The FTC reached a settlement with 1Health.io over allegations that it left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.

COMMISSIONERS: Lina M. Khan, Chair; Rebecca Kelly Slaughter; Alvaro M. Bedoya

In the Matter of 1HEALTH.IO INC., a corporation, also d/b/a VITAGENE, INC.

DOCKET NO. C-4798

COMPLAINT

The Federal Trade Commission (“FTC”), having reason to believe that 1Health.io Inc., also doing business as Vitagene, Inc. and Vitagene, a corporation (“Respondent”), has violated the provisions of the Federal Trade Commission Act, and it appearing to the Commission that this proceeding is in the public interest, alleges:

• Respondent 1Health.io Inc., also doing business as Vitagene, Inc. and Vitagene (“1Health.io” or “Vitagene”), is a Delaware corporation with its principal office or place of business at 201 Spear Street, Suite 1100, San Francisco, California 94105. Respondent changed its name from Vitagene, Inc. to 1Health.io Inc. in October 2020.

• Respondent has developed, advertised, offered for sale, sold, and distributed products to consumers, including DNA test kits, through its websites, https://1health.io and https://vitagene.com (“Vitagene Website”), and other outlets, such as www.amazon.com.

• The acts and practices of Respondent alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.

RESPONDENT’S DNA HEALTH TEST KITS AND RELATED PRODUCTS

• Since 2015, Respondent has sold Vitagene-branded “DNA Health Test Kits” to consumers. In each DNA Health Test Kit, Respondent instructs the consumer to provide a saliva sample by mail. Respondent contracts with a testing lab to analyze the sample and map a portion of the consumer’s genetic code.

• Respondent combines the lab’s DNA analysis with the consumer’s answers to an online “health questionnaire” that probes the individual’s health history, lifestyle, and family health history. Using this information, Respondent generates reports about the consumer’s health and wellness (“Health Reports”) and ancestry.

• Respondent also sells to consumers Health Reports that Respondent creates by using consumers’ answers to an online “lifestyle questionnaire” and raw DNA data that consumers send to Respondent after the consumers have obtained DNA tests from certain companies other than Respondent.

• In addition to DNA Health Test Kits, Health Reports, and ancestry reports, Respondent’s products include nutritional, fitness, and beauty plans and nutritional supplements customized to each consumer’s unique DNA.

• The retail cost for a single DNA Health Test Kit, Health Report, and ancestry report ranges from $29 to $259, with high-end kits including add-ons, such as subscriptions to personalized vitamin packs and nutritional coaching.

• The Health Reports that Respondent creates contain numerous facts about the consumer’s genetics and health. For example, one type of Health Report first lists the consumer’s name, date of birth, and referring doctor or dietician, and then identifies salient genotype data, pertinent questionnaire answers, and, based on the genotype data and questionnaire answers, the level of risk for having or developing certain health conditions, such as high LDL cholesterol, high triglycerides, obesity, or blood clots.

RESPONDENT’S DECEPTIVE PRIVACY AND SECURITY PROMISES

• Since at least 2018, Respondent has made numerous, prominent claims about the privacy and security of the sensitive health and genetic information it collects and maintains.

• For example, the Vitagene Website’s home page, https://vitagene.com, devotes a section to “DNA Testing Privacy” that prominently features an image of a large padlock over a strand of DNA and asserts: “Your DNA and health details are personal and private. We make your privacy our priority.”

• As shown above, the Vitagene Website home page includes a button that consumers can click to “Learn more” about Respondent’s “DNA Testing Privacy.” That button provides a link to a webpage on the Vitagene Website that Respondent devotes to describing Respondent’s privacy practices, https://vitagene.com/privacy/. Like the Vitagene Website home page, the website’s privacy webpage prominently features images of padlocks, with the large-type, bold-faced heading: “The most personal information must also be the most private.” (Emphasis in original). Under that heading, Respondent asserts: “[W]e design innovative ways to protect your data and build powerful safeguards into our platform to ensure the safety of your personal information. As your lifelong partner on your health journey, your privacy is our top priority.” (Emphasis in original).

• On the Vitagene Website privacy webpage, under the bold-faced heading, “Experience personalization without sacrificing privacy,” Respondent features an image of a padlock with the sub-heading “Rock-solid Security.” (Emphasis omitted). Accompanying this image and sub-heading is the statement: “We use the latest technology and exceed industry-standard security practices to protect your privacy.”

