FTC Proposes Settlement With Genetic Testing Company Over Unsecured Health Data

June 20, 2023 - The Federal Trade Commission (FTC) reached a proposed settlement with 1Health.io, a genetic testing company, over its alleged security and privacy failures. The order requires the company to pay $75,000 and prohibits it from sharing health data with third parties without consent.

California-based 1Health.io, previously known as Vitagene until 2020, sells DNA health test kits that it used to provide consumers with insights into their health, wellness, and ancestry. According to the FTC’s complaint, 1Health.io deceived consumers by changing its privacy policy retroactively without notifying consumers whose data had already been collected.

“Companies that try to change the rules of the game by re-writing their privacy policy are on notice,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

In addition, the FTC alleged that 1Heatlh.io left sensitive data unsecured and deceived consumers about their ability to delete data. This marks the first case that the FTC has settled that focuses on both the security and privacy of genetic information.

The company’s website offered consumers “rock-solid security” and promised transparency and responsibility. 1Health.io, known as Vitagene at the time, also claimed that it did not store DNA results with identifying information and that consumers could delete their information at any time.

“But the FTC said Vitagene failed to keep these promises. Beginning in 2016, the company did not implement a policy to ensure that the lab that analyzed the DNA samples had a policy in place to destroy them,” the FTC stated.

“And in 2020, the company changed its privacy policy by retroactively expanding the types of third parties that it may share consumers’ data with to include, for example, supermarket chains and nutrition and supplement manufacturers—without notifying consumers who had previously shared personal data with the company or obtaining their consent to share such sensitive information, according to the complaint.”

The FTC’s investigation further revealed that Vitagene had stored nearly 2,400 health reports and raw genetic data on publicly accessible AWS buckets. In 2019, researchers notified the company for the third time that it was storing unencrypted health information publicly, leading the company to finally investigate the issue and notify consumers of a breach.

In addition to the $75,000, which the FTC intends to use for consumer refunds, the company must obtain affirmative express consent before sharing health data with third parties and must notify the FTC about incidents of unauthorized disclosure of health data.

As previously reported, the FTC has been paying close attention to the ways in which non-HIPAA-covered entities use and disclose health data. Recent enforcement actions against telehealth services and other health tech companies show that the FTC will continue to use its authority to protect health data.