FTC settles with genetic testing firm accused of violating customer privacy

The genetic testing firm 1Health.io will pay the Federal Trade Commission (FTC) a $75,000 fine to resolve allegations that it failed to secure sensitive genetic and health data, retroactively overhauled its privacy policy without notifying and obtaining consent from customers whose data it had obtained, and tricked customers about their ability to delete their data.

The fine will be used toward customer refunds, the agency said.

1Health.io, a startup based in San Francisco, completed a $6.2 million funding round in July.

The FTC’s finalized order announced Thursday also requires 1Health.io, formerly known as Vitagene, to tell third-party contract laboratories to destroy samples of consumer DNA that have been stored for more than 180 days.

1Health.io also is barred from sharing health data, including any provided by consumers before or after its 2020 privacy policy change, without obtaining customers’ “affirmative express consent.” The firm also must now alert the FTC to incidents where consumers’ personal health data is shared without their consent and build a “comprehensive information security program addressing the security failures outlined in the complaint,” according to the agency.

The complaint, which was announced in June 2023, cited the fact that 1Health.io promised customers “rock-solid security,” even as it stored sensitive unencrypted genetic data in what the FTC called “publicly accessible data buckets.”

The company was charged with violating Section 5 of the FTC Act, which prohibits ''unfair or deceptive acts or practices in or affecting commerce.”

The company allegedly gathers DNA and other health and ancestry information from customers to produce reports costing as much as $259 which include health and genetic data. The company says it uses that data to determine customers’ risk for future health problems.

In May, the FTC accused another technology company of failing to protect consumers’ sensitive health data. The agency alleged that Easy Healthcare Corporation shared “intimate” facts about ovulation, fertility, and other sexual and reproductive health issues with two Chinese companies as well as Google and AppsFlyer. Easy Healthcare violated the FTC Act and the Health Breach Notification Rule, according to the agency.

Under the terms of its settlement, Premom agreed to stop sharing the data and paid a $200,000 settlement fee.

Good Rx, a discount provider of prescription drugs, agreed to pay a $1.5 million fine in February after the FTC said it failed to alert customers that it shared their private health data with advertisers. The company was accused of breaking the FTC’s Health Breach Notification Rule for sharing customer information with companies including Facebook and Google without alerting them to the practice.