• Also on the Vitagene Website privacy webpage, Respondent gives its consumers additional assurances of its careful privacy and security practices. For example, Respondent asserts, in bold-faced type: “Vitagene collects, processes, and stores your personal information in a responsible, transparent and secure environment that fosters our customers’ trust and confidence.” At the bottom of this webpage, Respondent further represents in bold typeface: “Your health information is yours, and yours only. Your trust means a great deal to us, and drives our continued commitment to protecting your privacy.”

• Respondent reiterates these claims about its commitment to privacy and security throughout the Vitagene Website. For example, on a webpage titled “How It Works,” https://vitagene.com/how-it-works/, Respondent represents: “We believe that genetic information deserves the highest level of security. Therefore, your privacy is a top priority at Vitagene.”
  

RESPONDENT’S DECEPTIVE PROMISES TO SEPARATE DNA FROM OTHER IDENTIFYING INFORMATION

• Since at least 2018, Respondent has described a specific manner in which it protects the privacy and security of consumers’ information: separating DNA from any other identifying information. Specifically, on the Vitagene Website "How It Works" webpage, Respondent provides a list of "[t]hree of the ways we protect your privacy," which includes the claim that "Your results and DNA sample are stored without your name or any other common identifying information."

• Respondent prominently repeats this claim about separation of DNA and other identifying information elsewhere on the Vitagene Website. On a webpage devoted to answering “Frequently Asked Questions,” https://vitagene.com/frequently-asked-questions/, as shown below, Respondent answers the questions, “Is my data protected?” and “How is my privacy protected?”, by asserting (in part): “Your results and DNA [“sample” or “files”] are stored without any identifying information....”
  
  

RESPONDENT’S DECEPTIVE PROMISE TO DELETE ALL DATA UPON CONSUMER REQUEST

• Since at least 2018, Respondent has promised that consumers can readily delete all of their information. On the Vitagene Website privacy webpage, under the sub-heading “You’re in control of your data,” Respondent has represented: “You can delete your data at any time. This will remove your information from all of our servers.”

RESPONDENT’S DECEPTIVE PROMISE TO DESTROY DNA SALIVA SAMPLES

• Since at least 2018, Respondent has promised on multiple webpages that it destroys the physical DNA samples it collects from consumers after the samples have been analyzed. Specifically, on the Vitagene Website “How It Works” webpage, Respondent has represented: “Vitagene destroys your physical DNA saliva sample after it has been analyzed.” Respondent repeats this claim on the Vitagene Website “Frequently Asked Questions” webpage, in response to the question: “Is my data protected?” (“your physical sample is destroyed after it is processed”).
  
• Beginning in approximately December 2016, Respondent lacked measures to ensure that consumers’ saliva samples were destroyed shortly after they had been analyzed. In particular, Respondent did not have a contract provision with its genotyping laboratory partner requiring such destruction.

RESPONDENT’S PRIVACY POLICY REVISIONS REGARDING MORE EXPANSIVE SHARING OF CONSUMERS’ SENSITIVE PERSONAL INFORMATION WITH THIRD PARTIES

• From at least 2017 until April 2020, Respondent’s privacy policy defined "personal information" to include "Enrollment Information, Family History, Lab work, Health Goals, Medical History, Genetic Data, and Enrollment Form." The privacy policy also stated: "A large portion of the Personal Information we collect, use, share, and store is sensitive in nature, including any and all medical information for example Genetic Data & Other Personal Information."

• Consistent with Respondent’s numerous prominent claims about maintaining privacy and security for the sensitive health and genetic information Respondent collects from consumers, from at least 2017 until April 2020, Respondent’s privacy policy stated that Respondent would share consumers’ personal information with third parties only in limited circumstances for narrow purposes. Specifically, the privacy policy stated that Respondent would share consumers’ personal information with their physicians or other medical professionals under consumers’ direction; with Respondent’s business partners or service providers, such as credit card processors or contracted genotyping laboratories, "only as necessary to" help Respondent provide, understand, or improve its services; as required by law; with any third party with a consumer’s prior consent; or via transfer of Respondent’s business to another entity. During part of that time period, Respondent’s privacy policy also stated that Respondent would share consumers’ personal information with business partners, affiliates, sponsors, or other third parties in an aggregate, non-personally identifiable form.

• From at least 2017 to April 2020, Respondent’s privacy policy also stated: "We reserve the right to update, change, modify or otherwise alter this Privacy Policy at any time. If any material changes are made to this Privacy Policy, Vitagene will notify you by posting the revised Privacy Policy on the Services or notifying you through the Services. ANY ACCESS OR USE OF THE SERVICES BY YOU AFTER THE CHANGES GO INTO EFFECT SHALL CONSTITUTE AND BE DEEMED YOUR AGREEMENT TO THIS PRIVACY POLICY."

