
Genetic testing firm accused by FTC of violating customers’ privacy

The Federal Trade Commission is accusing the genetic testing firm 1Health.io of failing to secure customers’ genetic and health data and of duping them about the potential for getting their data erased.

The agency also said 1Health failed to adequately notify customers about changes to its privacy policy.

Under the terms of a proposed settlement announced on Friday, the firm will be forced to direct third-party contract laboratories to throw away DNA samples held for more than 180 days and bolster protections for genetic data overall. It also will pay $75,000 in fines, which the FTC said will be used to offer consumer refunds.

“Companies that try to change the rules of the game by rewriting their privacy policy are on notice,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a prepared statement. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

1Health could not immediately be reached for comment.

Based in California, 1Health — also known as Vitagene, Inc. — allegedly gathered extensive DNA and other health and ancestry information from customers, charging as much as $259 for its product. Among other things, the reports it produces for consumers include detailed health and genetic data, extrapolating from the data to assess individuals’ risk for future health problems.

1Health’s website boasted about “rock-solid security” and pledged to consumers that it “collects, processes, and stores your personal information in a responsible, transparent and secure environment,” the FTC said in a press release.

However, the FTC alleged that from 2017 until 2020 the company asserted it rarely shared sensitive health data, but that beginning in 2016 it failed to apply a policy that would confirm labs analyzing DNA samples had destroyed them. In 2020, 1Health tweaked its privacy policy, according to the FTC, and began retroactively offering customers’ data to supermarket chains and nutrition manufacturers. Customers were not notified of the change, the agency alleges.

The case is the FTC’s first to home in on both the privacy and security of genetic information, the press release said.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.