DNA Diagnostics Center Reaches $400K Settlement After Healthcare Data Breach

February 22, 2023 - DNA Diagnostics Center has reached a $400,000 settlement to resolve several violations over a 2021 healthcare data breach.

DNA Diagnostics Center is a major private DNA-testing organization providing diagnostic and genetic testing to address questions about health, fertility, and relationships. Starting on May 28, 2021, the DNA testing organization allegedly received several notifications of suspicious activity in its network over two months.

However, DNA Diagnostics Center only took action in August 2021 when indications of Cobalt Strike malware were identified by its data security provider. Cobalt Strike allows bad actors to deploy spear phishing campaigns, which involve the use of phony emails as a means to deliver malware.

After conducting a third-party investigation, it was discovered that the threat actor gained access to 28 databases and could potentially extract the data from the network due to multiple security lapses.

The data breach involved social security numbers of 12,663 Pennsylvania residents and 33,282 Ohioans who were subject to genetic testing between 2004 and 2012.

A subsequent investigation by the Attorney General offices in Pennsylvania and Ohio claimed that DNA Diagnostics Center violated Pennsylvania's Unfair Trade Practices and Consumer Protection Law by not implementing adequate security measures to safeguard consumers' sensitive information.

The investigation also alleged that Diagnostics Center’s insufficient cybersecurity practice ultimately led to the authorized access and theft of patient information.

“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Michaelle A Henry, Acting Attorney General of Pennsylvania, said in a press release. “That’s why my Office took action with the assistance of Attorney General Yost in Ohio. I am proud of the work our agents and attorneys do every day to protect Pennsylvanians’ most sensitive information.”

As part of the settlement agreement, the DNA testing company must enhance its network, improve its data security practices, and regularly conduct computer system assessments.

Specifically, DNA Diagnostics Center is required to:

1. Appoint a staff member to oversee and manage its information security program.
2. Perform security risk assessments of its networks that store personal information annually;
3. Keep an up-to-date inventory of all assets on the network and disable or remove any unnecessary assets for legitimate business purposes.
4. Develop and deploy reasonable security measures to secure and store personal information, which may comprise timely software updates and the implementation of rational access controls such as multi-factor authentication.

DNA Diagnostics Center denied any wrongdoing but agreed to pay $400,000 to resolve the allegations. Both the Attorney’s General Offices in Pennsylvania and Ohio will receive $200,000 as a part of the settlement. Following the full payment, the attorneys general will discharge DNA Diagnostics Center from all civil claims related to the breach