DNA Diagnostics Center to pay $400,000 fine for 2021 data breach

One of the largest commercial DNA testing companies in the world agreed to pay a $400,000 fine to Ohio and Pennsylvania after a 2021 data breach compromised the information of more than 2 million people. 

The announcement from DNA Diagnostics Center (DDC) comes after a lawsuit filed by the two states' attorneys general accused the company of waiting three months to even acknowledge the breach.

“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Pennsylvania's acting Attorney General Michelle Henry said. “That’s why my Office took action with the assistance of Attorney General Yost in Ohio.”

Of the 2.1 million people who had data leaked, 12,663 were from Pennsylvania and 33,282 were from Ohio. The leaked information included Social Security numbers and healthcare data.

Prosecutors for both states said the issue began with DDC's 2012 acquisition of Orchid Cellmark's government paternity business.

Investigators said DDC conducted a penetration test after the acquisition but only focused on databases with “active customer data.” By May 28, 2021, DDC received an automated alert from its managed service provider indicating that "suspicious activity" was occurring related to the Orchid Cellmark unit's network.

The same managed service provider repeatedly contacted DDC to warn them that the network was being accessed but was ignored until August, when the hacker installed Cobalt Strike malware. DDC kickstarted its incident response plan after that notice.  

The DDC investigation found that on May 24, someone logged into a company VPN using DDC credentials and used the access to obtain a directory of credentials for all accounts on the network. 

In total, the hacker accessed five servers and stole 28 databases, eventually contacting DDC in September 2021 demanding payment in exchange for the stolen data. DDC paid the hacker an undisclosed amount to delete the data. 

Prosecutors accused the company of violating several laws including the Consumer Protection Law due to their misrepresentation of efforts to protect consumer data. 

The DDC ended up agreeing to a five-year order that includes mandates to develop an information security program with safeguards on medical data within 180 days. DDC also has to hire an employee or a company to oversee their information security program. 

Security awareness training is also mandated in the order and the fines must be paid to both states within 30 days.

“Negligence is not an excuse for letting consumer data get stolen,” said Yost said. “We’re proud to partner with Pennsylvania to ensure that citizens’ personal data stays private — which consumers rightly expect.”

Correction (Feb. 27, 2023): A previous version of this story incorrectly stated that DNA Diagnostics Center acquired Orchid Cellmark, when the company only acquired a unit of that business.