On February 17, 2023, the state attorneys general of Pennsylvania and Ohio reached a settlement with Ohio-based DNA Diagnostics Center (“DDC”) for a 2021 data breach that affected 2.1 million individuals nationwide and resulted in a breach of the personal information of nearly 46,000 patients. The hacking incident involved legacy data from databases that were not in business use, but that DDC had acquired as part of an acquisition in 2012. As part of the settlement deal, DDC will pay a fine totaling $400,000. The company will also implement heightened data security measures, including updating the asset inventory of its network and disabling or removing data deemed unnecessary for any legitimate business purpose.

This settlement further indicates that companies that process genetic data, health information, and other sensitive categories of information are going to continue to catch the eye of regulators for data breaches, especially if these breaches are the result of outdated security practices. In addition to state AGs, companies regulated by the Health Insurance Portability and Accountability Act (HIPAA) need to be aware of potential enforcement by the Department of Health and Human Services. And all companies need to be paying attention to FTC enforcement in this space, especially in light of its recent enforcement action against GoodRx. Businesses that process sensitive personal information in the ordinary course of business should proactively review and update their security practices to mitigate their potential risk of a security incident (as well as a subsequent regulatory investigation).

This settlement also highlights the importance of safeguarding legacy data. Organizations storing protected health information and other sensitive personal information should conduct risk analyses and comprehensive due diligence of legacy databases, along with monitoring databases actively in use. Companies should also review and revise their data retention and disposal policies as needed to limit their relevant risk.

We have provided a summary of the incident and settlement as well as critical considerations below. Please feel free to reach out to us with any questions you may have.

DDC’s Data Breach

DDC is one of the largest private DNA testing laboratories in the United States. The affected databases contained sensitive information of over 2 million individuals who had received DNA testing services between 2004 and 2012, including names, social security numbers, and payment information. DDC had acquired these databases from Orchid Cellmark in 2012. This data had been archived as was not used for any business purpose. According to DDC, the company was unaware that this data had been inadvertently transferred as part of the acquisition.

DDC discovered the data breach that prompted the investigation on August 6, 2021, when the company detected suspicious activity in some of its archived databases. The internal investigation concluded that the databases had been subject to unauthorized access between May 24 and July 28, 2021. An unauthorized third party had logged in via VPN on May 24 using a DDC account, having harvested credentials from a domain controller that provided password information for each account in the network. Using a test account with administrator privileges, the hacker installed the malware Cobalt Strike to exfiltrate the data over the course of two months. 5 servers that contained backups of 28 databases were compromised in the incident. In September 2021, the threat actor demanded payment from DDC for the return and deletion of the stolen data and payment was made.

According to court documents, prior to the data breach, a third-party data breach monitoring vendor had detected the breach and attempted to notify DDC of suspicious activity. The attempts to alert the company had been overlooked by company employees for nearly two months.

Alleged Violations and Settlement Terms

The states’ attorneys general investigation concluded that DDC engaged in deceptive or unfair cybersecurity practices by making material misrepresentations in its privacy policy regarding its safeguarding of consumers’ personal information, which left consumers’ personal data vulnerable to unauthorized access.

In addition to the fine, the settlement requires DDC to maintain reasonable security policies to protect consumer personal information. DDC will also ensure timely software updates, penetration-testing of its networks, and implementation of reasonable access controls such as multi-factor authentication. Particularly regarding legacy systems, DDC will conduct annual security risk assessments of its networks and disable or remove any assets not necessary for any legitimate business purpose.

Key Considerations for Companies

Any organization maintaining sensitive user information should keep the following considerations in mind:

1. Monitor legacy systems – Legacy systems can pose data security risks both for covered and non-covered entities. This incident underscores the importance of organizations managing health data to include legacy systems in their enterprise risk assessments. During mergers and acquisitions, organizations must monitor the data being transferred between entities. Inventory assessment and penetration testing should capture not only active databases, but inactive ones, as well. Companies should ensure that legacy systems are properly secured. Unnecessary data should be removed from databases to eliminate risk of unauthorized access.
2. Pay attention to breach monitoring – Companies should ensure that employees take seriously any notification of potential breach activity. Such notifications should be shared in a timely manner with appropriate individuals at the company so that appropriate action can be taken quickly.
3. Update relevant policies and procedures – Companies should review their relevant policies and procedures, including those related to data disposal and retention, to ensure that they are not creating additional risk for themselves by having outdated protocols.