EPIC Commends FTC’s Vitagene Genetic and Health Data Settlement

In comments to the Federal Trade Commission, EPIC commended the FTC for taking enforcement action against direct-to-consumer genetic testing company Vitagene for unfair and deceptive trade practices involving genetic and health information. Vitagene misrepresented the company’s data security and privacy practices and put sensitive consumer information at risk by storing Health Reports in publicly accessible Amazon S3 Datastore buckets for nearly two years.

EPIC urged the FTC to approve the proposed consent order and praised the definition of “Covered Incident” in the order because it includes situations in which consumer health information is “reasonably believed to have been” accessed or exposed publicly without authorization. EPIC encouraged the Commission to build on this concept of a cybersecurity incident in future Section 5 enforcement and through the Health Breach Notification Act, as it “reflects the understanding that cybersecurity enforcement should prevent data from being stored insecurely in the first place, not just retroactively address security breaches.”

EPIC regularly files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights. Additionally, EPIC has long advocated for health privacy safeguards. Recently, EPIC published an analysis of how a data minimization-focused commercial surveillance rule would shape the FTC’s health data privacy authority.