Categories: Agency Information, Privacy and Security, Privacy and Security Law
, ,

A recent enforcement action by the Federal Trade Commission (“FTC”) against 1Health.io—which sells “DNA Health Test Kits” to consumers for health and ancestry insights—serves as a reminder that the FTC is increasingly exercising its consumer protection authority in the context of privacy and data protection. This is especially true where the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) does not reach. The FTC’s settlement with 1Health.io highlights a wide-range of privacy and security issues companies should consider relating to best practices for updating privacy policies, data retention policies, configuration of cloud storage and vendor management, especially when handling sensitive genetic data. 

Alleged Privacy and Security Violations

The FTC alleged 1Health.io committed a number of violations. One noteworthy allegation was that 1Health.io’s “material” change to its privacy policy, which had retroactive effect without additional notice or consent, was an unfair act or practice. This is consistent with the FTC’s position in prior cases. The policy change at issue involved expanding the categories of third parties with whom the company shares consumers’ data to include pharmacies, supermarket chains, nutrition and supplement manufacturers, and other providers and retailers. The FTC alleged these material changes harmed consumers who provided personal information predicated on an earlier version of the privacy policy, but who were not subsequently given appropriate notice, nor asked to consent to the newer expanded data sharing language. 

The FTC also alleged that 1Health.io stored customers’ genetic data in a publicly accessible “bucket” provided by Amazon Web Services (“AWS”), despite being notified of such during a penetration test of its web application, and by AWS itself. According to the complaint, in an email to 1Health.io, AWS warned 1Health.io that one or more of its storage buckets was “configured to allow read access from any user on the Internet.” 1Health.io allegedly did not correct the issue in time—about two years later, a “security researcher” sent 1Health.io a link to the publicly accessible data, but also notified the news media, resulting in numerous complaints from customers.

The FTC further alleged that, among other things, the public accessibility of consumer information resulted in a false or misleading statement in 1Hleath.io’s privacy policy.  Specifically, the FTC alleged that, because 1Health.io did not have an “inventory” of the data stored in the public AWS bucket, “in at least some instances, [1Health.io] could not delete all consumer information for consumers who requested deletion of their data,” as it promised to do in its privacy policy.

Additionally, according to the complaint, 1Health.io’s FAQs stated that DNA saliva samples would be destroyed after analysis. However, the FTC alleged that the company failed to require one of its vendors—a genotyping laboratory partner—to destroy saliva samples after they were analyzed.

Lessons Learned

There are several takeaways from the 1Health.io action. First, companies should carefully consider implications when making “material” changes to privacy policies governing consumers’ data, especially when sensitive data is implicated. While logistically challenging, in some situations, consent should be considered to minimize risk. Second, companies should carefully, and periodically, review data shared with vendors, including cloud providers, to ensure such vendor systems are configured to secure data from unauthorized access. Simple changes can minimize the risk of security incidents. Third, public-facing statements in privacy policies and even FAQs should always be consistent with business practices. Finally, companies ought to establish, communicate and abide by appropriate retention policies for consumer data.

These lessons learned are important to companies to consider when developing data governance programs guided by good data stewardship principles and fair information practices. You can learn more about developing a “Culture of Data Governance” by clicking the link here.

****

Epstein Becker Green will be closely following developments related to FTC enforcement in the privacy and data protection space.  For additional information about the issues discussed above, or if you have any other privacy, cybersecurity, and data asset management concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or one of the authors of this blog post. Read more about our expansive capabilities and offerings here.

Tags: 1Health.io, Accessible Data, Alaap B. Shah, Alexander Franchilli, Amazon Web Services, Cybersecurity, data protection, Federal Trade Commission, FTC, FTC Enforcement, genetic testing, Health Insurance Portability and Accountability Act of 1996, HIPAA, privacy and security, Privacy and Security Violations, Privacy Attorney, Privacy Policy, Rebecca Porter
Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.