
Pennsylvania: AG announces $400,000 settlement with DNA Diagnostic Centre

The Pennsylvania Attorney General ('AG') announced, on 16 February 2023, that, together with the Ohio AG, it had entered into an Assurance of Voluntary Compliance (Case ID 230201521) with DNA Diagnostic Centre Inc. ('DNA Diagnostics'), under which the company agreed to pay the AGs $400,000 and to maintain reasonable security policies, in resolution of alleged violations of §§201-2(4)(v), 201-2(4)(vii), and 201-2(4)(xxi) of the Unfair Trade Practices and Consumer Protection Law ('the Unfair Trade Practices Law') following a data breach.

Background to the Assurance of Voluntary Compliance

In particular, the AGs reported that, beginning in May 2021, DNA Diagnostics had been notified of suspicious activity on its network several times over a two-month period, but did not activate its incident response plan until August 2021, when its data security provider informed it that there were indications of dangerous malware on its network. Further to this, the AGs noted that a third-party forensic report identified numerous security lapses that allowed the attacker to back up 28 databases and exfiltrate the data from DNA Diagnostics' network.

Findings of the AGs

Further to the above, the AGs found that, unbeknownst to DNA Diagnostics, the stolen databases, which had been acquired as part of its 2012 acquisition of Orchid Cellmark, contained the social security numbers of Pennsylvanians who had undergone genetic testing between 2004 and 2012, and determined that 12,663 individuals were affected.

In light of the foregoing, the AGs concluded that DNA Diagnostics had allegedly failed to employ reasonable data security measures to protect consumers' sensitive personal information, in violation of the Unfair Trade Practices Law.

Outcomes

To resolve the matter, and without the settlement constituting approval or sanction of DNA Diagnostics' practices, the AGs entered into an agreement requiring the company to pay each AG $200,000 and to maintain reasonable security policies designed to protect consumer personal information, including:

  • designating an employee to coordinate and supervise its information security program;
  • conducting security risk assessments of its networks that store personal information annually;
  • maintaining an updated asset inventory of the entire network and disabling and/or removing any assets identified that are not necessary for any legitimate business purpose;
  • designing and implementing reasonable security measures for the protection and storing of personal information, including timely software updates, penetration-testing of its networks, and implementation of reasonable access controls such as multi-factor authentication; and
  • detecting and responding to suspicious activity on its network within a reasonable time.
