The U.S. Federal Trade Commission posted a press release titled: “FTC Says Genetic Testing Company 1Health Failed to Protect Privacy and Security of DNA Data and Unfairly Changed Its Privacy Policy”. From the press release:
The Federal Trade Commission charged that the genetic testing firm 1Health.io left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without already notifying and obtaining consent from consumers whose data the company had already collected.
As part of a proposed settlement with the FTC, 1Health will be required to strengthen protections for genetic information and instruct third-party contract laboratories to destroy all consumer DNA samples that have been retained for more than 180 days.
“Companies that try to change the rules by re-writing their privacy policy are on notice,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”
California-based 1Health.io, Inc., also known as Vitagene, Inc. before changing its name in October 2020, has sold DNA health test kits and used DNA test results, along with information consumers supplied, to provide consumers with reports about their health, wellness, and ancestry as part of product packages that cost between $29 and $259. The health reports include personal information about a consumer’s health and genetics, such as their risk for developing health problems based on their genotype data…
…As part of the proposed order, 1Health.io, which Vitagene is now known as, must pay $75,000, which the FTC intends to use for consumer refunds. In addition to the DNA deletion requirement, under the proposed order the company:
- Will be prohibited from sharing health data with third parties – including information provided by consumers before and after its 2020 privacy policy change – without obtaining consumers’ affirmative express consent;
- Must ensure any company that purchases all or parts of 1Health’s business agrees by contract to adhere to provisions of the order;
- Must notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data; and
- Must implement a comprehensive information security program addressing the security failures outlined in the complaint.
The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement with the company…
The Federal Trade Commission wrote: …Vitagene, a San Francisco-based DNA testing company, promised consumers that it exceeded industry-standard security practices for maintaining the privacy of people’s sensitive health and genetic information. But the FTC says the company didn’t keep that promise. In fact, the FTC says Vitagene used a well-known cloud service provider to store people’s confidential information but didn’t use built-in cloud security measures…
In my opinion, it sounds like Vitagene / 1Health.io lied to its customers about how secure their DNA information was. It seems fair that the FTC decided to crack down on the company and make it pay a lot of money for its terrible choices.