The Federal Trade Commission charged that the genetic testing firm 1Health.io left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.
As part of a proposed settlement with the FTC, 1Health will be required to strengthen protections for genetic information and instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days.
“Companies that try to change the rules of the game by re-writing their privacy policy are on notice,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”
California-based 1Health.io Inc., also known as Vitagene, Inc. before changing its name in October 2020, has sold DNA health test kits and used DNA test results, along with information consumers supplied, to provide the consumers with reports about their health, wellness, and ancestry as part of product packages that cost between $29 and $259. The health reports include personal information about a consumer’s health and genetics, such as their level of risk for developing health problems based on their genotype data.
In its first case focused on both the privacy and security of genetic information, the FTC said in a complaint that Vitagene deceived consumers about its privacy and security practices. On its website, the company prominently touted its privacy and security, claiming to offer “Rock-solid security” and promised users that it “collects, processes, and stores your personal information in a responsible, transparent and secure environment.” From 2017-2020, the company also said it would only share consumers’ sensitive health and other personal information in limited circumstances such as providing information to a customer’s doctor or with the lab doing genetic testing.
Vitagene also claimed on its website that it did not store DNA results with a consumer’s name or other identifying information; that consumers could delete their personal information at any time and that such data would be removed from all of the company’s servers; and that it would destroy DNA saliva samples shortly after they have been analyzed.
But the FTC said Vitagene failed to keep these promises. Beginning in 2016, the company did not implement a policy to ensure that the lab that analyzed the DNA samples had a policy in place to destroy them. And in 2020, the company changed its privacy policy by retroactively expanding the types of third parties that it may share consumers’ data with to include, for example, supermarket chains and nutrition and supplement manufacturers—without notifying consumers who had previously shared personal data with the company or obtaining their consent to share such sensitive information, according to the complaint.
In addition, Vitagene’s security failures put consumers’ sensitive data at risk, the FTC said. Vitagene stored nearly 2,400 health reports about consumers and the raw genetic data of at least 227 consumers, sometimes accompanied by a first name, in publicly accessible “buckets” on Amazon Web Services’ (AWS) cloud storage service—despite promising users its security practices would exceed industry-standard security practices. Vitagene did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it to help ensure its security, according to the complaint.
Over a two-year period, Vitagene was warned at least three times that the company was storing unencrypted health, genetic, and other personal information in publicly accessible data buckets, according to the complaint. After a security researcher contacted the company in June 2019, the company finally investigated the issue and notified its customers whose data it had exposed publicly.
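The complaint names four missing controls on the exposed storage: access restriction, encryption, access logging/monitoring, and inventory. The following is an added defender-side example (not code from the FTC or from 1Health) that audits an S3 bucket's configuration for those four controls; the bucket names, the `DataClassification` tag key used to represent inventory, and the constructed response dicts are assumptions, shaped like the boto3 responses named in the comments so the check runs offline.

```python
"""Audit an S3 bucket for the four controls the FTC complaint says were absent.
The input dicts mirror the shape of boto3 responses but are constructed here."""

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name, pab, policy_status, encryption, logging, tags):
    """Return a list of findings; an empty list means all four controls are present.
    pab:           get_public_access_block()["PublicAccessBlockConfiguration"], or None
    policy_status: get_bucket_policy_status()["PolicyStatus"], or None if no policy
    encryption:    get_bucket_encryption() response, or None (the call raises when unset)
    logging:       get_bucket_logging() response ("LoggingEnabled" key only when on)
    tags:          {Key: Value} mapping built from get_bucket_tagging(), or {}
    """
    findings = []
    # 1. Access restriction: every public-access-block flag must be on, and no public policy.
    if pab is None or not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access is not fully blocked")
    if policy_status and policy_status.get("IsPublic"):
        findings.append("bucket policy grants public access")
    # 2. Encryption at rest: at least one default server-side encryption rule.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("no default encryption at rest")
    # 3. Logging/monitoring: server access logging must target a log bucket.
    if "LoggingEnabled" not in (logging or {}):
        findings.append("server access logging disabled")
    # 4. Inventory: assumed convention that every bucket carries a classification tag.
    if "DataClassification" not in tags:
        findings.append("bucket not inventoried (missing DataClassification tag)")
    return [f"{name}: {f}" for f in findings]


# Constructed samples: one bucket configured the way the complaint describes,
# one with every control in place.
EXPOSED = dict(name="health-reports-example", pab=None,
               policy_status={"IsPublic": True}, encryption=None, logging={}, tags={})
HARDENED = dict(name="health-reports-hardened-example",
                pab={k: True for k in PAB_KEYS},
                policy_status={"IsPublic": False},
                encryption={"ServerSideEncryptionConfiguration": {"Rules": [
                    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
                logging={"LoggingEnabled": {"TargetBucket": "audit-logs-example",
                                            "TargetPrefix": "s3/"}},
                tags={"DataClassification": "genetic-phi"})

if __name__ == "__main__":
    for cfg in (EXPOSED, HARDENED):
        print("\n".join(audit_bucket(**cfg)) or f"{cfg['name']}: all controls present")
```

With real credentials the same function can be fed from the boto3 calls named in its docstring, one bucket at a time, to produce the inventory the complaint says was missing.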
As part of the proposed order, 1Health.io, as Vitagene is now known, must pay $75,000, which the FTC intends to use for consumer refunds. In addition to the DNA deletion requirement, under the proposed order the company:
- Will be prohibited from sharing health data with third parties—including information provided by consumers before and after its 2020 privacy policy change—without obtaining consumers’ affirmative express consent;
- Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order;
- Must notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data; and
- Must implement a comprehensive information security program addressing the security failures outlined in the complaint.
The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement with the company.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120.
This action follows a biometric policy statement the Commission issued last month that warned against the misuse of biometric information that could harm consumers.
The lead FTC attorneys on this matter are James Trilling and Elisa Jillson from the FTC’s Bureau of Consumer Protection.
Source: Federal Trade Commission