• In April and December 2020, Respondent published revised privacy policies (collectively, “Respondent’s 2020 privacy policies”) that apply to all of Respondent’s customers, including those who purchased products and services from Respondent solely before April 2020. Compared to Respondent’s previous privacy policy, Respondent’s 2020 privacy policies significantly expand the types of third parties with whom, and the purposes for which, Respondent may share consumers’ personal information. For example, Respondent’s 2020 privacy policies state that Respondent shares personal information with third parties such as pharmacies, supermarket chains, nutrition and supplement manufacturers, and other providers and retailers so they can promote and offer their products and services to Respondent’s customers; with third parties for their own services and marketing purposes unless a customer opts out of such sharing; and with partners, third parties, or affiliates, including for those third parties’ own purposes. Respondent’s December 2020 version of its privacy policy currently remains in effect.

• When Respondent posted the 2020 privacy policies, Respondent did not take any additional steps to notify consumers who had provided sensitive personal information to Respondent prior to the 2020 privacy policy changes or to obtain consumers’ consent for the material changes to its policies with respect to the sharing of such information, including sharing that Respondent’s previously posted privacy policy had stated would take place only with the consumer’s consent.

• Although Respondent has not yet implemented the broader information sharing practices stated in its 2020 privacy policies, it could do so at any time without further notice to consumers.

RESPONDENT’S PUBLIC EXPOSURE OF CONSUMERS’ HEALTH AND GENETIC INFORMATION

• As part of its information technology infrastructure, Respondent uses Amazon Web Services’ (“AWS’s”) Simple Storage Service (the “Amazon S3 Datastore”). The Amazon S3 Datastore is a scalable cloud storage service that entities use to store and retrieve data in virtual containers, called “Buckets.”

• Respondent stores a variety of files containing sensitive health and genetic information in Amazon S3 Datastore Buckets. These files include, among other things, consumers’ Health Reports; genotype data called single-nucleotide polymorphisms (“SNPs”), which are the most common type of genetic variation among people; and other raw genotype data.

• Despite the fact that Respondent stores consumers’ sensitive personal information in the Amazon S3 Datastore, Respondent did not uniformly apply basic safeguards to the data in each of its Amazon S3 Datastore Buckets. In or about 2016, Respondent created a publicly accessible Bucket in which Respondent stored Health Reports for at least 2,383 consumers and a publicly accessible Bucket in which Respondent stored raw genetic data (sometimes accompanied by first name) for at least 227 consumers (“Health and Genetic Buckets”). Respondent did not use any access controls to restrict access to this sensitive data, encrypt it, log or monitor access to it, or inventory it to help ensure ongoing security. As a result of Respondent’s disregard for the basic security of the Health and Genetic Buckets, Respondent publicly exposed online the health and genetic information of more than 2,600 consumers.

• Between July 2017 and June 2019, Respondent received at least three warnings that it was storing consumers’ unencrypted health, genetic, and other personal information in publicly accessible Buckets.

• Respondent received its first warning in July 2017. At that time, AWS sent Respondent an email message, with the subject line “Securing Amazon S3 Buckets,” “to remind [Respondent] that one or more of [its] Amazon S3 bucket access control lists (ACLs) [was] currently configured to allow read access from any user on the Internet.” The message included a list of six of Respondent’s Buckets that were “configured to allow read access from anyone on the Internet,” including the Health and Genetic Buckets. The message encouraged Respondent to promptly review its Buckets and provided a link to the AWS Management Console where Respondent could have quickly reviewed its Bucket access controls and a link to guidance about how to restrict Bucket access. Despite this warning, Respondent did not restrict access to the Health and Genetic Buckets.

• Respondent received its second warning in November 2018, when a security testing company that conducted a web application penetration test for Respondent “found that uploaded DNA data was being stored in Amazon S3 . . . without any access controls.” Despite this warning, Respondent did not restrict access to the Health and Genetic Buckets.

• In June 2019, Respondent received its third warning. On June 27, 2019, a security researcher emailed Respondent’s support inbox regarding a security issue with Respondent’s web application. On July 1, 2019, the security researcher sent Respondent an email with publicly accessible links to Health Reports and files in the Health and Genetic Buckets. The security researcher stated that he had “been able to confirm via the details” that the publicly exposed files pertained to “real individuals and real doctors” and that they were not “testing or ‘made up’ records.” The security researcher later reported his findings to the news media, which published articles about this breach of security in July 2019.

