FTC accuses DNA testing company of lying about dumping samples

1Health must strengthen protections for genetic information as part of settlement


The Federal Trade Commission has alleged that genetic testing firm 1Health.io, also known as Vitagene, deceived people when it said it would dispose of their physical DNA sample as well as their collected health data.

To make matters worse, the FTC also alleged in a consent order made public last week that the company didn't secure the information properly, and further, that it changed its privacy policy retroactively without properly notifying or getting consent from people whose data the company had already collected – people who had signed a different, earlier version of the policy.

Under the proposed settlement, Vitagene/1Health.io will have to sharpen its data protection practices and put procedures in place to keep them sharp, as well as pay a fine. The company has neither admitted nor denied any of the allegations.

"Companies that try to change the rules of the game by re-writing their privacy policy are on notice," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data."

The company asks users to spit into a tube and uses the customer's genetic data, in combination with a health quiz, to check if a user has, or may soon have, certain health conditions. After a user buys a product package that costs between $29 and $259, the company gives them a report about their health, wellness, and ancestry.

According to the order [PDF], the company, which the FTC said also trades as Vitagene, "identifies salient genotype data, pertinent questionnaire answers, and, based on the genotype data and questionnaire answers, the level of risk for having or developing certain health conditions, such as high LDL cholesterol, high triglycerides, obesity, or blood clots."

The document, which proposes a $75,000 settlement and a commitment from the company to police its own data protection, claims that Vitagene did not securely store consumers' health reports and raw genotype data.

100 points to whoever guesses what comes next. The order goes on to claim it was all bunged in Amazon S3 buckets, and that the containers' access controls were conspicuous by their absence.

In all fairness, misconfigured S3 buckets are common, even after AWS introduced S3 Block Public Access in 2018: four switches, settable per bucket or across a whole account, that reject new public ACLs and bucket policies and neutralise any existing ones, whatever the bucket's own ACL or policy says.
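The three things that decide whether a bucket is actually readable by the world are its Block Public Access settings, its ACL grants, and its bucket policy, and S3 evaluates them together: a public ACL grant is dead if IgnorePublicAcls is on, a public policy statement is dead if RestrictPublicBuckets is on. The checker below, added here as an illustration and not code from Vitagene, the FTC or AWS, combines them the same way. The inputs are constructed samples in the shapes boto3's get_public_access_block, get_bucket_acl and get_bucket_policy return; nothing is fetched from AWS, and the bucket name, owner ID and VPC endpoint ID are made up.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # S3 counts a grant to either as public


def public_acl_grants(acl):
    """Return (group, permission) for each ACL grant to AllUsers or
    AuthenticatedUsers; the latter means 'anyone holding any AWS account'."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_doc):
    """Return (Sid, actions) for Allow statements usable by any principal.
    Statements carrying a Condition are skipped: they may be limited to a VPC
    endpoint or source IP and need reading by hand rather than auto-flagging."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be given bare
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        found.append((stmt.get("Sid", ""), actions if isinstance(actions, list) else [actions]))
    return found


def assess(bucket, public_access_block, acl, policy_doc=None):
    """Combine the inputs the way S3 does. Grants that exist but are overridden
    by Block Public Access are reported as 'dormant' so they get cleaned up
    rather than left waiting for someone to flip the switch off."""
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    live, dormant = [], []
    for grant in public_acl_grants(acl):
        (dormant if cfg.get("IgnorePublicAcls") else live).append(("acl", grant))
    for stmt in (public_policy_statements(policy_doc) if policy_doc else []):
        (dormant if cfg.get("RestrictPublicBuckets") else live).append(("policy", stmt))
    return {"bucket": bucket, "public": bool(live), "live": live, "dormant": dormant}


# --- constructed sample inputs; the bucket, owner ID and endpoint are invented ---
OWNER = {"Type": "CanonicalUser", "ID": "exampleownercanonicalid"}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_READ_ACL = {"Owner": {"ID": OWNER["ID"]},
                   "Grants": PRIVATE_ACL["Grants"] + [
                       {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]})
VPCE_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "FromOurEndpoint", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
NO_PAB = None  # nothing configured: a bucket left as it was before the 2018 controls
FULL_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for label, pab in (("no block-public-access", NO_PAB), ("all four switches on", FULL_PAB)):
        print(label, assess("example-reports", pab, PUBLIC_READ_ACL, PUBLIC_POLICY))
```

With the same public-read ACL and public-read policy, the bucket comes back public when nothing is configured and not public once all four switches are on, but in the second case both grants are still listed as dormant. The other two switches, BlockPublicAcls and BlockPublicPolicy, only stop new public grants being written, so they do not appear in the evaluation of existing ones.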

Bloomberg reported on the leak back in 2019, saying the company had left people's health records publicly accessible for years.

Vitagene told the newswire at the time that the files dated from when the company was in beta testing and affected a small fraction of its customer base.

The FTC's recent order goes on to detail another count from the proposed complaint alleging Vitagene posted revised privacy policies on its websites in April and December 2020 that described "materially expanded practices for the company's sharing of consumers' sensitive health and genetic information with third parties." According to the commission, this included the information of consumers who purchased products and services from the company before April 2020 — "without taking any additional steps to notify consumers or obtain consumers' consent."

The FTC said the proposed order contained "provisions" to address Vitagene's conduct and prevent it from "engaging in the same or similar acts or practices in the future."

Mehdi Maghsoodnia, CEO of 1Health, told The Register in a statement: "In July 2019, we were for the first time alerted to the fact that a small number of customer files had been inadvertently stored in a publicly accessible location. There is no evidence these customer files were improperly accessed.

"In response, the FTC launched an investigation which has now dragged on for nearly four years. This is a case of extraordinary government overreach. Ultimately, we disagree with many of the FTC's conclusions. But we look forward to finally putting this matter behind us." ®
