
FTC Refunds Customers of Genetic Testing Company After a Security Breach Disaster

1Health.io left its customers' genetic information unsecured in unencrypted and publicly accessible AWS servers.

The Federal Trade Commission fined the California-based genetic testing company 1Health.io and used the proceeds to pay out almost $50,000 in refunds to 2,432 customers. The company left customer data in an unsecured public cloud and wasn’t diligent about its third-party contractors destroying genetic material after they were done with it.

1Health.io is the company formerly known as Vitagene; it changed its name in 2020. Vitagene sold DNA test kits and health reports. The pitch was that a customer could get a better idea of what their DNA said about possible health conditions.

In 2023 the FTC released a complaint against the company alleging a slew of privacy violations. It was a slam dunk case. Vitagene’s website claimed it offered “rock-solid security” and promised to handle a customer’s data and DNA in a responsible manner. It promised to only share customers’ health data in limited circumstances, never store their genetic samples alongside identifying information, and to destroy DNA samples after they were analyzed.

Vitagene didn’t do any of that, according to the FTC. A third-party company dealt with analyzing the DNA samples and 1Health.io had no provisions in place to make sure that company destroyed the samples.

“And in 2020, the company changed its privacy policy by retroactively expanding the types of third parties that it may share consumers’ data with to include, for example, supermarket chains and nutrition and supplement manufacturers—without notifying consumers who had previously shared personal data with the company or obtaining their consent to share such sensitive information, according to the complaint,” the FTC said in 2023.

Worse still, more than 2,000 customers’ personal data was stored in easily accessible AWS buckets. The data included health reports and raw genetic data, and was sometimes accompanied by the customers’ names. “Vitagene did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it to help ensure its security, according to the complaint,” the FTC said.

Vitagene paid a $75,000 fine, which the FTC used to issue the refunds, and has to allow the FTC closer oversight of its business. It’s not allowed to share health data with third parties without the explicit approval of a customer, it must ensure those third parties adhere to a contract, and it must tell the FTC if it ever suffers a data breach.

“Companies that try to change the rules of the game by rewriting their privacy policy are on notice,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in 2023. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

Update 9/13/24: The original version of this story incorrectly stated that Vitagene was both fined and issued refunds. In reality, the FTC used the fine to refund customers. The story and headline have been updated to reflect that.
