DNA Diagnostics Center (DDC), a global DNA-testing firm that performs diagnostic and genetic testing for fertility, health, and relationship (paternity) cases, has agreed to pay $400,000 to settle a lawsuit brought by Pennsylvania Acting Attorney General Michelle A. Henry over a 2021 data breach. As part of the settlement, the company has also agreed to implement a comprehensive information security program intended to prevent a repeat.
The breach was discovered on August 6, 2021, when DDC detected suspicious activity showing that an unauthorized individual had accessed archived databases between May 24 and July 28, 2021. The exposed records covered 33,300 people in Pennsylvania and 12,600 in Ohio and included names, Social Security numbers, and payment details.
The compromised databases had come to DDC through its 2012 acquisition of Orchid Cellmark, and the company was unaware they still existed until the breach, nine years later. DDC had commissioned penetration tests and an inventory assessment, but these were scoped to active customer data and did not surface the archived databases. That scoping gap is the core lesson of the case: an assessment that only covers systems already on the asset list cannot find the data nobody knows is there, so inherited and legacy data stores need to be discovered and catalogued before they can be protected.
The breach reflected two failures in DDC's security controls rather than a single lapse. DDC had contracted a third-party monitoring service to watch for breach activity, but employees did not act on the service's automated email alerts for two months. During that window the attacker deployed Cobalt Strike, a commercial adversary-simulation framework widely abused by intruders for command and control, and exfiltrated the data. The attacker then demanded payment in exchange for returning and deleting the data, and DDC paid. Monitoring only shortens dwell time if alerts have a named owner and an escalation path; an alert queue that nobody reads is equivalent to having no monitoring at all.
The investigation by the two state attorneys general concluded that DDC had engaged in unfair business practices by making false statements about how it protected customers' private information, and that it had failed to implement reasonable security measures to prevent unauthorized access to its networks, in violation of consumer protection law.
Acting Attorney General Michelle A. Henry credited the work of her agents and attorneys in protecting the confidential data of Pennsylvanians. She stated: "The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes. That's why my Office took action with the assistance of Attorney General Yost in Ohio. I am proud of the work our agents and attorneys do every day to protect Pennsylvanians' most sensitive information."
In addition to the $400,000 payment, DDC has agreed to implement a comprehensive information security program. Under its terms the company must designate a staff member responsible for managing and monitoring the program, conduct an annual security risk assessment of the networks that store personal information, create and maintain a complete inventory of its network, implement and maintain reasonable security measures for the protection and storage of personal data, and detect and respond promptly to suspicious activity on the network. The inventory and detection-and-response requirements map directly onto the two failures behind the breach: an archived data store that no one had catalogued, and alerts that went unanswered.
The incident is a reminder that organizations handling sensitive personal data are accountable not only for the systems they actively operate but also for the data they inherit through acquisitions and then forget. Two practical checks follow from it: data discovery and asset inventories must include archived and acquired systems, not just the active customer environment, and every monitoring alert needs an assigned owner with a defined response time. The settlement terms imposed on DDC give other companies a concrete baseline for what regulators now consider reasonable security.