FTC Order Requires Genetic Testing Firm to Secure Consumer Data, Delete Samples
The FTC finalized an order with 1Health.io that settles allegations the genetic testing firm left consumers’ sensitive genetic and health data unsecured, deceived customers about their ability to get data deleted and changed its privacy policy “retroactively without adequately notifying consumers and obtaining their consent,” said the FTC in a Thursday news release.
The FTC ordered 1Health.io to pay $75,000, to be used for consumer refunds it will administer, said Chair Lina Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya in their Tuesday decision and order (docket C-4798). The commission had “reason to believe” that 1Health.io violated the FTC Act, said the agency’s June complaint.
The complaint alleged 1Health.io, formerly Vitagene, deceived consumers about its privacy and security practices. It failed to keep its promises to share consumers’ data only in “limited circumstances,” to destroy their DNA samples soon after they were analyzed, to not store DNA results with identifying information and to remove such data from its servers upon consumer request.
The order requires 1Health.io to not misrepresent the extent to which it meets industry-standard security and privacy practices and stores health information; the purposes for which it collects, uses and destroys a consumer’s physical DNA sample or personal information; the extent to which it complies with a security program sponsored by a government entity, third party or standards-setting organization; and approvals it receives for its claims and services.
1Health.io’s employees and agents are prohibited from disclosing any health information to a third party without an individual’s express consent, unless required by law, said the order. The company must instruct any laboratory that collected DNA saliva samples through a contract with an individual to destroy them 180 days after their analysis. The company is required to implement a comprehensive security program to protect consumers’ personal information; assess and test the program at least once every 12 months; and adjust the program in response to changes at the company and technological advancements in methods to control privacy risks, it said.
1Health.io also is required to file a compliance report within 90 days describing in detail how it instructed labs to destroy saliva samples, said the order. A year from the signing of the order, the company must submit a compliance report describing the activities of its businesses, what personal information is collected, and its advertising and marketing activities. The order is effective for 20 years.