Ohio DNA Testing Firm Notifies 2.1 Million People About Breach of Personal Information

An Ohio-based DNA testing company has recently disclosed a hacking incident that involved the sensitive data of 2,102,436 individuals. DNA Diagnostics Center (DDC) said it detected suspicious activity in its network on August 6, 2021, and confirmed unauthorized individuals had accessed and acquired files from an archived database between May 24, 2021, and July 28, 2021.

The data breach investigation confirmed that the files exfiltrated by the attackers contained full names, credit/debit card numbers and CVV codes, financial account numbers, Social Security numbers, and platform account passwords. The company said that genetic testing data were stored on a separate system that was not accessed by the hackers, and that no data related to its current operations were stolen in the cyberattack.

The database contained backups made between 2004 and 2012 that were associated with a national genetic testing organization that DDC acquired in 2012. DDC said the legacy system that was accessed had never been used in DDC’s operations and that the system has been inactive since 2012. DDC did not disclose the name of the genetic testing company that collected the data. It is likely that people affected by the breach are unaware that DDC was storing their personal information.

DDC stated that files were exfiltrated from its systems and that it is working with third-party cybersecurity experts to recover the stolen data and ensure no further disclosures are made by the attackers. Ransomware was not used in the attack, although it would appear that the attackers are demanding payment to destroy the data.

DDC said it is unaware of any actual or attempted misuse of patient data but, as a precaution against identity theft and fraud, affected individuals have been offered a 12-month membership to Experian’s credit monitoring and identity theft protection service.

Notification letters have been sent to affected individuals in accordance with state laws. DDC confirmed the data breach is not a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA).

Author: Steve Alder has many years of experience as a journalist and comes from a background in market research. He is a specialist in legal and regulatory affairs and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.