The internal investigation concluded that the databases had been subject to unauthorized access between May 24 and July 28, 2021. According to DDC, the company was unaware that this data had been inadvertently transferred as part of the acquisition.ĭDC discovered the data breach that prompted the investigation on August 6, 2021, when the company detected suspicious activity in some of its archived databases. This data had been archived as was not used for any business purpose. DDC had acquired these databases from Orchid Cellmark in 2012. The affected databases contained sensitive information of over 2 million individuals who had received DNA testing services between 20, including names, social security numbers, and payment information.
#Dna diagnostics center full site free
Please feel free to reach out to us with any questions you may have.ĭDC is one of the largest private DNA testing laboratories in the United States. We have provided a summary of the incident and settlement as well as critical considerations below.
Companies should also review and revise their data retention and disposal policies as needed to limit their relevant risk. Organizations storing protected health information and other sensitive personal information should conduct risk analyses and comprehensive due diligence of legacy databases, along with monitoring databases actively in use. This settlement also highlights the importance of safeguarding legacy data.
#Dna diagnostics center full site update
Businesses that process sensitive personal information in the ordinary course of business should proactively review and update their security practices to mitigate their potential risk of a security incident (as well as a subsequent regulatory investigation). And all companies need to be paying attention to FTC enforcement in this space, especially in light of its recent enforcement action against GoodRx. In addition to state AGs, companies regulated by the Health Insurance Portability and Accountability Act (HIPAA) need to be aware of potential enforcement by the Department of Health and Human Services. This settlement further indicates that companies that process genetic data, health information, and other sensitive categories of information are going to continue to catch the eye of regulators for data breaches, especially if these breaches are the result of outdated security practices.
The company will also implement heightened data security measures, including updating the asset inventory of its network and disabling or removing data deemed unnecessary for any legitimate business purpose.
As part of the settlement deal, DDC will pay a fine totaling $400,000. The hacking incident involved legacy data from databases that were not in business use, but that DDC had acquired as part of an acquisition in 2012. On February 17, 2023, the state attorneys general of Pennsylvania and Ohio reached a settlement with Ohio-based DNA Diagnostics Center (“DDC”) for a 2021 data breach that affected 2.1 million individuals nationwide and resulted in a breach of the personal information of nearly 46,000 patients.
0 kommentar(er)
