The Federal Trade Commission has alleged that genetic testing firm 1Health.io, also known as Vitagene, deceived people when it said it would dispose of their physical DNA samples as well as their collected health data.
To make matters worse, the FTC also alleged in a consent order made public last week that the company didn't secure the information properly, and further, that it changed its privacy policy retroactively without properly notifying or getting consent from people whose data the company had already collected – people who had signed a different, earlier version of the policy.
Under the proposed settlement, Vitagene/1Health.io will have to sharpen its data protection practices and put in place procedures to keep them sharp, as well as pay a fine. The company has neither admitted nor denied any of the allegations.
"Companies that try to change the rules of the game by re-writing their privacy policy are on notice," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data."
The company asks users to spit into a tube and uses the customer's genetic data, in combination with a health quiz, to check whether a person has, or may soon have, certain health conditions. After a person buys a product package, which costs between $29 and $259, the company gives them a report about their health, wellness, and ancestry.
According to the order [PDF], the company, which the FTC said also trades as Vitagene, "identifies relevant genotype data, pertinent questionnaire answers, and, based on the genotype data and questionnaire answers, the level of risk for having or developing certain health conditions, such as high LDL cholesterol, high triglycerides, obesity, or blood clots."
The document, which proposes a settlement of $75,000 and seeks to extract a commitment from the company to police its data protection, claims that Vitagene did not securely store consumers' health reports and raw genotype data.
100 points to whoever guesses what comes next. The order goes on to claim it was all bunged in Amazon S3 buckets, and that the containers' access controls were conspicuous by their absence.
In all fairness, misconfigurations of Amazon's cloud buckets are common, even after AWS introduced a new set of controls in 2018 that let account owners set "blanket policies" preventing public access to S3 buckets from being enabled via access control lists.
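To make the 2018 controls concrete, here is an added example (not from the article, the FTC order, or Vitagene) that evaluates a bucket's Block Public Access settings together with its ACL grants, using the dictionary shapes boto3 returns from `get_public_access_block` and `get_bucket_acl` and constructed sample inputs so it runs offline. It shows why only `IgnorePublicAcls` neutralises a public ACL that was already in place before the block was enabled.

```python
"""Offline check of S3 public-exposure state, using the dict shapes boto3 returns."""
from typing import Dict, List, Optional

# Grantee URIs that make an ACL grant "public" in the Block Public Access sense.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(grants: List[dict]) -> List[str]:
    """Permissions granted to AllUsers/AuthenticatedUsers (get_bucket_acl 'Grants')."""
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append(grant["Permission"])
    return found


def assess_exposure(pab: Optional[Dict[str, bool]], grants: List[dict]) -> dict:
    """pab is get_public_access_block()['PublicAccessBlockConfiguration'], or None
    when the bucket has no block configured. IgnorePublicAcls neutralises grants
    that already exist; BlockPublicAcls only refuses *new* public ACLs, so a
    legacy grant survives a partial configuration."""
    pab = pab or {}
    perms = public_acl_grants(grants)
    return {
        "public_acl_permissions": perms,
        "effectively_public": bool(perms) and not pab.get("IgnorePublicAcls", False),
        "missing_block_settings": [k for k in BLOCK_SETTINGS if not pab.get(k, False)],
    }


# Constructed sample inputs (no real buckets or account IDs): a legacy
# world-readable ACL alongside three Block Public Access states.
LEGACY_PUBLIC_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
PRIVATE_ACL = [LEGACY_PUBLIC_ACL[0]]
NO_BLOCK = None
PARTIAL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
FULL_BLOCK = {k: True for k in BLOCK_SETTINGS}

if __name__ == "__main__":
    for name, pab in (("none", NO_BLOCK), ("partial", PARTIAL_BLOCK), ("full", FULL_BLOCK)):
        print(name, assess_exposure(pab, LEGACY_PUBLIC_ACL))
```

On a live account the same logic applies to the account-level block (`s3control.get_public_access_block`), which takes precedence over the bucket-level one.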
Bloomberg reported on the leak back in 2019, saying the company had left people's health records publicly accessible for years.
Vitagene told the newswire at the time that the files dated from when the company was in beta testing and affected a small fraction of its customer base.
The FTC's new order goes on to detail another count from the proposed complaint alleging Vitagene posted revised privacy policies on its websites in April and December 2020 that described "materially expanded practices for the company's sharing of consumers' sensitive health and genetic information with third parties." According to the commission, this included the information of consumers who purchased products and services from the company before April 2020 — "without taking any additional steps to notify consumers or obtain consumers' consent."
The FTC said the proposed order contained "provisions" to address Vitagene's conduct and prevent it from "engaging in the same or similar acts or practices in the future."
Mehdi Maghsoodnia, CEO of 1Health, told The Register in a statement: "In July 2019, we were for the first time alerted to the fact that a small number of customer files had been inadvertently stored in a publicly accessible location. There is no evidence these customer files were improperly accessed.
"In response, the FTC launched an investigation which has now dragged on for about 4 years. This is a case of extraordinary government overreach. Ultimately, we disagree with many of the FTC's conclusions. But we look forward to finally putting this matter behind us." ®