• In July 2019, Respondent began an investigation into the public exposure of the Health and Genetic Buckets. Because Respondent had not taken steps to log access to the Health and Genetic Buckets, Respondent was unable to determine exactly when the Buckets had been created or whether anyone other than the security researcher had accessed, downloaded, or transferred any of the sensitive health, genetic, and personal information they contained.

• In August 2019, Respondent notified affected consumers about the breach. Numerous consumers complained to Respondent about its failure to safeguard their sensitive information. For example, one consumer wrote to Respondent: “I am horrified that my DNA is out there for anyone to use.” Another wrote: “This is worse than credit card and financial info because it’s related to my health.” A third simply said: “Shame on Vitagene for not having its consumers in their best interest.”

• Because Respondent did not maintain a data inventory, from approximately 2016 through July 1, 2019, Respondent could not search the Health and Genetic Buckets in response to consumers’ requests for Respondent to delete their data.

Count I: Security Misrepresentation – Exceeding Industry Standards

• As described in Paragraph 12, Respondent represented, directly or indirectly, expressly or by implication, that it exceeded industry-standard security practices to protect the privacy of consumers’ sensitive personal information, including their health and genetic information.
• In fact, as set forth in Paragraphs 26-35, Respondent’s security practices did not exceed industry-standard security practices to protect the privacy of consumers’ sensitive personal information. Therefore, the representations set forth in Paragraph 12 are false or misleading.

Count II: Security Misrepresentation – Storing DNA Results without Identifying Information

• As described in Paragraphs 15-16, Respondent represented, directly or indirectly, expressly or by implication, that it stored consumers’ DNA results without name or any other common identifying information.
• In fact, as set forth in Paragraphs 9 and 28, Respondent stored DNA results with name and other common identifying information. Therefore, the representations set forth in Paragraphs 15-16 are false or misleading.

Count III: Privacy Misrepresentation – Data Deletion

• As described in Paragraph 17, Respondent represented, directly or indirectly, expressly or by implication, that if a consumer requested deletion of their data, Respondent would remove all of that consumer’s information.
• In fact, as set forth in Paragraph 35, because Respondent did not have an inventory of consumers’ information, including in the Health and Genetic Buckets it exposed publicly, in at least some instances, Respondent could not delete all consumer information for consumers who requested deletion of their data. Therefore, the representations set forth in Paragraph 17 are false or misleading.

Count IV: Privacy Misrepresentation – Saliva Sample Destruction

• As described in Paragraph 18, Respondent represented, directly or indirectly, expressly or by implication, that it destroys the consumer’s physical DNA saliva sample shortly after the sample has been analyzed.
• In fact, as set forth in Paragraph 19, beginning in approximately December 2016, Respondent did not have measures in place to ensure that consumers’ saliva samples were destroyed shortly after they had been analyzed. In particular, Respondent did not have a contract provision with its genotyping laboratory partner requiring such destruction. Therefore, the representations set forth in Paragraph 18 are false or misleading.

Count V: Unfair Adoption of Material Retroactive Privacy Policy Changes Regarding Sharing of Consumers’ Sensitive Personal Information with Third Parties

• As described in Paragraphs 20-25, in April and December 2020, Respondent posted revised privacy policies containing material changes to Respondent’s practices for sharing consumers’ sensitive personal information with third parties, including the health and genetic information of consumers who purchased products and services from Respondent solely before April 2020. Respondent made those material retroactive changes without taking any additional steps to notify consumers or obtain consumers’ consent even though Respondent’s numerous prominent privacy and security claims when it had collected consumers' sensitive personal information, as described in Paragraphs 10-16, demonstrate Respondent's understanding that consumers consider it important to be able to control and limit access to such information.
• Unauthorized access to a consumer's sensitive health and genetic information can lead to a variety of harms, including discrimination or economic or reputational injury. Accordingly, Respondent's retroactive application of its revised privacy policies caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers. This is an unfair act or practice.

VIOLATIONS OF SECTION 5 OF THE FTC ACT

• The acts and practices of Respondent as alleged in this complaint constitute unfair or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act.

THEREFORE, the Federal Trade Commission this 6th day of September, 2023, has issued this Complaint against Respondent.

By the Commission.

April J. Tabor
Secretary

DECISION AND ORDER

DECISION

The Federal Trade Commission (“Commission”) initiated an investigation of certain acts and practices of the Respondent named in the caption. The Commission’s Bureau of Consumer Protection (“BCP”) prepared and furnished to Respondent a draft Complaint. BCP proposed to present the draft Complaint to the Commission for its consideration. If issued by the Commission, the draft Complaint would charge the Respondent with violations of the Federal Trade Commission Act.

