DNA testing service Vitagene Inc. left thousands of client health reports exposed online for years, the kind of incident that privacy advocates have warned about as gene testing has become increasingly popular.
More than 3,000 user files remained accessible to the public on Amazon Web Services cloud computer servers until July 1, when Vitagene was notified of the issue and shut down external access to the sensitive personal information, according to documents obtained by Bloomberg. The genealogy reports included customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions, a review of the documents showed.
Vitagene said that the files dated from when the company was in beta testing and represented a small fraction of its customer base.
“We immediately opened an investigation and blocked access to the files,” Chief Executive Mehdi Maghsoodnia said in an email. “We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application. As a team we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”
Since 2014, closely held Vitagene has helped people craft diet and exercise plans that are molded to their biological traits, lifestyles and goals. The San Francisco company generates individualized reports of as many as 60 pages within four to six weeks of receiving DNA samples, then walks customers through health-risk factors and recommendations. Vitagene was co-founded by a doctor and a sales executive and says it intends to bring a genetic-based approach to wellness.
Advocates say consumers may not understand the data privacy policies of at-home genealogy services. For example, 23andMe Inc. shares information from its clients with one of its investors, drugmaker GlaxoSmithKline, to help develop new treatments and select patients for clinical trials. Law enforcement agencies have begun tapping DNA companies’ large databases to track down criminals, leading to last year’s arrest of the suspected Golden State Killer decades after the crimes.
None of those issues has derailed demand for direct-to-consumer genetic testing kits. The market is expected to reach $2.5 billion in sales annually by 2024, according to Global Market Insights Inc.
Vitagene customer records were created from 2015 to 2017. Some of the documents included clients’ contact information, such as some work email addresses, making it easier to confirm people’s identities.
The exposure was “extremely significant,” said James Hazel, a postdoctoral fellow at Vanderbilt University’s Center for Genetic Privacy and Identity in Community Settings.
“Past breaches have not involved genetic data or test reports,” Hazel said. “This is the first time I’ve heard that genetic data is implicated, which raises a host of privacy issues for the individuals.” Hazel, who has studied the privacy policies of at-home genealogy companies, said this was the type of information malicious actors could have used to try to blackmail individuals or sell to others.
Still, for consumers, there can be little recourse in these kinds of data exposures. Companies that make DNA home-testing kits are exempt from U.S. regulations that safeguard patients’ medical records.
Vitagene openly stored 4,186 files within one collection on an Amazon Web Services server, which included thousands of reports on clients. The company left 1,401 user files in a less-secure setting that can typically be accessed by a larger group of its employees than those authorized to view the information.
Vitagene emphasized that no credit card data, passwords or other sensitive financial information were exposed.
The Federal Trade Commission ruled in 2014 that DNA testing company GeneLink Inc. must implement new security procedures after alleging the company didn’t safeguard customers’ Social Security and credit card numbers, amid a broader review of the company’s practices.
Vitagene had promised customers that it would protect their identities.
“Your results and DNA sample are stored without your name or any other common identifying information,” the company says on its website. “We believe that genetic information deserves the highest level of security. Therefore, your privacy is a top priority at Vitagene.”
Vitagene hasn’t yet notified clients about the exposure. Customer Julie Chaiken said she first heard that her data were left unsecured when Bloomberg contacted her.
“I hope the company is going to reach out to me and let me know how extensive this breach is and how many people have looked at these files,” Chaiken said. “I hope they get their act together and respect people’s information just like any healthcare provider or financial services company we expose our data to.”
Vitagene said it would notify affected customers after sifting through all the exposed files.
There were almost 300 files that contained people’s raw genotype DNA data in massive blocks of code accessible to public viewing but understood only by someone familiar with the science of the human genome. Almost a third of those data were exposed with the user’s first name.
Hazel said the presence of those data was very concerning.
“Even if raw data is not attached to a name or other personally identifiable information, there’s always a risk with genetic data that a person can be reidentified with that alone,” he said. Many websites enable people to upload genetic data to find relatives, he said.