DNA-testing service Vitagene Inc. left thousands of client health reports exposed online for years, the kind of incident that privacy advocates have warned about as gene testing has become increasingly popular.
More than 3,000 user files remained accessible to the public on Amazon Web Services cloud-computer servers until July 1, when Vitagene was notified of the issue and shut down external access to the sensitive personal information, according to documents obtained by Bloomberg. The genealogy reports included customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions, a review of the documents showed.
Vitagene said that the files dated from when the company was in “beta” testing and represented a small fraction of its customer base.
“We immediately opened an investigation and blocked access to the files,” Chief Executive Officer Mehdi Maghsoodnia said in an email. “We updated our security protocols in 2018 and have engaged an outside security firm to run external and internal penetration testing across our application.
Advocates say consumers may not understand the data privacy policies of at-home genealogy services. For example, 23andMe Inc. shares information from its clients with one of its investors, drug-maker GlaxoSmithKline Plc, to help develop new treatments and select patients for clinical trials. Law enforcement agencies have begun tapping DNA companies’ large databases to track down criminals, leading to last year’s capture of the Golden State Killer decades after the crimes. Companies also share DNA data to make a profit.