The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Ohio DNA Testing Firm Notifies 2.1 Million People About Breach of Personal Information

An Ohio-based DNA testing company has recently disclosed a hacking incident that involved the sensitive data of 2,102,436 individuals. DNA Diagnostics Center (DDC) said it detected suspicious activity in its network on August 6, 2021, and confirmed unauthorized individuals had accessed and acquired files from an archived database between May 24, 2021, and July 28, 2021.

The data breach investigation confirmed that the files exfiltrated by the attackers contained full names, credit/debit card numbers and CVV codes, financial account numbers, Social Security numbers, and platform account passwords. The company said genetic testing data were stored on a separate system that was not accessed by the hackers and no data related to its current operations were stolen in the cyberattack.

The database contained backups made between 2004 and 2012 that were associated with a national genetic testing organization that DDC acquired in 2012. DDC said the legacy system that was accessed had never been used in DDC’s operations and that the system has been inactive since 2012. DDC did not disclose the name of the genetic testing company that collected the data. It is likely that people affected by the breach are unaware that DDC was storing their personal information.

DDC stated files were exfiltrated from its systems and it is working with third-party cybersecurity experts to recover the stolen data and ensure no further disclosures are made by the attackers. Ransomware was not used in the attack, although it would appear that the attackers are demanding payment to destroy the data.

DDC said it is unaware of any actual or attempted misuse of patient data but, as a precaution against identity theft and fraud, affected individuals have been offered a 12-month membership to Experian’s credit monitoring and identity theft protection service.

Notification letters have been sent to affected individuals in accordance with state laws. DDC confirmed the data breach is not a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA).

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
