

An Ohio-based DNA testing company has reported to regulators that personal information of more than 2.1 million individuals contained in a legacy database was accessed and acquired in a hacking incident detected in August.

In a report filed to the Maine attorney general's office on Monday, Fairfield, Ohio-based DNA Diagnostics Center says more than 2.1 million individuals - including 225 Maine residents - were affected by an "external hacking" incident that occurred between May 24 and July 28 and involved an archived database containing personal information collected more than a decade ago.

In a breach notification statement, DDC says that on Aug. 6, it detected a potential security incident on its network, during which there was unauthorized access and acquisition of an archived database containing personal information collected between 20.

"The impacted database was associated with a national genetic testing organization system that DDC acquired in 2012. This system has never been used in DDC's operations and has not been active since 2012," DDC says.

Social Security Numbers Compromised

DDC says its investigation, which was completed Oct. 29, determined that unauthorized actors potentially removed "certain" files and folders from portions of its legacy database.

Affected individuals may have had information, including their Social Security numbers or payment information, compromised in the incident, the company says.

Upon discovery of the incident, DDC says it "contained and secured the threat," notified law enforcement authorities and worked with third-party cybersecurity professionals in the investigation.

"DDC has been and remains fully operational, and the systems and databases that are actively used by DDC were not infiltrated," the company says.

DDC's website shows that the company offers a wide variety of DNA and related testing services, including paternity, ancestry, fertility, genotyping and pet DNA testing. The company also offers a variety of COVID-19 tests.

The company is offering affected individuals 12 months of complimentary credit monitoring services.

In a statement provided to Information Security Media Group, DDC says: "Though DDC maintains stringent security standards to ensure the safety of our systems, cybersecurity incidents have unfortunately become very common in today's business environment."

The company adds: "Ensuring the safety and security of the personal information entrusted to DDC remains the company's primary responsibility, and DDC continues to work with third-party experts to harden its cybersecurity defenses. To date, DDC is not aware of any reports of identity fraud or improper use of information as a result of this incident. DDC has also coordinated closely with law enforcement following the discovery of this incident."

DDC says its incident is not a reportable HIPAA breach.

Some experts say a data security incident involving any DNA testing firm could trigger various regulatory issues, but not necessarily HIPAA.

"HIPAA would be implicated only to the extent that this entity is covered by HIPAA, and many genetic testing entities are direct-to-consumer and not covered by HIPAA, because they do not bill health insurance companies for their testing," says privacy attorney Iliana Peters of the law firm Polsinelli. "This could, however, be an issue for the Federal Trade Commission," she adds.

Regulatory attorney Paul Hales of Hales Law Group offers a similar assessment. "This is one of the significant dangers posed by organizations that maintain protected health information but are not subject to HIPAA," he notes. "Accordingly, they do not conduct a HIPAA risk analysis or maintain the privacy and security policies and procedures that could enable them to discover security vulnerabilities and prevent breaches."

Additionally, due diligence with regard to confidential, proprietary and sensitive data is key when a company buys or sells an entity, including only the assets of an entity, Peters says. "Given our current environment of significant threats to data, a thorough due diligence process related to data and its security is essential as part of any transaction," Peters says.
