On Friday, the FTC announced that was entering a consent decree with 1Health.io Inc., which also does business as Vitagene, Inc.  This is the fourth health-related FTC enforcement action announced this year (see here and here). 

In addition, it comes on the heels of Virginia, Montana, and, as recently as last week, Texas joining California, Utah, and Arizona in adopting legislation specifically regulating the privacy practices of direct-to-consumer genetic testing companies.  The recently adopted Montana law has a broader scope and narrower exceptions that raise questions about whether it will impede research, whereas the Texas law adopted last week is more similar to the other state models. 

In addition, broader consumer health data legislation has been passed this year in Washington, Nevada, and Connecticut.

The complaint against 1Health.io focused on the following factual allegations:

  • That 1Health.io stored genetic data and heath data for consumers in a publicly accessible cloud repository for a period of time.  According to the FTC, 1Health.io failed to use access controls to restrict access, encrypt the data, or log or monitor access to it;
  • That 1Health.io did not maintain a data inventory and thus could not search its repositories of data to honor consumer requests to delete their data; and
  • That the company lacked measures to ensure that consumers’ saliva samples were destroyed shortly after they were analyzed.  In particular, the FTC noted that the company did not contractually require the laboratory with which it was working to sequence samples to require destruction of the samples.

Based on these factual predicates, the FTC alleges that the company misrepresented to consumers: the strength of its security practices; that it would honor consumer deletion requests; and that it would destroy samples after the samples have been analyzed.

The FTC also alleged that revisions that the company made to its privacy policy in April and December 2020 constituted material retroactive changes that were unlawful since the company failed to first take adequate steps to notify consumers or obtain their consent.  The FTC relied on its unfairness authority to allege that this change was unlawful, alleging that this change was likely to cause substantial injury to consumers due to the potential for unauthorized access to health and genetic data to lead to discrimination or economic or reputational injuries.

The proposed consent order requires the company to adopt an information security program to strengthen protections for genetic information and to instruct third-party contract laboratories to destroy all DNA samples that have been retained for more than 180 days.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations. 

Chambers USA 2024 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Read more about Libbie CanterEmail
Show more Show less
Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and…

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Read more about Elizabeth BrimEmail
Show more Show less