Respondent and BCP thereafter executed an Agreement Containing Consent Order (“Consent Agreement”). The Consent Agreement includes:

• Statements by Respondent that it neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, it admits the facts necessary to establish jurisdiction.
• Waivers and other provisions as required by the Commission’s Rules.

The Commission considered the matter and determined that it had reason to believe that Respondent has violated the Federal Trade Commission Act, and that a Complaint should issue stating its charges in that respect. The Commission accepted the executed Consent Agreement and placed it on the public record for a period of thirty (30) days for the receipt and consideration of public comments. The Commission duly considered any comments received from interested persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34.

Now, in further conformity with the procedure prescribed in Rule 2.34, the Commission issues its Complaint, makes the following Findings, and issues the following Order:

Findings

• The Respondent is 1Health.io Inc., also d/b/a Vitagene, Inc. and Vitagene (“Vitagene”), a Delaware corporation with its principal office or place of business at 201 Spear Street, Suite 1100, San Francisco, California 94105. Respondent changed its name from Vitagene, Inc. to 1Health.io Inc. in October 2020.

• The Commission has jurisdiction over the subject matter of this proceeding and over the Respondent, and the proceeding is in the public interest.

ORDER

Definitions

For purposes of this Order, the following definitions apply:

• "Affirmative Express Consent" means any freely given, specific, informed, and unambiguous indication of an individual consumer’s wishes demonstrating agreement by the individual, such as by a clear affirmative action, following a Clear and Conspicuous disclosure to the individual of:

  • each category of Personal Information that Respondent will disclose to third parties;
  • the specific purpose(s) for the disclosures of each category of Personal Information;
  • each category of third party to which such disclosures will be made;
  • a simple, easily-located means for the consumer to withdraw consent;
  • any limitations on the consumer’s ability to withdraw consent; and
  • all other information material to the provision of consent.

  The Clear and Conspicuous disclosure must be separate from any “privacy policy,” “terms of service,” “terms of use,” “consent for research,” or other similar document.

  The following do not constitute Affirmative Express Consent:

  • inferring consent from the hovering over, muting, pausing, or closing of a given piece of content by the consumer; or
  • obtaining consent through a user interface that has the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

• "Clear and Conspicuous" means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:

  • In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure (“triggering representation”) is made through only one means.
  • A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
  • An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
  • In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
  • The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears.
  • The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
  • The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
  • When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes reasonable members of that group.

• "Covered Customer" means any customer identified by Respondent as having had potentially exposed as of July 1, 2019, his or her Health Information that Respondent stored in the Amazon Web Services Simple Storage Service Datastore.

• "Covered Incident" means any incident:

  • that results in Respondent notifying, pursuant to a statutory or regulatory requirement, any U.S. federal, state, or local government entity that information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization; or
  • in which Health Information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.

• "Covered Service Provider" means a person or entity that:

  • uses or receives Health Information collected by or on behalf of Respondent for and at the direction of Respondent and no other individual or entity;
  • does not disclose the Health Information, or any individually identifiable information derived from it, to an individual or entity other than Respondent; and
  • does not use the Health Information for any purpose other than performing the services specified in the Covered Service Provider’s contract with Respondent.

  Covered Service Provider includes any subcontractor to such Covered Service Provider bound by contract to data processing terms no less restrictive than the terms to which the Covered Service Provider is bound.

• "Health Information" means individually identifiable information relating to the health or genetics of an individual, including information:

  • concerning the propensity of that individual to develop a health condition;
  • concerning an analysis of the individual’s DNA, RNA, chromosomes, proteins, or metabolites, in whole or in part; or
  • relating to the past, present, or future physical or mental health or conditions of an individual or the provision of health care to an individual.

• "Personal Information" means information from or about an individual consumer, including:

  • a first and last name;
  • a physical address;
  • an email address or other online contact information, such as a user identifier or a screen name;
  • a telephone number;
  • a financial account number;
  • credit or debit card information;
  • a persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, a mobile device ID, or processor serial number; or
  • Health Information.

• "Respondent" means 1Health.io Inc., also d/b/a Vitagene, Inc. and Vitagene, a corporation, and its successors and assigns.

