DNA Test Firm: 2.1 Million Affected by Legacy Database HackCompromised Personal Information Was Collected More Than a Decade Ago
An Ohio-based DNA testing company has reported to regulators that personal information of more than 2.1 million individuals contained in a legacy database was accessed and acquired in a hacking incident detected in August.
In a report filed to the Maine attorney general's office on Monday, Fairfield, Ohio-based DNA Diagnostics Center says more than 2.1 million individuals - including 225 Maine residents - were affected by an "external hacking" incident that occurred between May 24 and July 28 and involved an archived database containing personal information collected more than a decade ago.
In a breach notification statement, DDC says that on Aug. 6, it detected a potential security incident on its network, during which there was unauthorized access and acquisition of an archived database containing personal information collected between 2004 and 2012.
"The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC’s operations and has not been active since 2012," DDC says.
Social Security Numbers Compromised
DDC says its investigation, which was completed Oct. 29, determined that unauthorized actors potentially removed "certain" files and folders from portions of its legacy database.
Affected individuals may have had information, including their Social Security numbers or payment information, compromised in the incident, the company says.
Upon discovery of the incident, DDC says it "contained and secured the threat," notified law enforcement authorities and worked with third-party cybersecurity professionals in the investigation.
"DDC has been and remains fully operational, and the systems and databases that are actively used by DDC were not infiltrated," the company says.
DDC's website shows that the company offers a wide variety of DNA and related testing services, including paternity, ancestry, fertility, genotyping and pet DNA testing. The company also offers a variety of COVID-19 tests.
The company is offering affected individuals 12 months of complementary credit monitoring services.
In a statement provided to Information Security Media Group, DDC says: "Though DDC maintains stringent security standards to ensure the safety of our systems, cybersecurity incidents have unfortunately become very common in today’s business environment."
The company adds: "Ensuring the safety and security of the personal information entrusted to DDC remains the company’s primary responsibility, and DDC continues to work with third-party experts to harden its cybersecurity defenses. To date, DDC is not aware of any reports of identity fraud or improper use of information as a result of this incident. DDC has also coordinated closely with law enforcement following the discovery of this incident."
DDC says its incident is not a reportable HIPAA breach.
Some experts say a data security incident involving any DNA testing firm could trigger various regulatory issues, but not necessarily HIPAA.
"HIPAA would be implicated, only to the extent that this entity is covered by HIPAA, and many, genetic testing entities are direct-to-consumer, and not covered by HIPAA, because they do not bill health insurance companies for their testing," says privacy attorney Iliana Peters of the law firm Polsinelli. "This could, however, be an issue for the Federal Trade Commission," she adds.
Regulatory attorney Paul Hales of Hales Law Group offers a similar assessment.
"This is one of the significant dangers posed by organizations that maintain protected health information but are not subject to HIPAA," he notes. "Accordingly, they do not conduct a HIPAA risk analysis or maintain the privacy and security policies and procedures that could enable them to discover security vulnerabilities and prevent breaches."
Additionally, due diligence with regard to confidential, proprietary and sensitive data is key when a company buys or sells an entity, including only the assets of an entity, Peters says.
"Given our current environment of significant threats to data, a thorough due diligence process related to data and its security is essential as part of any transaction," Peters says.
Legacy systems can pose potential data security risks for entities covered by HIPAA and those not covered alike, Peters notes.
"As such, enterprise risk assessments, known as 'risk analyses' under HIPAA, should include legacy systems, as well."
Any time data is potentially accessible from within a data environment, even if it is data at rest in some sort of legacy repository, that data should be protected with more than just perimeter- or access-based security, says Trevor Morgan, a manager with data security firm comforte AG.
"Data-centric security via tokenization can be applied to production data as well as to archived data no longer in day-to-day production use," he says. "The point is to protect that data at whatever point it enters your workflow or data ecosystem, and then maintain its protection throughout its entire life cycle."