Vitagene is investigating a data breach in which sensitive information on approximately 3,000 customers was exposed online.
Vitagene, based in San Francisco, CA, provides direct-to-consumer DNA-testing services such as genealogy information and health analysis. Individuals send Vitagene genetic samples, which are analyzed to assess the individual’s likelihood of developing specific health issues. Vitagene then develops a personalized health and wellness action plan tailored to the individual.
While still in its initial testing period, Vitagene uploaded customer records to Amazon Web Services cloud servers. However, the organization failed to ensure that the access controls on that storage had been correctly configured. As a result, the files were reachable by anyone on the Internet without authentication. Vitagene became aware of the problem in late June. External access to consumer files was blocked on July 1, 2019.
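The page says only that files on AWS “cloud servers” were reachable from the Internet. The following is an added example, not Vitagene’s code, and assumes the storage was an S3 bucket (the page does not say so). It audits the three controls that together decide whether a bucket is world-readable: the bucket policy (an Allow statement with Principal `*`), the legacy ACL (grants to the AllUsers or AuthenticatedUsers groups), and the Block Public Access settings that override both. The weak and corrected configurations and the bucket and role names are constructed for illustration.

```python
"""Audit S3 bucket access configuration for public exposure.

Added example; not the code of any party named on the page. Assumes S3.
The policy, ACL and Block Public Access documents below are constructed
samples in the shapes returned by the AWS API (aws s3api get-bucket-policy,
get-bucket-acl, get-public-access-block).
"""

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} means anyone, including anonymous callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy):
    """Return (Sid, actions) for Allow statements open to the whole Internet.

    Simplification: any Condition is treated as narrowing the statement.
    AWS's own public-bucket test only accepts specific keys (aws:SourceIp,
    aws:SourceVpce, ...) as narrowing, so conditioned statements still need
    a manual look.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), tuple(_as_list(stmt.get("Action")))))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def audit_bucket(policy, acl, public_access_block):
    """Combine the three controls. An empty list means the bucket is not public."""
    pab = public_access_block or {}
    findings = []
    for sid, actions in public_policy_statements(policy):
        if pab.get("RestrictPublicBuckets"):
            continue  # Block Public Access neutralises a public policy
        findings.append(f"policy statement {sid} allows {', '.join(actions)} to Principal *")
    for group, perm in public_acl_grants(acl):
        if pab.get("IgnorePublicAcls"):
            continue  # public ACL grants are ignored when this flag is set
        findings.append(f"ACL grants {perm} to {group}")
    return findings


# Constructed sample: the weak configuration. Anyone can list and fetch objects.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-dna-uploads", "arn:aws:s3:::example-dna-uploads/*"]}]}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Constructed sample: the corrected configuration. Only one application role may
# read objects, the ACL is owner-only, and Block Public Access is on as a backstop.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-dna-uploads/*"}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                            "Permission": "FULL_CONTROL"}]}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_ACL, NO_BLOCK)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL, FULL_BLOCK))):
        print(label, audit_bucket(*args) or "no public access found")
```

In practice the inputs come from `aws s3api get-bucket-policy` (whose `Policy` field is a JSON string that must be parsed first), `get-bucket-acl` and `get-public-access-block`; enabling all four Block Public Access flags is the single change that would have closed both exposure paths regardless of what the policy or ACL said.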
The exposed records contained information such as names, addresses, telephone numbers, and personal and work email addresses. According to a Vitagene spokesperson, the breach affected only a small number of customers who had used its DNA-testing service between 2015 and 2017. It is estimated that approximately 3,000 people have been affected.
Approximately 300 files contained unprocessed genetic data. Although anybody with an Internet connection could have accessed this information, Vitagene noted that specialist knowledge of genetics would have been needed to interpret it; that does not make the raw data any less sensitive, since it cannot be changed or reissued the way a password or card number can.
Vitagene is still investigating the breach and will send breach notification letters to those affected once the investigation has concluded. It is currently trying to determine whether any unauthorized individual accessed, downloaded, or altered customer information while it was publicly available.
“We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application,” said Chief Executive Officer Mehdi Maghsoodnia. “As a team, we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”
The Health Insurance Portability and Accountability Act (HIPAA) does not cover direct-to-consumer DNA-testing services. Many consumers do not realize this, and that they therefore do not have the same rights over their data that they would have with a HIPAA-covered entity such as a healthcare provider.
Given the considerable rise in the number of organizations collecting individuals’ genetic data to provide these services, many experts have called for direct-to-consumer DNA testing to be brought under HIPAA. A bipartisan group of senators has introduced a bill that aims to address the current gaps and help ensure that consumers’ privacy is protected when they use direct-to-consumer genetic testing services and health apps.
Because HIPAA does not apply, the Department of Health and Human Services’ Office for Civil Rights cannot take action over the breach. The Federal Trade Commission (FTC) could issue a fine, however, and state attorneys general could take action if state laws have been violated.