DNA testing firm settles data breach case, Pa. attorney general says

A DNA testing firm that suffered a data breach in 2021, exposing Social Security numbers, will pay $400,000 in fines and implement better security practices, the attorneys general of Pennsylvania and Ohio announced Thursday.

DNA Diagnostics Center of Fairfield, Ohio, was alerted repeatedly by a contractor conducting data-breach monitoring beginning in May 2021, but the company overlooked the emails for nearly four months, according to the Ohio Attorney General’s Office.

The company publicly acknowledged that a breach had occurred later that year. A news report at the time said the breach affected the data of more than 2 million people.

Pennsylvania Attorney General Michelle A. Henry said the breach exposed the Social Security numbers of 12,663 Pennsylvanians who were subject to genetic testing between 2004 and 2012. Ohio Attorney General Dave Yost said the breach affected around 33,000 people in that state.

The 18-page settlement between the company and the two states said the stolen information was contained in databases acquired by DNA Diagnostics Center in a 2012 acquisition of Orchid Cellmark.

However, DNA Diagnostics claimed that databases were “inadvertently transferred” and that the company “was not aware that these legacy databases existed in its systems at the time of the [2021 breach] — more than nine years after the acquisition.”

Henry said DNA Diagnostics Center is one of the world’s largest private DNA testing companies offering diagnostic and genetic testing to help answer relationship, fertility, and health questions.

Under the settlement, the company will pay fines of $200,000 to each office of the attorney general and institute new cybersecurity practices that meet industry standards.

“Negligence is not an excuse for letting consumer data get stolen,” Yost said in a statement.

A representative for DNA Diagnostics Center could not be reached for comment.