HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Direct-to-Consumer DNA Testing Company Exposed Personal Information Online

San Francisco, CA-based Vitagene, a health tech company that provides direct-to-consumer DNA-testing services, has inadvertently exposed the personal and genealogy information of thousands of customers to unauthorized access over the Internet.

The Vitagene DNA testing service is part of a DNA-based personalized health and wellness platform. Individuals undergo genetic testing to determine their likelihood of developing certain diseases. Vitagene then develops a personalized health and wellness action plan tailored to the individual.

During beta testing, patient records were uploaded to Amazon Web Services cloud servers, but security controls had not been configured correctly. The files could be viewed by anyone without the need for any authentication. Vitagene became aware of the problem in late June and by July 1, external access to customer files was blocked.

A spokesperson for Vitagene confirmed that the breach had impacted a small number of its customers who had used its DNA-testing service between 2015 and 2017. The exposed records contained information such as names, addresses, telephone numbers, and personal and work email addresses.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Approximately 300 files contained raw genotype data. Members of the public could have viewed the information, but it would have been difficult for anyone to understand the data unless they had an understanding of genomics.

Approximately 3,000 individuals are believed to have been affected. Those individuals will be notified once the breach investigation has been completed. Vitagene is currently trying to determine whether any customer information was accessed during the time it was available online.

“We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application,” said Chief Executive Officer Mehdi Maghsoodnia. “As a team we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”

Direct-to-consumer DNA testing services are not classed as covered entities under HIPAA and are therefore not subject to its regulations. Many consumers do not realize these types of services are not covered by HIPAA and that they do not have the same rights with respect to their data.

There have been calls for HIPAA’s reach to be extended to include DNA testing services. A bipartisan group of senators has introduced a bill that aims to address the current security gaps and help ensure that consumers privacy is protected when using direct-to-consumer genetic testing services and health apps.

The Department of Health and Human Services’ Office for Civil Rights cannot take action over the breach, but the Federal Trade Commission (FTC) could issue a fine and state attorneys general could take action if there have been violations of state laws.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.