Direct-to-Consumer DNA Testing Company Breach Not Covered by HIPAA

Vitagene is a San Francisco, CA-based health tech company offering direct-to-consumer DNA-testing services. Vitagene accidentally exposed its customers' private and genealogy information online, allowing unauthorized access.

The Vitagene DNA testing service serves as the basis for creating a personalized health and wellness program. Customers take a genetic test to learn their likelihood of developing certain disorders, and Vitagene then builds a health and wellness program tailored to each person's needs.

During beta testing, Vitagene uploaded customer records to Amazon Web Services servers, but the security controls were misconfigured: anyone could access the files, with no authentication required. Vitagene became aware of the issue in late June and stopped public access to the records on July 1.
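The article does not say which AWS service or setting was misconfigured, only that the files were reachable without authentication. The most common way that happens with uploaded files is an S3 bucket policy or ACL that grants access to everyone, so the following is an added example (not Vitagene's configuration or code) that audits a bucket policy and a bucket ACL for anonymous grants. The bucket name, account ID, role name and both sample configurations are constructed for illustration; the "weak" policy and ACL are the kind of setting that exposes every object, and the "corrected" ones restrict access to a single IAM role.

```python
import json

# AWS predefined groups that make an ACL grant world-readable or
# readable by any AWS account holder (still effectively public).
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample (assumption, not Vitagene's real policy): anonymous read
# on every object in the bucket. This is the weak setting.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-beta-uploads/*",
    }],
})

# Constructed sample: the corrected policy, limited to one hypothetical IAM role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProcessingRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/beta-processing"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-beta-uploads/*",
    }],
})

# Constructed sample ACLs in the shape returned by boto3's get_bucket_acl().
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}


def is_wildcard_principal(principal):
    """True if a policy Principal matches anyone: "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_policy_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement whose Principal is a wildcard.

    A wildcard statement carrying a Condition (e.g. restricted to a VPC endpoint)
    may not be fully public, so the flag lets the reviewer triage it separately.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    found = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        found.append((stmt.get("Sid", f"statement-{idx}"), "Condition" in stmt))
    return found


def public_acl_grants(acl):
    """Return (group, permission) for each ACL grant to AllUsers or AuthenticatedUsers."""
    groups = {ALL_USERS_URI: "AllUsers", AUTH_USERS_URI: "AuthenticatedUsers"}
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in groups:
            hits.append((groups[grantee["URI"]], grant.get("Permission")))
    return hits


def audit_bucket(policy_json, acl):
    """Summarize anonymous exposure; empty lists mean no public grants were found."""
    return {"policy": public_policy_statements(policy_json), "acl": public_acl_grants(acl)}


if __name__ == "__main__":
    print("weak config:     ", audit_bucket(PUBLIC_POLICY, PUBLIC_ACL))
    print("corrected config:", audit_bucket(PRIVATE_POLICY, PRIVATE_ACL))
```

In a real review the two inputs would come from `get_bucket_policy()` and `get_bucket_acl()` for each bucket in the account, and the check should also confirm that S3 Block Public Access is enabled at the account level, which overrides any public policy or ACL before a beta upload can be exposed.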

A Vitagene representative stated that the breach affected only customers who used the DNA-testing service between 2015 and 2017. The exposed information included names, addresses, phone numbers, and personal and company email addresses.

About 300 records contained raw genotype data. Anyone who viewed the exposed files could have seen this information, though interpreting it requires some knowledge of genomics.

The breach may have affected around 3,000 people. Notifications will be sent as soon as the breach investigation is completed. Vitagene is still trying to determine whether the information was actually accessed over the internet while it was publicly available.

CEO Mehdi Maghsoodnia said that Vitagene updated its security protocols in 2018 and that a third-party security firm conducted external and internal penetration tests across its application. Vitagene admitted its shortcomings and took responsibility for the incident.

Many consumers do not realize that direct-to-consumer DNA testing services are not covered entities under HIPAA. Because these companies are not required to comply with HIPAA, consumers do not have the same data privacy rights they would have with a healthcare provider or health plan.

Lawmakers are being called upon to extend HIPAA's coverage to companies offering DNA testing services. A group of senators has introduced a bill that seeks to address these issues and further protect the privacy of consumers who use direct-to-consumer genetic testing services and health apps.

Because Vitagene is not a HIPAA-covered entity, the Department of Health and Human Services' Office for Civil Rights cannot take action on the breach. Enforcement falls to the Federal Trade Commission (FTC), which can issue a penalty, and to state attorneys general, who can take action if state laws were violated.