The issue, according to the FTC, was that the company had security lapses that could have put consumer data at risk. There are no allegations, however, that any consumer data was inappropriately seized by third parties.
“Companies that try to change the rules of the game by rewriting their privacy policy are on notice,” Samuel Levine, director of the FTC’s bureau of consumer protection, said in a press release. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”
According to the FTC’s complaint, the company failed to keep several core promises, including its claims that it would not store DNA results with a customer’s name or other identifying information; that consumers could delete their personal information at any time, wiping it from the company’s servers; and that it would destroy DNA saliva samples shortly after they were analyzed.
Moreover, the company did not have agreements in place with third parties requiring them to destroy DNA samples, raising questions about what might have happened to the samples, the FTC said.
The FTC also accused Vitagene of failing to protect its electronic data. The company left about 2,400 health reports about consumers, as well as the raw genetic data of at least 227 consumers (sometimes accompanied by a first name), in publicly accessible Amazon Web Services “buckets” without configuring the security settings properly. An unnamed cybersecurity researcher found this public data online and contacted the company, according to the FTC’s complaint.
In a statement to The Washington Post, CEO Mehdi Maghsoodnia criticized the regulatory action as “extraordinary overreach” by the FTC.
“Ultimately, we disagree with many of the FTC’s conclusions,” Maghsoodnia said. “But we look forward to finally putting this matter behind us.”
As part of a proposed order against the company, 1Health.io is required to pay $75,000 in consumer refunds. It will also face numerous cybersecurity restrictions, including a prohibition against sharing health data with third parties, a requirement to notify the FTC of any unauthorized disclosure of consumer data, and a requirement to implement a comprehensive information security plan.