OOPS: DNA-testing service exposed thousands of customer records online

DNA-testing service Vitagene Inc. left thousands of client health reports exposed online for years, the kind of incident that privacy advocates have warned about as gene testing has become increasingly popular.

More than 3,000 user files remained accessible to the public on Amazon Web Services cloud-computer servers until July 1, when Vitagene was notified of the issue and shut down external access to the sensitive personal information, according to documents obtained by Bloomberg. The genealogy reports included customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions, a review of the documents showed.

Vitagene said that the files dated from when the company was in “beta” testing and represented a small fraction of its customer base.

“We immediately opened an investigation and blocked access to the files,” Chief Executive Officer Mehdi Maghsoodnia said in an email. “We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application. As a team we acknowledge our mistake and will keep ourselves accountable. We hope over time to prove that we are worthy of the trust that is given to us every day.”

Since 2014, closely held Vitagene has helped people craft diet and exercise plans that are molded to their biological traits, lifestyles and goals. The San Francisco-based company generates individualized reports of as many as 60 pages within four to six weeks of receiving DNA samples, then walks customers through health-risk factors and recommendations. Vitagene was co-founded by a doctor and a sales executive and says it intends to bring a genetic-based approach to wellness.

Advocates say consumers may not understand the data privacy policies of at-home genealogy services. For example, 23andMe Inc. shares information from its clients with one of its investors, drugmaker GlaxoSmithKline Plc, to help develop new treatments and select patients for clinical trials. Law enforcement agencies have begun tapping DNA companies’ large databases to track down criminals, leading to last year’s capture of the Golden State Killer decades after the crimes. Companies also share DNA data to make a profit.