The access and exfiltration occurred between May 24 and July 28 of this year.
The impacted database was associated with a national genetic testing organization that DDC has never used in its operations and has not been active since 2012. DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC. However, impacted individuals may have had their information, such as Social Security numbers or payment information, impacted as a result.
From their press release and statement, it appears that DDC is trying to negotiate payment to get the data recovered:
DDC has taken steps, in coordination with its third-party cybersecurity experts, to regain possession of this personal information and ensure its safekeeping and is not aware of any reports of identity fraud or improper use of the information.
Don’t they know that criminals lie and that paying to have data destroyed is often just money thrown out as a copy of the data will almost certainly be retained by threat actors and may be sold again, misused, or otherwise shared?
According to the report to Maine by the firm’s external counsel, McDonald Hopkins PLC, the breach impacted 2,102,436 individuals.
Update: This post was corrected post-publication to replace “ransomware attack” with “cyberattack” because DataBreaches.net learned that this was not a ransomware incident.