DNA service company exposes customers’ records online

DNA testing service Vitagene left thousands of client health reports exposed online for years.

More than 3,000 user files remained accessible to the public on Amazon Web Services cloud-computer servers until July 1, when Vitagene was notified of the issue and shut down external access to the sensitive personal information, according to documents obtained by Bloomberg.

The reports included customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions, a review of the documents showed.

Vitagene said that the files dated from when the company was in “beta” testing and represented a small fraction of its customer base.

“We immediately opened an investigation and blocked access to the files,” Chief Executive Officer Mehdi Maghsoodnia said in an email. “We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application. As a team, we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”

Since 2014, closely held Vitagene has helped people craft diet and exercise plans that are molded to their biological traits, lifestyles and goals. The San Francisco-based company generates individualized reports of as many as 60 pages within four to six weeks of receiving DNA samples, then walks customers through health-risk factors and recommendations. Vitagene was co-founded by a doctor and a sales executive and says it intends to bring a genetic-based approach to wellness.

Advocates say consumers may not understand the data privacy policies of at-home genealogy services. For example, 23andMe shares information from its clients with one of its investors, drugmaker GlaxoSmithKline, to help develop new treatments and select patients for clinical trials. Law enforcement agencies have begun tapping DNA companies’ large databases to track down criminals, leading to last year’s capture of the Golden State Killer decades after the crimes. Companies also share DNA data to make a profit. None of those issues has slowed demand for direct-to-consumer genetic-testing kits. The market is expected to reach $2.5 billion of sales a year by 2024, according to Global Market Insights.

Vitagene customer records were created from 2015 to 2017. Some of the documents included clients’ contact information, such as some work email addresses, making it easier to confirm people’s identities.

The exposure was “extremely significant,” said James Hazel, a postdoctoral fellow at Vanderbilt University’s Center for Genetic Privacy and Identity in Community Settings.

“Past breaches have not involved genetic data or test reports,” Hazel said. “This is the first time I’ve heard that genetic data is implicated, which raises a host of privacy issues for the individuals.” Hazel, who has studied the privacy policies of at-home genealogy companies, said this was the type of information malicious actors could have used to try to blackmail individuals or sell to others.

dna-strand-92952591-foto.jpg

Still, for consumers, there can be little recourse in these kinds of data exposures. Companies that make DNA home-testing kits are exempt from U.S. regulations that safeguard patients’ medical records.

Vitagene openly stored 4,186 files within one collection on an AWS server, which included thousands of reports on clients. The company left 1,401 user files in a less-secure setting that can typically be accessed by a larger group of its employees than those authorized to view the information.

Vitagene emphasized that no credit card data, passwords or other sensitive financial information was exposed. The U.S. Federal Trade Commission in 2014 ruled that DNA testing company GeneLink must implement new security procedures after alleging the company didn’t safeguard customers’ Social Security and credit card numbers, amid a broader review of the company’s practices.

Vitagene had promised customers that it would protect their identities.

“Your results and DNA sample are stored without your name or any other common identifying information,” the company says on its website. “We believe that genetic information deserves the highest level of security. Therefore, your privacy is a top priority at Vitagene.”

Vitagene hasn’t yet notified clients about the exposure incident. The company says it would notify affected customers after sifting through all of the leaked files.

There were almost 300 files that contained people’s raw genotype DNA data in massive blocks of code accessible to public viewing, but understood only by someone familiar with the science of human genomes. Almost a third of that data was exposed with the user’s first name.

Hazel said the presence of that data was very concerning. “Even if raw data is not attached to a name or other personally identifiable information, there’s always a risk with genetic data that a person can be re-identified with that alone,” he said. Many websites allow people to upload genetic data to find relatives, he said.

Bloomberg News