• "Third Party" means any individual or entity other than:

  • a payment processor, laboratory, insurance company, insurance verification provider, hospital, or healthcare provider that Respondent has contractually obligated to limit the use and retention of Health Information to that which is directed by the individual who is identifiable by the Health Information;
  • an individual or entity to which Respondent discloses Health Information consistent with the Health Information Portability and Accountability Act (“HIPAA”) of 1996, Pub. L. 104-191, 110 Stat. 1936, to the extent that HIPAA applies to the Health Information;
  • a Covered Service Provider;
  • an individual or entity to which Respondent discloses Health Information at the written direction of a customer who has obtained consent for that disclosure from the individual who is identifiable by the Health Information; or
  • an entity that purchases assets that include Health Information collected by Respondent, provided, however, that Health Information is not sold to the purchasing entity as a stand-alone asset, Respondent does not sell any Health Information to more than one purchasing entity, and the purchasing entity agrees by contract with the selling entity to be bound by:
    • Respondent’s privacy policy in effect when such Health Information was collected and agrees to obtain Affirmative Express Consent of the individual who is identifiable by the Health Information before applying to the Health Information any policies or practices that are material changes from such privacy policy; and
    • the requirements set forth in Provision II of this Order, including the exclusions set forth within this definition.

Provisions

I. Prohibition against Misrepresentations

IT IS ORDERED that Respondent; Respondent’s officers, agents, and employees; and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with any product or service, must not misrepresent in any manner, expressly or by implication:

• The extent to which Respondent meets or exceeds industry-standard security or privacy practices;
• The extent to which Respondent stores any Health Information with any other element of Personal Information;
• The extent to which, or the purposes for which, Respondent collects, uses, discloses, maintains, deletes, or destroys a consumer’s:
  • physical DNA sample or
  • Personal Information upon request;
• The extent to which Respondent is a member of, adheres to, complies with, is certified by, or otherwise participates in any privacy or security program sponsored by a government entity or any third party, including any self-regulatory or standard-setting organization;
• The extent to which Respondent otherwise protects the privacy, security, availability, confidentiality, or integrity of Personal Information; or
• The extent to which Respondent has received approval or authorization for its claims, products, or services from any government agency.

II. Affirmative Express Consent for Disclosure of Health Information to Third Parties

IT IS FURTHER ORDERED that Respondent; Respondent’s officers, agents, and employees; and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, shall not, unless required by law, disclose to any Third Party any Health Information unless Respondent obtains the Affirmative Express Consent of the individual who is identifiable by the Health Information.

III. Destruction of Saliva Samples

IT IS FURTHER ORDERED that, on or before thirty (30) days after the issuance of this Order, Respondent and Respondent’s officers, agents, and employees must:

• Instruct any laboratory that collected physical DNA saliva samples pursuant to a contract with Respondent to destroy any such sample that the laboratory has retained for more than 180 days after Respondent accepted the results of the laboratory’s analysis of the sample; and
• Provide a written statement to the Commission, sworn under penalty of perjury, confirming that Respondent has given such instructions, and append to that statement true and correct copies of any such written instructions.

IV. Mandated Information Security Program

IT IS FURTHER ORDERED that Respondent, and any business that Respondent controls directly, or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Personal Information, must, within sixty (60) days of issuance of this order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Personal Information. To satisfy this requirement, Respondent must, at a minimum:

• Document in writing the content, implementation, and maintenance of the Information Security Program;
• Provide the written program and any evaluations thereof or updates thereto to Respondent’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondent responsible for Respondent’s Information Security Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;
• Designate a qualified employee or employees to coordinate and be responsible for the Information Security Program;
• Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the:
  • unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Personal Information; or
  • misuse, loss, theft, alteration, destruction, or other compromise of Personal Information;
• Design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the security, confidentiality, or integrity of Personal Information identified in response to the risk assessment. Each safeguard must be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in:
  • unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Personal Information; or
  • misuse, loss, theft, alteration, destruction, or other compromise of Personal Information.
  Such safeguards must also include:
  • Policies, procedures, and technical measures to systematically inventory Personal Information in Respondent’s control;
  • Policies, procedures, and technical measures to log and monitor access to repositories of Personal Information in Respondent’s control;
  • Data access controls for all repositories of Personal Information in Respondent’s control, such as:
    • restricting inbound connections to approved IP addresses, and
    • requiring authentication to access them;
  • Encryption, or at least equivalent protection, of all Health Information in Respondent’s control that is reasonably linkable to an individual consumer, computer, or device, including in transit and at rest. If Respondent uses equivalent protection rather than encryption, it must be reviewed and approved by the qualified employee(s) responsible for the Information Security Program;
• Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results;
• Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, and modify the Information Security Program based on the results. Testing and monitoring must include:
  • vulnerability testing of Respondent’s network(s) once every four (4) months and promptly (not to exceed thirty (30) days) after a Covered Incident, and
  • penetration testing of Respondent’s network(s) at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;
• Select and retain service providers capable of safeguarding Personal Information they access through or receive from Respondent, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Personal Information; and
• Evaluate and adjust the Information Security Program in light of any changes to Respondent’s operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified, or any other circumstances that Respondent knows or has reason to know may impact the effectiveness of the Information Security Program. At a minimum, Respondent must evaluate the Information Security Program at least once every twelve (12) months and modify it based on the results.

