Direct-to-consumer DNA-testing vendor Vitagene inadvertently left the data of about 3,000 consumers exposed online for several years through a misconfigured database, according to a Bloomberg report.
The Vitagene platform is designed to help consumers create diet and exercise plans based on their lifestyles, biological traits, and personal goals, creating reports based on DNA samples.
On July 1, Vitagene was notified that one of its Amazon Web Services databases was exposing some of its consumer data. External access to the database was shut off the same day. The exposed data included users' full names, dates of birth, and genetic health information, including the likelihood of developing certain medical conditions, the report found.
The database also contained documents with users' contact details, such as some email addresses. No credit card information, passwords, or other financial data was exposed. Another 300 files contained raw genetic data, some of it combined with the consumers' names.
In total, 1,401 user files had been stored with a "less-secure" setting, one typically used for files that employees need to access. The vendor confirmed that the files dated from its early beta-testing stage and represented only a small fraction of its current customer base.
“We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application,” Vitagene CEO Mehdi Maghsoodnia told Bloomberg. “As a team we acknowledge our mistake and will keep ourselves accountable.”
“We hope over time to prove that we are worthy of the trust that is given to us every day,” he added.
Direct-to-consumer and other third-party health apps have been in the spotlight in recent months, beginning with a Facebook scandal in which its closed health groups were alleged to have exposed sensitive user information. Other reports have shown that mental health and other apps may share user data without transparency.
Congress has been working to address the patient privacy gaps posed by these apps, given that they are not covered by HIPAA. In June, a bipartisan group of Senators proposed legislation focused on closing the privacy gaps posed by direct-to-consumer genetic tests and other health apps.
AHIMA has also recommended the Department of Health and Human Services expand HIPAA to cover these apps.
While Vitagene is not covered by HIPAA and will not face an Office for Civil Rights audit, there may be implications under state regulations.