The Federal Trade Commission is sending nearly $50,000 in refunds to 2,432 customers of California-based genetic testing company 1Health.io. The company left customer data in a publicly accessible cloud storage bucket and did not ensure that the third-party contractor it used destroyed genetic samples after analyzing them.
1Health.io is the company formerly known as Vitagene; it took the new name in 2020. Its pitch is that customers can better understand what their DNA says about possible health conditions.
In 2023 the FTC filed a complaint against the company alleging a series of privacy and security failures. The case was hard to defend: Vitagene's website claimed it offered "rock-solid security" and promised to handle customers' data and DNA responsibly, pledging to share customers' health data only in limited circumstances, never to store genetic samples with identifying information, and to destroy DNA samples after analysis.
According to the FTC, Vitagene did not live up to this. A third-party laboratory analyzed the DNA samples, but 1Health.io had no contractual requirement or other control in place to ensure that the lab actually destroyed them.
The FTC also alleged that in 2020 the company changed its privacy policy to retroactively expand the types of third parties with which it might share consumer data, such as supermarket chains and nutrition and supplement manufacturers, without notifying consumers whose personal data had already been collected or obtaining their consent to share such sensitive information.
To make matters worse, the personal data of more than 2,000 customers sat in publicly accessible Amazon Web Services S3 buckets. The data included health reports, raw genetic data and, in some cases, the customer's name. "Vitagene did not encrypt this data, restrict access to it, log or monitor access to it, or inventory it to help ensure its security," the FTC said.
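The four failures the FTC lists (no encryption, no access restriction, no logging or monitoring, no inventory) each map to a concrete S3 bucket setting that can be checked mechanically. The script below is an added example written for this article, not code from 1Health.io, the FTC or AWS: it audits configuration snapshots shaped like the responses of the S3 GetPublicAccessBlock, GetBucketPolicy, GetBucketEncryption, GetBucketLogging and GetBucketTagging calls and reports which control is missing. Both snapshots are constructed; the bucket names, account ID, IAM role, KMS key ARN and the `DataClassification` tag convention used as the "inventory" signal are hypothetical assumptions.

```python
"""Audit an S3 bucket configuration for the four controls the FTC found missing:
default encryption, access restriction, access logging and a data inventory."""
import json

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed snapshots shaped like the S3 API responses GetPublicAccessBlock,
# GetBucketPolicy, GetBucketEncryption, GetBucketLogging and GetBucketTagging.
# Bucket names, account ID, role and KMS key ARN are hypothetical.
LEAKY_BUCKET = {
    "name": "genetic-reports-legacy",
    "public_access_block": None,            # Block Public Access never configured
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::genetic-reports-legacy/*"}]}),
    "encryption": None,                     # no default encryption rule
    "logging": {},                          # GetBucketLogging without LoggingEnabled
    "tags": {},                             # bucket not in any data inventory
}

HARDENED_BUCKET = {
    "name": "genetic-reports-hardened",
    "public_access_block": dict.fromkeys(BPA_FLAGS, True),
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "ReportServiceOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/report-service"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::genetic-reports-hardened/*"},
        # Principal "*" on a Deny is not a public grant; the audit must not flag it.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::genetic-reports-hardened",
                      "arn:aws:s3:::genetic-reports-hardened/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555"}}]},
    "logging": {"LoggingEnabled": {"TargetBucket": "org-s3-access-logs",
                                   "TargetPrefix": "genetic-reports/"}},
    "tags": {"DataClassification": "restricted-health",
             "DataOwner": "privacy@example.com"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_allow_statements(policy_json):
    """Return Allow statements that grant access to anyone ('*' or {"AWS": "*"})
    and carry no Condition. A Condition can scope the grant (for example to a
    VPC endpoint), so conditioned statements are left for manual review."""
    if not policy_json:
        return []
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            hits.append(stmt)
    return hits


def audit_bucket(snapshot):
    """Return a sorted list of finding identifiers, one per missing control."""
    findings = set()

    # 1. Access restriction: all four Block Public Access flags must be on. A
    #    wildcard Allow in the policy only reaches anonymous callers when
    #    RestrictPublicBuckets is off, so that finding is suppressed otherwise.
    bpa = snapshot.get("public_access_block") or {}
    if not all(bpa.get(flag) is True for flag in BPA_FLAGS):
        findings.add("public-access-block-incomplete")
    if (wildcard_allow_statements(snapshot.get("policy"))
            and bpa.get("RestrictPublicBuckets") is not True):
        findings.add("policy-grants-anonymous-access")

    # 2. Encryption at rest: a default rule with SSE-S3 or SSE-KMS. (AWS applies
    #    SSE-S3 to new buckets by default today; older buckets may still lack it.)
    rules = (snapshot.get("encryption") or {}).get("Rules", [])
    algorithms = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules}
    if not algorithms & {"AES256", "aws:kms", "aws:kms:dsse"}:
        findings.add("no-default-encryption")

    # 3. Logging and monitoring: server access logging delivered to another bucket.
    target = (snapshot.get("logging") or {}).get("LoggingEnabled", {}).get("TargetBucket")
    if not target:
        findings.add("no-access-logging")

    # 4. Inventory: assumed convention that every bucket holding personal data
    #    carries a DataClassification tag feeding the data inventory.
    if "DataClassification" not in (snapshot.get("tags") or {}):
        findings.add("not-in-data-inventory")

    return sorted(findings)


if __name__ == "__main__":
    for snap in (LEAKY_BUCKET, HARDENED_BUCKET):
        print(snap["name"], audit_bucket(snap) or "clean")
```

Run against real buckets, the snapshots would come from `aws s3api` calls or an AWS Config aggregator; the point of the offline version is the decision logic, in particular that a `Deny` statement with `Principal: "*"` is not a public grant, and that a public-looking policy is neutralised once `RestrictPublicBuckets` is on.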
The refunds are drawn from the $75,000 the company paid under its 2023 settlement with the FTC, which also placed its business under the agency's oversight. Under the order, the company may not share health data with third parties without customers' affirmative express consent, must ensure that its third-party contractors comply with their contractual obligations, and must notify the FTC if a data breach occurs.
Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in 2023: "Companies that try to change the rules of the game by rewriting privacy policies should pay attention." The FTC's order bars the company from unilaterally applying material changes to its privacy policy to data collected before the change.