V. Information Security Assessments by a Third Party

IT IS FURTHER ORDERED that, in connection with compliance with Provision IV of this Order, titled Mandated Information Security Program, Respondent must obtain initial and biennial assessments (“Assessments”):

• The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who:

  • uses procedures and standards generally accepted in the profession;
  • conducts an independent review of the Information Security Program; and
  • retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission.

  The Assessor may not withhold any documents from the Commission on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory protection, or any similar claim.

• For each Assessment, Respondent must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in her or his sole discretion.

• The reporting period for the Assessments must cover:

  • the first 180 days after the issuance date of the Order for the initial Assessment; and
  • each two-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.

• Each Assessment must, for the entire assessment period:

  • Determine whether Respondent has implemented and maintained the Information Security Program required by Provision IV of this Order, titled Mandated Information Security Program;
  • Assess the effectiveness of Respondent’s implementation and maintenance of the sub-Provisions;
  • Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program;
  • Address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and
  • Identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is appropriate for assessing an enterprise of Respondent’s size, complexity, and risk profile, and is sufficient to justify the Assessor’s findings.

  No finding of any Assessment shall rely primarily on assertions or attestations by Respondent’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondent’s management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondent revises, updates, or adds one or more safeguards required under Provision IV of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.

• Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondent must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re 1Health.io Inc., FTC File No. 1923170.”

Respondent must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure until the order is terminated and must provide each such Assessment to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.

VI. Cooperation with Third-Party Information Security Assessor

IT IS FURTHER ORDERED that Respondent, whether acting directly or indirectly, in connection with any Assessment required by Provision V of this Order, titled Information Security Assessments by a Third Party, must:

• Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.

• Provide or otherwise make available to the Assessor information about Respondent’s network(s) and all of Respondent’s IT assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s) and IT assets deemed in scope.

• Disclose all material facts to the Assessor and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s:

  • determination of whether Respondent has implemented and maintained the Information Security Program required by Provision IV of this Order, titled Mandated Information Security Program;
  • assessment of the effectiveness of the implementation and maintenance of sub-Provisions IV.A-I; or
  • identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.

VII. Annual Certification

IT IS FURTHER ORDERED that Respondent must:

• One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondent responsible for Respondent’s Information Security Program that:

  • Respondent has established, implemented, and maintained the requirements of this Order;
  • Respondent is not aware of any material noncompliance that has not been corrected or disclosed to the Commission; and
  • includes a brief description of all Covered Incidents during the certified period.

  The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.

• Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: "In re 1Health.io Inc., FTC File No. 1923170."

VIII. Covered Incident Reports

IT IS FURTHER ORDERED that, within:

• Ten (10) days of any notification to a United States federal, state, or local government entity of a Covered Incident; or
• Ten (10) business days of discovery that individually identifiable Health Information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization,

Respondent must submit a report to the Commission. The report must include, to the extent possible:

• The date, estimated date, or estimated date range when the Covered Incident occurred.
• A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known.
• A description of each type of information that was affected by the Covered Incident.
• The number of consumers whose information was affected by the Covered Incident.
• The acts that Respondent has taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident.
• A representative copy of any materially different notice sent by Respondent to consumers or to any U.S. federal, state, or local government entity.

Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:

Associate Director for Enforcement
Bureau of Consumer Protection
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580

The subject line must begin: “In re 1Health.io Inc., FTC File No. 1923170.”

IX. Monetary Relief

IT IS FURTHER ORDERED that:

• Respondent must pay to the Commission $75,000.
• Such payment must be made within eight (8) days of the effective date of this Order by electronic fund transfer in accordance with instructions provided by a representative of the Commission.

