The Federal Trade Commission (FTC) has accused 1health.io, a genetic health testing company, of violating the privacy of sensitive genetic and health data. This case is part of a series of FTC actions targeting health data privacy, marking the first instance involving genetic information.
The FTC’s Bureau of Consumer Protection director, Samuel Levine, emphasized that companies cannot unilaterally modify privacy policies for previously collected data. The DNA test kits provided by Vitagene/1health.io offer reports containing personal details like ancestry and health risks. The company’s services cater to corporate and government clients.
The FTC complaint reveals that Vitagene stored around 2,400 records from at least 227 consumers in publicly accessible data repositories on Amazon Web Services. This exposure included sensitive consumer and raw genetic data, some of which was linked to consumers’ identities. Although Vitagene claimed not to store DNA results with identifying information, the FTC alleges that the company was warned multiple times about the publicly accessible, unencrypted health and user data.
The company only addressed the issue and informed customers in 2019 after a security researcher shared their findings with the media. Furthermore, the FTC accuses 1health.io of deceiving customers by failing to fulfill its promise of allowing them to delete their data at any time. Additionally, the company started sharing customer information with third parties without notifying customers of this change.
The proposed settlement agreement imposes several requirements on 1health.io. It must obtain affirmative customer consent before sharing health data with third parties, implement a new security program to address the concerns raised in the complaint, and promptly notify the FTC of any incidents involving unauthorized disclosure of consumer health data. The company must also dispose of all DNA samples retained for more than 180 days.
Before the settlement is finalized, the proposed agreement will be open to public comment for 30 days. Mehdi Maghsoodnia, CEO of 1health.io, criticized the FTC investigation as an instance of excessive government overreach. Maghsoodnia stated that the company discovered the inadvertent storage of a small number of customer files in a publicly accessible location in July 2019 but had no evidence of improper access. He expressed disagreement with many of the FTC’s conclusions and hoped to put the matter behind them.