Genetic testing company 1Health.io has reached a settlement with the Federal Trade Commission (FTC), agreeing to pay $75,000 to resolve allegations that it mishandled sensitive genetic and health data. The FTC accused the firm of retroactively changing its privacy policy without notifying customers or obtaining their consent, and of misleading customers about their options for having their data deleted. The $75,000 will be used for customer refunds.
Furthermore, the FTC’s finalized order mandates that 1Health.io, formerly known as Vitagene, instruct third-party labs to destroy consumer DNA samples stored for over 180 days and obtain explicit consent before sharing health data.
The company must also notify the FTC of any unauthorized health data sharing and establish a comprehensive information security program to address the security issues outlined in the complaint.
The complaint against 1Health.io, announced in June 2023, alleged that the company promised customers “rock-solid security” while storing sensitive genetic data, unencrypted, in publicly accessible Amazon S3 storage buckets. The FTC charged this conduct as a violation of Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices affecting commerce.
The firm collects DNA samples and health data from customers to generate reports, some costing up to $259, that assess the customer’s genetic and health information to estimate future health risks.
In a related case in May, the FTC accused another technology company, Easy Healthcare Corporation, of failing to protect sensitive health data. Easy Healthcare allegedly shared intimate information about ovulation, fertility, and other sexual and reproductive health matters with two Chinese companies, Google, and AppsFlyer. The FTC found the company in violation of the FTC Act and the Health Breach Notification Rule, and Easy Healthcare agreed to stop the data sharing and pay $200,000 in total settlement payments.
Similarly, in February, discount prescription drug provider GoodRx paid a $1.5 million civil penalty after the FTC found it had shared private health data with advertisers without notifying customers, in violation of the Health Breach Notification Rule.