Agency Alleges 1Health Deceived Consumers About How It Handled Sensitive Data
A consumer genetic testing company must ensure the destruction of customer saliva samples and undergo third-party evaluation of its information security program for the next two decades under a proposed consent order with the U.S. Federal Trade Commission.
California firm 1Health.io, previously known as Vitagene, also committed to paying $75,000 in an enforcement action that marks the FTC’s first case focused on the privacy and security of genetic information.
The San Francisco company offers personalized diet and exercise plans based on customers' genetic test results. In a statement shared with Information Security Media Group, a company spokesperson complained about the agency's investigation.
“The FTC with its many staff members has spent over five years investigating,” the spokesperson said. “After five years of investigation they are charging a startup company with less than 20 employees $75,000.”
In a separate statement, company CEO Mehdi Maghsoodnia accused the FTC of “government overreach” and said, “We disagree with many of the FTC’s conclusions.”
In 2019, a security researcher discovered unsecured DNA data for approximately 2,000 customers that Vitagene had stored in an Amazon S3 bucket, and notified the media weeks after contacting the company. 1Health told ISMG it had kept 3,754 files in the publicly exposed bucket.
The researcher’s notification was the third warning Vitagene received over the course of two years, the FTC said in an administrative complaint.
In 2017, Amazon Web Services sent Vitagene an email listing its buckets that were open to the internet, and in 2018, a security testing firm that Vitagene had hired to conduct a penetration test of its web application also warned the company about the exposure.
Vitagene’s website claimed that it did not store DNA results with a consumer’s name or other identifying information, that individuals could delete their personal data at any time and the information would be removed from the company’s servers, and that it would destroy DNA saliva samples soon after they were analyzed, the FTC said.
The company failed to take those actions, deceiving consumers, the FTC charged.
The order also requires 1Health to implement a comprehensive information security program and to notify the FTC about incidents involving unauthorized disclosure of consumers' personal health data.
All three sitting FTC commissioners voted to accept the consent agreement. It remains subject to a 30-day public comment period, after which the commissioners must vote again, a step that is typically only a formality.