What “Not-to-Do” in Data Security - the 1Health Case

Don Miller

We have published a series of posts over the years discussing certain data breach incidents.  We do this as a service to our readers to keep them informed and aware of what “not-to-do”—i.e., learning from others’ mistakes along the way.  This blog is the latest in the series and involves an enforcement action brought by the Federal Trade Commission (“FTC”) against a company named 1Health.io, formerly Vitagene (“1Health”).

Understanding the FTC’s Role in Data Security Enforcement

The FTC is a key agency responsible for protecting consumers from unfair or deceptive practices in the marketplace, including violations related to data security and privacy.  While many associate the FTC with antitrust law, the agency has become an increasingly powerful force in the realm of data protection, particularly in ensuring that companies handle consumer data responsibly and securely.  The agency’s focus on data security has only grown with the increase in both the volume of consumer data online and the instances of data breaches across various industries.

Who is 1Health?

1Health is a direct-to-consumer health and genetic testing company that provides users with personalized health insights based on their DNA.  The company offers a range of services, including genetic testing for ancestry, wellness, and nutrition, as well as health reports that help individuals make more informed decisions about their lifestyle and diet.  Given the nature of its business, 1Health handles highly sensitive data.  Unfortunately, the company faced scrutiny after a data breach revealed its failures to safeguard this critical data properly.

FTC Enforcement Action

a. Promises Made

In its complaint, the FTC noted that 1Health’s website greeted visitors with reassuring promises about the security and privacy of the most sensitive data.  In fact, the company’s homepage prominently displayed a bold claim:  “Your DNA and health details are personal and private.  We make your privacy our priority.”  These words are accompanied by an image of a large padlock over a strand of DNA to emphasize the importance of securing the data.  Everything aligns with what one would expect from a company handling such sensitive data.

If you dig a little deeper, the company continued to assure visitors that their health data would be protected with industry-standard security practices.  1Health proudly proclaimed that they “design innovative ways to protect your data” and that “your privacy is our top priority.”  Additional promises about “rock-solid security” and “latest technology” are scattered throughout, further assuring consumers that their information was in safe hands.  1Health even assured users that “[w]e do not sell your data to any third party,” and that users can delete their data at any time.

b. Promises Broken

It all sounds perfect, right?  But, as you probably know by now, the FTC’s investigation told a different story, one in which 1Health failed to live up to its public commitments and left consumer data exposed.

Most concerning to the FTC was that 1Health’s promises of strong data security weren’t backed by appropriate security measures.  The FTC’s investigation revealed that 1Health stored nearly 2,400 health reports and genetic data from at least 227 consumers in unprotected publicly accessible “buckets” on Amazon Web Services’ cloud storage—leaving the door wide open for anyone to walk in and access this sensitive information.

1Health did not encrypt sensitive genetic data when it was being transferred or stored, and encryption is a basic and essential data security safeguard.  On top of that, there were no controls in place to restrict access to this information, no logs or monitoring of who accessed it, and no inventory or checks to ensure its security.  It was as if the company had left its most precious data in a public locker with the key in plain sight—unprotected and vulnerable.
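The gaps the FTC lists are all things a cloud team can check for itself before a researcher or a regulator does: public access, default encryption, TLS-only access, and access logging.  As an added example (not code from the original post, from 1Health, or from bTrade), the Python below audits a bucket's configuration against exactly those points.  It runs offline on snapshot dicts shaped like the responses of boto3's S3 client calls (`get_bucket_acl`, `get_public_access_block`, `get_bucket_policy`, `get_bucket_encryption`, `get_bucket_logging`); the two snapshots, the bucket names, and the KMS alias are constructed for illustration and do not describe any real account.

```python
"""Offline audit of S3 bucket configuration snapshots (added example).

Each snapshot is a dict keyed by the boto3 S3 client method whose response it
holds.  None stands for the "nothing configured" error those calls raise
(NoSuchPublicAccessBlockConfiguration, NoSuchBucketPolicy,
ServerSideEncryptionConfigurationNotFoundError); an empty dict for
get_bucket_logging stands for a response with no LoggingEnabled key.
Both snapshots are constructed by hand, not captured from a real account.
"""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """ACL grants that hand a permission to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_allows_public(policy):
    """True if an unconditional Allow statement names a wildcard principal."""
    return any(
        stmt.get("Effect") == "Allow"
        and _principal_is_wildcard(stmt.get("Principal"))
        and not stmt.get("Condition")
        for stmt in _as_list(policy.get("Statement", []))
    )


def policy_enforces_tls(policy):
    """True if a Deny statement rejects requests made without TLS."""
    for stmt in _as_list(policy.get("Statement", [])):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def audit_bucket(snapshot):
    """Return a sorted list of finding codes for one bucket snapshot."""
    findings = []
    pab = (snapshot.get("get_public_access_block") or {}).get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append("public-access-block-incomplete")
    if public_acl_grants(snapshot.get("get_bucket_acl")):
        findings.append("acl-grants-public-access")
    raw = (snapshot.get("get_bucket_policy") or {}).get("Policy")
    policy = json.loads(raw) if raw else {}
    if policy_allows_public(policy):
        findings.append("policy-allows-public-access")
    if not policy_enforces_tls(policy):
        findings.append("no-tls-only-policy")
    rules = (snapshot.get("get_bucket_encryption") or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("no-default-encryption")
    if not (snapshot.get("get_bucket_logging") or {}).get("LoggingEnabled"):
        findings.append("no-access-logging")
    return sorted(findings)


# Constructed snapshot resembling the state the complaint describes: world-readable
# ACL and policy, no public-access block, no default encryption, no TLS rule, no logging.
EXPOSED_BUCKET = {
    "get_public_access_block": None,
    "get_bucket_acl": {"Owner": {"ID": "owner-id"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
    "get_bucket_policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"}]})},
    "get_bucket_encryption": None,
    "get_bucket_logging": {},
}

# Constructed snapshot of the same (hypothetical) bucket after hardening.
HARDENED_BUCKET = {
    "get_public_access_block": {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}},
    "get_bucket_acl": {"Owner": {"ID": "owner-id"}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
    "get_bucket_policy": {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})},
    "get_bucket_encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/example-reports"}}]}},
    "get_bucket_logging": {"LoggingEnabled": {"TargetBucket": "example-access-logs",
                                              "TargetPrefix": "reports/"}},
}

if __name__ == "__main__":
    for name, snap in (("exposed", EXPOSED_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(snap) or ["clean"])
```

Run against the exposed snapshot, the audit reports all six findings; the hardened snapshot reports none.  In a real account you would populate the snapshots with the corresponding boto3 calls (catching the "not configured" client errors and storing None) and run this over every bucket, since an inventory of what buckets exist and what they hold is itself one of the controls the FTC said 1Health lacked.  The public-access checks are deliberately conservative: a wildcard principal with any Condition is not reported, so a policy that limits "*" by source VPC or IP still needs a human look.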

1Health also failed to live up to its promise of safeguarding data by allowing third-party laboratories to retain consumer DNA samples for longer than necessary, up to 180 days, without properly securing them.  This breach of consumer trust left sensitive genetic material exposed to potential misuse.

Then, there’s the matter of 1Health’s privacy policy.  The company’s site boldly stated that users could “delete your data at any time.”  But according to the FTC, not only did 1Health fail to honor this promise, it also changed its privacy policy without notifying users or obtaining their consent and applied the new terms retroactively, to data consumers had already handed over under the earlier, stricter terms.

So, while 1Health’s promises painted a picture of security and trust, the reality was a stark contrast.  

c. The Remedy for Broken Promises

In September 2023, the FTC finalized its settlement with 1Health.  The FTC didn’t let 1Health off the hook: it laid out clear, specific steps that 1Health was required to take to make things right.

First, the company had to pay for its mistakes to the tune of $75,000 in consumer refunds for those who were impacted by the security lapse.  This was a tangible reminder that there are real consequences when a company fails to protect consumer data.

But paying for mistakes wasn’t enough.  The FTC also demanded that 1Health take real, actionable steps to correct its security lapses and make sure such a breach wouldn’t happen again.  The company was required to strengthen its data protection protocols—something they had promised to do.  This meant making significant changes to their security practices, including improving encryption methods, limiting access to sensitive data, and implementing monitoring and logging systems.  1Health had to demonstrate to the FTC that they were serious about changing their ways and protecting consumer privacy.

In addition, 1Health was forced to require third-party laboratories to destroy consumer DNA samples that had been kept for more than 180 days.  This action was crucial in making sure that consumers’ genetic information wasn’t lingering in unsecured environments where it could be accessed, misused, or mishandled.

Finally, the FTC required 1Health to implement periodic risk assessments.  This was described as one of the key components of the corrective actions.  These assessments are crucial for identifying potential security vulnerabilities and addressing them before they can be exploited.

The FTC’s resolution was about restoring consumer confidence.  By imposing these strict requirements, the FTC made it clear that when companies break their promises, they need to take responsibility and demonstrate that they’ve learned from their mistakes.

How TDXchange Can Help Prevent This Type of Breach

At bTrade, we understand how critical it is to safeguard sensitive data, especially when it comes to personal and genetic information.  Our enterprise managed file transfer solution, TDXchange, provides the robust security features needed to avoid incidents like the one at 1Health.

  • Encryption at Every Step:  TDXchange uses advanced encryption protocols to protect data both in transit and at rest.  This ensures that even if sensitive data, like genetic information, is transferred between systems or locations, it remains secure and inaccessible to unauthorized parties.
  • Role-Based Access Controls (RBAC):  TDXchange implements RBAC to ensure that only authorized personnel have access to sensitive data.  This minimizes the risk of internal breaches and ensures that user data is handled only by those with the appropriate permissions.
  • Comprehensive Audit Logs:  With TDXchange, organizations have access to detailed audit logs which track every action taken on data—e.g., who accessed it, when, and why.  This not only supports regulatory compliance but also provides full visibility into how sensitive data is handled, so that unauthorized changes to policies or access are detected rather than going unnoticed, as they did at 1Health.
  • Data Policy Enforcement:  TDXchange allows organizations to set and enforce file retention, deletion, and transfer policies, ensuring that sensitive data is only accessible and stored in accordance with legal and regulatory standards.  This helps ensure compliance and protects data from being exposed or misused through the kind of retention and access oversights that led to the 1Health breach.
  • Periodic Risk Assessments:  To meet the kind of periodic risk assessment the FTC’s order requires, organizations can take advantage of bTrade’s comprehensive assessment services.  These assessments are crucial for regularly evaluating the effectiveness of data security practices, which helps ensure that MFT systems remain secure and that any gaps in security are addressed proactively.

Conclusion

The 1Health case is a powerful reminder of the risks organizations face when they fail to protect sensitive information.  TDXchange is designed to help organizations avoid these types of breaches by providing advanced security measures, comprehensive access controls, and full visibility into data handling practices.

If you’d like to learn more about how TDXchange can help you safeguard sensitive data, contact us today at info@btrade.com.