Privacy and security of genetic information: Putting DNA companies to the test

By Lesley Fair, Federal Trade Commission – reprint

Some secrets are so secret that no one knows about them. Until recently that described the secrets locked within our DNA. But a key to consumer confidence in the burgeoning genetic testing marketplace is the extent to which people can depend on a company’s promise that “Your secret’s safe with us.”

In its first case focused on the privacy and security of genetic information, the FTC alleges that San Francisco-based Vitagene, Inc. – now known as 1Health.io – failed to live up to its promises and unfairly changed material privacy terms without customers’ consent. The proposed settlement and other recent actions send a loud-and-clear message that the FTC is fully committed to the protection of consumers’ health information.

After consumers paid between $29 and $259, sent a saliva sample to Vitagene, and answered an online questionnaire about their health history, family history, and lifestyle, the company provided them with a personalized Health Report. The Report included the customer’s full name and an assessment of their risks for developing a host of health problems.

DNA Testing Company Security Claims

DNA Testing Company Security Claims

Using images of locks, keys, and secure clouds, the company’s website was replete with claims about the care with which it promised to handle consumers’ genetic information. Here are just a few of the company’s pledges.

  • “We use industry-standard security practices to store your DNA sample, your test results, and any other personal data you provide.”
  • Rocksolid Security. We use the latest technology and exceed industry-standard security practices to protect your privacy.”
  • “Vitagene collects, processes, and stores your personal information in a responsible, transparent and secure environment that fosters our customers’ trust and confidence.”
  • You’re in control of your data.  You can delete your data at any time. This will remove your information from all of our servers.”
  • “Three of the ways we protect your privacy:  1. Your results and DNA sample are stored without your name or any other common identifying information. 2. Vitagene destroys your physical DNA saliva sample after it has been analyzed. 3. We don’t share your information with any third party without your explicit consent.”

Nice privacy and security talk, but according to the FTC, Vitagene was more talk than action. You’ll want to read the complaint for details, but part of the story started in the cloud. As a component of its IT infrastructure, Vitagene used a well-known cloud service provider for storing confidential information, including consumers’ Health Reports and DNA data. Vitagene allegedly didn’t use built-in measures to secure the information and instead stored it in “buckets” that made it possible for anyone with internet access to see the detailed Reports of nearly 2,400 Vitagene customers. Also accessible: raw genetic data of at least 227 other customers, sometimes identified by first name. While Vitagene promised to “exceed industry-standard security practices,” the FTC says the company didn’t encrypt that data, didn’t restrict access to it, didn’t monitor access, and didn’t inventory it to help ensure its security. The complaint also charges that Vitagene didn’t take steps to ensure that a lab that analyzed many of the DNA samples had a policy in place to destroy them.

What’s more, the complaint alleges that over a two-year period, Vitagene received three separate warnings that it was storing customers’ health and genetic information in a way that made it publicly accessible. Warning #1: a July 2017 message from the cloud service provider that Vitagene had configured its data “to allow read access from anyone on the Internet.” The email included links to an account console and information about how to restrict access. The response from Vitagene: Crickets.

Warning #2 came from a security company that conducted a web app penetration test in November 2018 and “found that uploaded DNA data was being stored . . . without any access controls.” The complaint alleges that Vitagene again failed to rectify the situation.

Warning #3 was a June 2019 email from a security researcher sent to Vitagene’s support inbox. After the researcher contacted the media, the FTC says the company finally investigated its public exposure of customers’ health information. However, because Vitagene hadn’t monitored who had accessed or downloaded the data, it couldn’t determine who else might have seen the information.

Vitagene’s alleged missteps didn’t end there. In 2020, the company changed its privacy policy by retroactively expanding the types of third parties with which it may share consumers’ data to include grocery chains, dietary supplement manufacturers, and the like. And it did that without notifying customers who provided their data under the former, more restrictive privacy policy and getting their consent.

The complaint charges that the company’s promises that it exceeded industry security standards, stored DNA results without identifying information, deleted data at consumers’ request, and saw to it that physical DNA samples were destroyed were false or misleading. What’s more, the FTC alleges that the company’s after-the-fact privacy policy changes about sharing sensitive personal information with third parties was an unfair practice, in violation of the FTC Act. While Vitagene’s original privacy policy stated that a customer’s access or use of the company’s services after the company posted a revised privacy policy meant that the consumer had accepted the revised terms, that language didn’t excuse Vitagene from its obligation to give notice and get consumers’ consent before making material retroactive changes to its privacy practices. Furthermore, the complaint alleges that Vitagene’s conduct was unfair even though the company has not yet implemented the broader information-sharing practices set forth in its revised privacy policies.

To settle the case, 1health.io has agreed to implement a comprehensive information security program, including every-other-year third-party assessments. In addition, a senior executive must certify annually that the company is complying with the terms of the settlement. The proposed settlement also includes a $75,000 financial remedy. Once the settlement appears in the Federal Register, you’ll have 30 days to file a public comment.

What can other companies take from the FTC’s action?

Sensitive health information – including genetic data – requires intensive care.  If your company collects or maintains consumer health information, you’ve raised the bar on the privacy and security standards you must implement. Take particular care to substantiate the promises you make about your data practices. (By the way, if you haven’t read the FTC’s May 2023 Policy Statement on Biometric Information, set aside time now.)

Just because data is in your possession doesn’t mean it’s yours.  Collecting consumers’ data doesn’t mean you’re free to do with it as you please. Consumers have a right to know in advance how you intend to use their information and you have the legal obligation to live up to your representations. That means if you want to change your practices down the road, a bait-and-switch modification to your privacy policy won’t suffice. You’ll need consumers’ affirmative express consent for any new uses of their data.

When it comes to security, keeping your data in the cloud doesn’t mean you can keep your head in the clouds.  The FTC has long said that storing data in the cloud doesn’t give a company a free pass on security. It’s still your responsibility to take reasonable steps to secure your data – for example, by properly configuring cloud security settings and by inventorying and auditing your cloud storage. As the FTC’s Request for Information about cloud computing makes clear, sellers of cloud technology and the companies that use their services share the responsibility to secure consumers’ personal information.

Respond to credible warnings about potential security lapses. The complaint against Vitagene alleges multiple instances in which the company failed to heed alarms others – including the provider of its cloud storage – had sounded about the security of its cloud-based information. Do you have systems in place to make sure those alerts get to the right people and get the immediate attention they deserve?

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

Opinions

The opinions of the author are not necessarily those of the Society of Citizens Against Relationship Scams Inc. The author is solely responsible for the content of their work. SCARS is protected under the Communications Decency Act (CDA) section 230 from liability.

Disclaimer:

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX-RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use

Legal Notices: 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

SCARS, SCARS|INTERNATIONAL, SCARS, SCARS|SUPPORT, SCARS, RSN, Romance Scams Now, SCARS|INTERNATION, SCARS|WORLDWIDE, SCARS|GLOBAL, SCARS, Society of Citizens Against Relationship Scams, Society of Citizens Against Romance Scams, SCARS|ANYSCAM, Project Anyscam, Anyscam, SCARS|GOFCH, GOFCH, SCARS|CHINA, SCARS|CDN, SCARS|UK, SCARS|LATINOAMERICA, SCARS|MEMBER, SCARS|VOLUNTEER, SCARS Cybercriminal Data Network, Cobalt Alert, Scam Victims Support Group, SCARS ANGELS, SCARS RANGERS, SCARS MARSHALLS, SCARS PARTNERS, are all trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the legal department for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org