FTC & State AG

FTC Continues Enforcement of Health Data Privacy and Security

Published: Sep. 13, 2023

Updated: Sep. 21, 2023

The FTC finalized an order against 1Health.io (formerly Vitagene), alleging that the company misrepresented consumers’ rights regarding their genetic and health data, including the ability to have their data deleted; inadequately secured such data; and retroactively and materially changed the privacy policy without notification or consent.

The order signals the FTC’s continued effort to broaden its enforcement around consumer health data. It also applies a broader working definition of health data than existing law provides, sweeping in any individually identifiable information concerning the “propensity” of an individual to develop a health condition.

Background and Allegations Against 1Health.io

1Health.io markets DNA health test kits: consumers submit a DNA sample and receive information relating to their health, wellness, and ancestry. Using those samples together with a consumer’s responses to a health questionnaire, the company also markets reports on a consumer’s likelihood of developing certain diseases based on their genetic makeup, and offers personalized nutritional, fitness, and beauty products and subscriptions.

In its complaint, the FTC alleged both deception (misrepresentation) and unfairness claims. First, the FTC alleged that 1Health.io misrepresented its data security practices: the company stated in marketing materials that it stored names and other identifying information separately from DNA results, and described its security practices as exceeding industry standards. In actuality, according to the complaint, 1Health.io stored DNA results together with identifiable information, including in publicly accessible cloud storage. The complaint also alleged a failure to implement adequate access controls, encryption, logging, and data inventory practices. Second, the FTC alleged that 1Health.io led customers to believe that they could have their information deleted on request. However, the company did not contractually require its third-party laboratories to destroy DNA samples and, in some instances, could not fulfill deletion requests because its data inventory was inadequate to locate the data. Third, the FTC alleged that 1Health.io unfairly adopted material retroactive changes to its privacy policy without adequate notice and consent, broadening the categories of third parties with whom the company shared health data.

Final Order

The final order requires 1Health.io to take several remedial measures, and to provide existing customers with options to effectuate the deletion of their data and to potentially seek a refund for their product purchases.

Among its remedial measures, the order requires 1Health.io to pay $75,000 in monetary relief, obtain affirmative express consent prior to disclosing health data to third parties, and instruct its contracted third-party laboratories to destroy any DNA samples they retained past 180 days and provide written confirmation to the FTC of such deletions. The order also requires 1Health.io to create and maintain a comprehensive security program (subject to various certification and assessment requirements), notify the FTC of any security incidents related to health data, and undertake initial and biennial privacy assessments by an independent, third-party assessor for 20 years.

Takeaways

The FTC’s order against 1Health.io reinforces many of its prior concerns related to health data, and suggests the following takeaways:

  1. Companies looking to update their privacy policies should evaluate whether such changes constitute material retroactive changes, along with any applicable notice and consent requirements.
  2. Companies should evaluate whether their current security practices align with any public-facing representations, including in their privacy policies.
  3. Companies should audit their contracts with service providers and business partners to determine whether the company can fulfill its public-facing representations concerning its data practices.
  4. Companies that collect or generate information about the “propensity” of an individual to develop a health condition, including any predictions about likely physical or mental health conditions associated with an individual, should consider additional review of their privacy and security practices to confirm they comply with state and federal privacy and security requirements.