X. Additional Monetary Provisions

IT IS FURTHER ORDERED that:

• Respondent relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
• The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its rights to any payment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.
• The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalf of the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.
• All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other relief (including consumer information remedies) as it determines to be reasonably related to Respondent’s practices alleged in the Complaint. Any money not used is to be deposited to the U.S. Treasury. Respondent has no right to challenge any activities pursuant to this Provision.
• In the event of default on any obligation to make payment under this Order, interest, computed as if pursuant to 28 U.S.C. § 1961(a), shall accrue from the date of default to the date of payment. In the event such default continues for ten (10) days beyond the date that payment is due, the entire amount will immediately become due and payable.
• Each day of nonpayment is a violation through continuing failure to obey or neglect to obey a final order of the Commission and thus will be deemed a separate offense and violation for which a civil penalty shall accrue.
• Respondent acknowledges that its Taxpayer Identification Numbers (Social Security or Employer Identification Number), which Respondent has previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. § 7701.

XI. Customer Information

IT IS FURTHER ORDERED that Respondent must directly or indirectly provide sufficient customer information to enable the Commission to efficiently administer consumer redress to all Covered Customers. Respondent represents that it has provided this redress information to the Commission. If a representative of the Commission requests in writing any information related to redress, Respondent must provide it, in the form prescribed by the Commission representative, within fourteen (14) days.

XII. Acknowledgments of the Order

IT IS FURTHER ORDERED that Respondent obtain acknowledgments of receipt of this Order:

• Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
• For twenty (20) years after the issuance date of this Order, Respondent must deliver a copy of this Order to:
  • all principals, officers, directors, and LLC managers and members;
  • all employees, agents, and representatives having managerial responsibilities for conduct related to the subject matter of the Order; and
  • any business entity resulting from any change in structure as set forth in the Provision titled Compliance Report and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
• From each individual or entity to which Respondent delivered a copy of this Order, Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.

XIII. Compliance Reports and Notices

IT IS FURTHER ORDERED that Respondent make timely submissions to the Commission:

• Ninety (90) days after entry of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, describing in detail its compliance with Provision III of this Order, titled Destruction of Saliva Samples. The report shall include, for each laboratory that Respondent instructed to destroy physical DNA saliva samples, a statement setting forth in detail the laboratory’s response to Respondent, if any, including, but not limited to, whether the laboratory destroyed such saliva samples and, if not, why the laboratory did not destroy such saliva samples, to the extent that the laboratory provided such information to Respondent.
• One year after the issuance date of this Order, Respondent must submit a compliance report, sworn under penalty of perjury, in which Respondent must:
  • Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent.
  • Identify all of Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses.
  • Describe the activities of each business, including the goods and services offered, what Personal Information is collected, and the means of advertising, marketing, and sales.
  • Describe in detail whether and how Respondent is in compliance with each Provision of this Order, including a discussion of all of the material changes Respondent made to comply with the Order.
  • Provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.
• Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following:
  • Any designated point of contact.
  • The structure of Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
  • Ownership of Respondent’s assets where such assets include Health Information, even if such change in ownership does not otherwise require the submission of a compliance notice.
• Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Respondent within fourteen (14) days of its filing.
• Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: "I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: " and supplying the date, signatory’s full name, title (if applicable), and signature.
• Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to:

Associate Director for Enforcement
Bureau of Consumer Protection
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580

The subject line must begin: "In re 1Health.io Inc., FTC File No. 1923170."

XIV. Recordkeeping

IT IS FURTHER ORDERED that Respondent must create certain records for twenty (20) years after the issuance date of the Order, and retain each such record for five (5) years, unless otherwise specified below. Specifically, Respondent must create and retain the following records:

• Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss.
• Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name, addresses, telephone numbers, job title or position, dates of service, and (if applicable) the reason for termination.
• Copies or records of all consumer complaints and refund requests concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response.
• A copy of each widely disseminated representation by Respondent that describes the extent to which Respondent maintains or protects the privacy, security, availability, confidentiality, or integrity of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondent that relates to privacy, security, availability, confidentiality, or integrity of Personal Information.
• A sample copy of each different document relating to any attempt by Respondent to obtain the Affirmative Express Consent of consumers and copies of any documents demonstrating such consent provided by consumers, as required by Part II of this Order.
• For five (5) years after the date of preparation of each Assessment required by this Order, all materials and evidence that the Assessor considered, reviewed, relied upon, or examined to prepare the Assessment, whether prepared by or on behalf of Respondent, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Respondent’s compliance with related Provisions of this Order, for the compliance period covered by such Assessment.
• All records necessary to demonstrate full compliance with each Provision of this Order, including all submissions to the Commission.

XV. Compliance Monitoring

IT IS FURTHER ORDERED that, for the purpose of monitoring Respondent’s compliance with this Order:

• Within ten (10) days of receipt of a written request from a representative of the Commission, Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.
• For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Respondent. Respondent must permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.
• The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondent or any individual or entity affiliated with Respondent, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.