DNA-testing service Vitagene Inc. left thousands of consumers' health reports exposed online that contained their full names, dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions.
More than 3,000 user files remained accessible to the public on Amazon Web Services cloud-computer servers until July 1, when Vitagene was notified of the issue and shut down external access to the sensitive personal information, according to documents obtained by Bloomberg.
A Vitagene spokeswoman confirmed the breach.
"In late June we were informed of a potential security breach in our cloud infrastructure. A small fraction of customers from 2015 to 2017 might have had their information exposed on the Internet," the spokeswoman said in a statement. "We are investigating to find out if anyone’s data was accessed or downloaded by an unauthorized individual. We will notify all affected customers as soon as our investigation is completed.'
"We take privacy matters very seriously and are working hard to ensure our customer's information is protected at all times," the spokeswoman said.
The incident, which exposed clients' health information online for several years, comes amid increasing concerns about protections for the privacy of customers' generic and medical data.
Two Senate lawmakers introduced a bill in June that would create new privacy regulations protecting consumer health data collected through health tracking apps, fitness wearables, and direct-to-consumer DNA testing kits. The bill, introduced June 14, would set a new federal standard for biometric consent, the lawmakers said.
Current laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA) do not adequately address the emerging privacy concerns presented by these technologies, according to Sens. Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska), who introduced the bill.
Vitagene is a DNA-based personalization platform for health and wellness. Leveraging the latest developments in clinical research combined with an individual’s genetic makeup, lifestyle choices, medications, and medical history, Vitagene recommends actionable plans to meet an individual’s health and wellness goals, the company said.
Vitagene said the files dated from when the company was in “beta” testing and represented a small fraction of its customer base, according to Bloomberg.
Vitagene customer records were created from 2015 to 2017. Some of the documents included clients’ contact information, such as some work email addresses, making it easier to confirm people’s identities, Bloomberg reports.
"We immediately opened an investigation and blocked access to the files,” Chief Executive Officer Mehdi Maghsoodnia said in an email to Bloomberg. “We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application. As a team we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”
On its website, Vitagene said, "Vitagene collects, processes, and stores your personal information in a responsible, transparent and secure environment that fosters our customers’ trust and confidence. We use industry-standard security practices to store your DNA sample, results, and any personal data you provide."
Matthew Fisher, a partner with Boston-based law firm Mirick O’Connell and chair of the firm's health law group, told Fierce Healthcare that even if personal identifiers are not directly attached to the exposed data, the genetic information could likely be easily tied back to an individual. "Especially in this age with so much information available online," he said.
"If that occurs, then there could be far-reaching impact for the individuals involved since use of the data could be quite expansive. The data will be valuable for any number of purposes given that raw genetic data could form the basis for a lot of different issues. Given the scope of data involved, I suspect that there will be more ramifications than expected and that issues will pop up for years," Fisher said.
"This is a significant event and one that should get the attention of anyone collecting, using or providing genetic information, regardless of if they are a HIPAA covered entity, a business associate or just have very personal, identifiable data," David Finn, executive vice president of strategic innovation at cybersecurity firm Cynergistek told Fierce Healthcare.
The data privacy incident also follows quickly on the Sandia National Lab warning issued July 2 about a vulnerability on one common open-source software for genomic analysis.
"That warning is a clear message that this type of data is going to be a target," Finn said.
Finn noted that most consumers don’t understand how their data is used and very little insight into the protections and assurances that are being provided. "There does need to be better security and we need privacy regulations but every individual needs to understand what they are 'giving away' and how it might be used," he said.
While direct-to-consumer DNA testing services are not regulated by HIPAA rules, if appropriate measures were not taken to protect the privacy and security of the data, the Federal Trade Commission could potentially pursue an action if the failures were significant enough, Fisher said.
There also could be state law-based claims as genetic information does receive special protection at times, he said.
Vitagene emphasized that no credit card data, passwords or other sensitive financial information was exposed, Bloomberg reported.
There were almost 300 files that contained people’s raw genotype DNA data in massive blocks of code accessible to public viewing but understood only by someone familiar with the science of human genomes. Almost a third of that data was exposed with the user’s first name, Bloomberg reported.