Patient Records of Direct-to-Consumer DNA Testing Company Exposed Online


Vitagene is a health tech firm based in San Francisco, CA that offers direct-to-consumer DNA testing. Vitagene inadvertently exposed the personal and genealogy data of a large number of its customers by leaving the files reachable on the web without any authentication.

The Vitagene DNA testing service is one component of a DNA-based individualized health and wellness program. Customers take a genetic test to learn their probability of developing particular diseases; Vitagene then builds a personalized health and wellness program from the results.

During beta testing, Vitagene uploaded patient records to Amazon Web Services cloud storage. The access controls on that storage were misconfigured: anyone who found the files could view them without authenticating. Vitagene learned of the problem in late June and blocked access to the customer files on July 1.
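The article says only that the records sat on AWS cloud storage with access controls that let anyone read them. The script below is an added example, not Vitagene's code and not from the original page; it assumes the storage was an S3 bucket (the page does not name the service) and shows what such a misconfiguration looks like beside its corrected form. It audits three things offline: the bucket ACL for grants to the AllUsers or AuthenticatedUsers groups, the bucket policy for Allow statements with an anonymous principal and a read action, and the Public Access Block settings. The ACL, policy and Public Access Block documents are constructed samples in the shape returned by boto3's get_bucket_acl(), get_bucket_policy() and get_public_access_block(); the bucket name, account ID and role name are placeholders.

```python
"""Offline audit of an S3 bucket's ACL, bucket policy and Public Access Block
settings for anonymous read access. Assumption, not stated on the page: the
exposed AWS storage was an S3 bucket. All documents below are constructed
samples, not Vitagene's real configuration."""
import fnmatch
import json

# Group URIs that mean "anyone" in an S3 ACL. AuthenticatedUsers is any AWS
# account holder, which in practice is the public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_anonymous(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean everyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _action_allows_read(action):
    # IAM action names are case-insensitive and may carry wildcards ("s3:Get*", "s3:*").
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a, pattern) for a in READ_ACTIONS)


def policy_public_statements(policy):
    """Return (Sid, has_condition) for Allow statements that let an anonymous
    principal read objects or list the bucket. A Condition may narrow the grant
    (for example to a VPC or an IP range), so it is reported rather than ignored."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if any(_action_allows_read(a) for a in _as_list(stmt.get("Action", []))):
            findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def public_access_block_gaps(config):
    """Return the Public Access Block flags that are not set to True."""
    return [flag for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not config.get(flag, False)]


def audit_bucket(acl, policy, public_access_block):
    return {
        "acl": acl_public_grants(acl),
        "policy": policy_public_statements(policy),
        "pab_gaps": public_access_block_gaps(public_access_block),
    }


# Constructed sample: the weak configuration (world-readable through both the
# ACL and the policy, no Public Access Block).
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-beta-uploads/*"}]
}""")
EXPOSED_PAB = dict.fromkeys(PUBLIC_ACCESS_BLOCK_FLAGS, False)

# Constructed sample: the corrected configuration (owner-only ACL, policy scoped
# to one placeholder IAM role, every Public Access Block flag on).
HARDENED_ACL = {"Owner": EXPOSED_ACL["Owner"], "Grants": EXPOSED_ACL["Grants"][:1]}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-beta-uploads/*"}],
}
HARDENED_PAB = dict.fromkeys(PUBLIC_ACCESS_BLOCK_FLAGS, True)

if __name__ == "__main__":
    print("exposed:", audit_bucket(EXPOSED_ACL, EXPOSED_POLICY, EXPOSED_PAB))
    print("hardened:", audit_bucket(HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))
```

To run this against a real bucket, feed it the JSON from `aws s3api get-bucket-acl`, `aws s3api get-bucket-policy` and `aws s3api get-public-access-block`; the fix for the exposed case is to drop the public grant and statement and turn on all four flags with `aws s3api put-public-access-block`. Note that an empty audit result shows only that the bucket is not public now; whether anyone read the files while it was public is a separate question that depends on whether access logging was enabled at the time.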

A Vitagene spokesperson said the breach affected a small number of customers who received DNA testing services between 2015 and 2017. The exposed records included names, addresses, phone numbers, and personal and work email addresses.

Roughly 300 files included raw genotype data. Someone may have viewed that data, but without a background in genomics they would most likely not have been able to interpret it.

Roughly 3,000 people may have been affected by the breach. They will be notified once the breach investigation is complete. Vitagene is still trying to determine whether anyone accessed the data while it was reachable from the internet.

Chief Executive Officer Mehdi Maghsoodnia stated that Vitagene had already updated its security protocols in 2018, and that a third-party security firm performed external and internal penetration testing across its application. The company acknowledged its mistake and accepted responsibility for the issue.

Direct-to-consumer DNA testing services are not covered entities under HIPAA, so they are not subject to its rules. Many consumers do not realize that these services fall outside HIPAA and that their data privacy rights are therefore not protected in the same way.

There have been calls for lawmakers to extend HIPAA to cover DNA testing services. A bipartisan group of senators has already introduced a bill intended to address these security issues and to protect the privacy of consumers who use direct-to-consumer genetic testing services and health applications.

The Department of Health and Human Services' Office for Civil Rights has no authority to act on the breach. However, the Federal Trade Commission (FTC) can impose a penalty, and state attorneys general can take action if state laws were violated.