FTC settles first case on privacy, security of genetic information with 1Health.io

1Health.io, formerly Vitagene, was ordered to pay $75,000 by the Federal Trade Commission (FTC) to settle charges that it failed to protect sensitive genetic and health data of consumers.

The settlement finalizes a complaint originally announced in June, which charged that the genetic testing firm failed to keep its promise to only share consumers’ sensitive data in limited circumstances.

1Health.io also failed to destroy customers’ DNA samples shortly after they had been analyzed, to not store DNA results with a consumer’s name or other identifying information and to remove such data from its servers upon consumers’ request, the FTC said. 

It was the first FTC case focused on both the privacy and security of genetic information, according to the agency. The $75,000 will be used to issue refunds to consumers.

1Health.io failed to protect users by storing unencrypted health, genetic and other personal information in publicly accessible data “buckets” on Amazon Web Services' cloud, per the complaint. The FTC alleged 1Health.io stored nearly 2,400 health reports about consumers and raw genetic data of at least 227 consumers.

The company also changed its privacy policy in 2020 by retroactively expanding the types of third parties it could share consumers’ data with but did not notify those affected nor obtain their consent, the FTC alleged.

There was “no record” of the information being exposed, but, since the files were not protected, they could have been accessed, 1Health.io told Bloomberg Law in a statement. “We notified all customers and provided a year of identity protection for free to those customers,” it said in the statement. 

As part of the settlement, 1Health.io must instruct third-party contract laboratories to destroy all consumer DNA samples that have been kept for more than 180 days. The order also prohibits 1Health.io from sharing health data with third parties without obtaining consumers’ express consent. The company must notify the FTC about incidents of unauthorized disclosure of consumers’ personal health data going forward and must implement a comprehensive information security program addressing the failures outlined in the complaint.

Security concerns related to genetic testing have grown in recent years. There are federal laws protecting consumers’ privacy, though experts caution they are not broad enough. The FTC has previously issued guidance on protecting consumer privacy for genetic testing companies, and, in the past few years, several states have beefed up privacy laws for at-home DNA tests.


FDA warns against relying on genetic screening tests to make prenatal diagnoses