The Federal Trade Commission (FTC) has charged genetic testing company 1Health.io (formerly known as Vitagene) with multiple violations related to the privacy and security of DNA data. The company allegedly stored sensitive genetic and health information without encryption, deceived consumers about data deletion, and changed its privacy policy without proper notification. After being warned multiple times, 1Health.io finally investigated the issue in 2019 and notified affected customers. As part of a proposed settlement, the company will strengthen data protection measures and instruct third-party labs to destroy consumer DNA samples retained for over 180 days.
Under the proposed order, 1Health.io must pay $75,000, which will be used for consumer refunds. The company will also be prohibited from sharing health data with third parties without obtaining explicit consent from consumers. Any company that acquires 1Health.io’s business must adhere to the order’s provisions. Additionally, the company must report any unauthorized disclosure of personal health data to the FTC and implement a comprehensive information security program. The proposed consent agreement has been published in the Federal Register and is open for public comment for 30 days.
The FTC’s action aligns with its recent biometric policy statement, which aims to protect consumers from the misuse of biometric information. The proposed settlement carries the force of law, and violations may result in civil penalties of up to $50,120.