Some secrets are so secret that no one knows about them. Until recently that described the secrets locked within our DNA. But a key to consumer confidence in the burgeoning genetic testing marketplace is the extent to which people can depend on a company’s promise that “Your secret’s safe with us.” In its first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent. The proposed settlement and other recent actions send a loud-and-clear message that the FTC is fully committed to the protection of consumers’ health information.
After consumers paid between $29 and $259, sent a saliva sample to Vitagene, and answered an online questionnaire about their health history, family history, and lifestyle, the company provided them with a personalized Health Report. The Report included the customer’s full name and an assessment of their risks for developing a host of health problems.
Using images of locks, keys, and secure clouds, the company’s website was replete with claims about the care with which it promised to handle consumers’ genetic information. Here are just a few of the company’s pledges.
- “We use industry standard security practices to store your DNA sample, your test results, and any other personal data you provide.”
- “Rock-solid Security. We use the latest technology and exceed industry-standard security practices to protect your privacy.”
- “Vitagene collects, processes, and stores your personal information in a responsible, transparent and secure environment that fosters our customers’ trust and confidence.”
- “You’re in control of your data. You can delete your data at any time. This will remove your information from all of our servers.”
- “Three of the ways we protect your privacy: 1. Your results and DNA sample are stored without your name or any other common identifying information. 2. Vitagene destroys your physical DNA saliva sample after it has been analyzed. 3. We don't share your information with any third party without your explicit consent.”
Nice privacy and security talk, but according to the FTC, Vitagene was more talk than action. You’ll want to read the complaint for details, but part of the story started in the cloud. As a component of its IT infrastructure, Vitagene used a well-known cloud service provider for storing confidential information, including consumers’ Health Reports and DNA data. Vitagene allegedly didn’t use built-in measures to secure the information and instead stored it in “buckets” that made it possible for anyone with internet access to see the detailed Reports of nearly 2,400 Vitagene customers. Also accessible: raw genetic data of at least 227 other customers, sometimes identified by first name. While Vitagene promised to “exceed industry-standard security practices,” the FTC says the company didn’t encrypt that data, didn’t restrict access to it, didn’t monitor access, and didn’t inventory it to help ensure its security. The complaint also charges that Vitagene didn’t take steps to ensure that a lab that analyzed many of the DNA samples had a policy in place to destroy them.
What’s more, the complaint alleges that over a two-year period, Vitagene received three separate warnings that it was storing customers’ health and genetic information in a way that made it publicly accessible. Warning #1: a July 2017 message from the cloud service provider that Vitagene had configured its data “to allow read access from anyone on the Internet.” The email included links to an account console and information about how to restrict access. The response from Vitagene: Crickets.
Warning #2 came from a security company that conducted a web app penetration test in November 2018 and “found that uploaded DNA data was being stored . . . without any access controls.” The complaint alleges that Vitagene again failed to rectify the situation.
Warning #3 was a June 2019 email from a security researcher sent to Vitagene’s support inbox. After the researcher contacted the media, the FTC says the company finally investigated its public exposure of customers’ health information. However, because Vitagene hadn’t monitored who had accessed or downloaded the data, it couldn’t determine who else might have seen the information.
To settle the case, 1health.io has agreed to implement a comprehensive information security program, including every-other-year third-party assessments. In addition, a senior executive must certify annually that the company is complying with the terms of the settlement. The proposed settlement also includes a $75,000 financial remedy. Once the settlement appears in the Federal Register, you’ll have 30 days to file a public comment.
What can other companies take from the FTC’s action?
Sensitive health information – including genetic data – requires intensive care. If your company collects or maintains consumer health information, you’ve raised the bar on the privacy and security standards you must implement. Take particular care to substantiate the promises you make about your data practices. (By the way, if you haven’t read the FTC’s May 2023 Policy Statement on Biometric Information, set aside time now.)
When it comes to security, keeping your data in the cloud doesn’t mean you can keep your head in the clouds. The FTC has long said that storing data in the cloud doesn’t give a company a free pass on security. It’s still your responsibility to take reasonable steps to secure your data – for example, by properly configuring cloud security settings and by inventorying and auditing your cloud storage. As the FTC’s Request for Information about cloud computing makes clear, sellers of cloud technology and the companies that use their services share the responsibility to secure consumers’ personal information.
Respond to credible warnings about potential security lapses. The complaint against Vitagene alleges multiple instances in which the company failed to heed alarms others – including the provider of its cloud storage – had sounded about the security of its cloud-based information. Do you have systems in place to make sure those alerts get to the right people and get the immediate attention they deserve?
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
- We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
- We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
- We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
- We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.