As part of a proposed settlement with the FTC, 1Health will be required to strengthen protections for genetic information and instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days.
California-based 1Health.io Inc., also known as Vitagene, Inc. before changing its name in October 2020, has sold DNA health test kits and used DNA test results, along with information consumers supplied, to provide the consumers with reports about their health, wellness, and ancestry as part of product packages that cost between $29 and $259. The health reports include personal information about a consumer’s health and genetics, such as their level of risk for developing health problems based on their genotype data.
In its first case focused on both the privacy and security of genetic information, the FTC said in a complaint that Vitagene deceived consumers about its privacy and security practices. On its website, the company prominently touted its privacy and security, claiming to offer “Rock-solid security” and promised users that it “collects, processes, and stores your personal information in a responsible, transparent and secure environment.” From 2017-2020, the company also said it would only share consumers’ sensitive health and other personal information in limited circumstances such as providing information to a customer’s doctor or with the lab doing genetic testing.
Vitagene also claimed on its website that it did not store DNA results with a consumer’s name or other identifying information; that consumers could delete their personal information at any time and that such data would be removed from all of the company’s servers; and that it would destroy DNA saliva samples shortly after they have been analyzed.
In addition, Vitagene’s security failures put consumers’ sensitive data at risk, the FTC said. Vitagene stored nearly 2,400 health reports about consumers and the raw genetic data of at least 227 consumers, sometimes accompanied by a first name, in publicly accessible “buckets” on Amazon Web Services’ (AWS) cloud storage service, despite promising users its security practices would exceed industry-standard security practices. According to the complaint, Vitagene did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it to help ensure its security.
Over a two-year period, Vitagene was warned at least three times that the company was storing unencrypted health, genetic, and other personal information in publicly accessible data buckets, according to the complaint. After a security researcher contacted the company in June 2019, the company finally investigated the issue and notified its customers whose data it had exposed publicly.
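The failures the complaint lists in the preceding paragraphs map onto a small set of S3 bucket settings that can be checked mechanically: Block Public Access, the bucket ACL, the bucket policy, default server-side encryption, and server access logging. The script below is an added example written for this article; it is not code from the FTC, 1Health or AWS. It evaluates the JSON-shaped documents that the S3 API calls GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy, GetBucketEncryption and GetBucketLogging return, so it runs offline on the constructed sample documents embedded here; the function names, the two sample buckets and their settings are all assumptions for illustration.

```python
"""Audit S3 bucket configuration for the failure modes the FTC complaint names.

Added example, not the FTC's or 1Health's code. Input documents follow the
shape of the S3 GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy (its
"Policy" string), GetBucketEncryption and GetBucketLogging responses; a
missing configuration is passed as None. All sample data below is constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_blocked(pab):
    """True only when all four Block Public Access settings are enabled."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in PAB_KEYS)


def acl_is_public(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            return True
    return False


def policy_is_public(policy_str):
    """True if an Allow statement names a wildcard principal with no Condition."""
    if not policy_str:
        return False
    statements = json.loads(policy_str).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") in ("*", ["*"])):
            return True
    return False


def default_encryption_enabled(enc):
    """True if a default server-side encryption rule is configured."""
    rules = (enc or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def access_logging_enabled(logging_cfg):
    """GetBucketLogging only carries a LoggingEnabled key when logging is on."""
    return "LoggingEnabled" in (logging_cfg or {})


def audit_bucket(name, pab, acl, policy_str, enc, logging_cfg):
    """Return the findings for one bucket; 'publicly_accessible' is the headline."""
    findings = []
    blocked = public_access_blocked(pab)
    exposed = False
    if not blocked:
        findings.append("Block Public Access not fully enabled")
        if acl_is_public(acl):
            findings.append("ACL grants access to an anonymous or all-authenticated group")
            exposed = True
        if policy_is_public(policy_str):
            findings.append("bucket policy allows a wildcard principal")
            exposed = True
    if not default_encryption_enabled(enc):
        findings.append("no default server-side encryption")
    if not access_logging_enabled(logging_cfg):
        findings.append("server access logging disabled")
    return {"bucket": name, "publicly_accessible": exposed, "findings": findings}


# Constructed sample: a bucket configured the way the complaint describes.
EXPOSED = audit_bucket(
    "example-reports-bucket",  # hypothetical name
    None,                                                    # no Block Public Access
    {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    None,                                                    # no bucket policy
    None,                                                    # no default encryption
    {},                                                      # logging disabled
)

# Constructed sample: the same bucket with the failures corrected.
HARDENED = audit_bucket(
    "example-reports-bucket",
    {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
    json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports-bucket/*"}]}),
    {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    {"LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "reports/"}},
)

if __name__ == "__main__":
    for result in (EXPOSED, HARDENED):
        print(json.dumps(result, indent=2))
```

To run this against a real account, feed `audit_bucket` the responses of the five `boto3` S3 client calls named in the docstring, passing `None` where a call raises because the configuration does not exist. The check deliberately treats a public ACL or policy as neutralized when all four Block Public Access settings are on, since those settings ignore public ACLs and block public policies; the encryption and logging checks are reported regardless, because the complaint names them as separate failures.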
As part of the proposed order, 1Health.io, the name under which Vitagene now operates, must pay $75,000, which the FTC intends to use for consumer refunds. In addition to the DNA deletion requirement, under the proposed order the company:
- Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order;
- Must notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data; and
- Must implement a comprehensive information security program addressing the security failures outlined in the complaint.
The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement with the company.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120.
This action follows a biometric policy statement the Commission issued last month that warned against the misuse of biometric information that could harm consumers.
The lead FTC attorneys on this matter are James Trilling and Elisa Jillson from the FTC’s Bureau of Consumer Protection.