DNA Diagnostics Center, a DNA testing company, will pay a penalty of $400,000 to the attorneys general of Pennsylvania and Ohio for a data breach in 2021 that affected 2.1 million individuals nationwide, according to a settlement deal with the states’ attorneys general. 

The company will also be required to implement improvements to its data security, including updating the asset inventory of its entire network and disabling or removing any assets identified that are not necessary for any legitimate business purpose.

Founded in 1995, DNA Diagnostic Center is a private DNA-testing company that offers diagnostic and genetic tests to help answer relationship, fertility, and health and wellness questions. 

The forgotten legacy data

DNA Diagnostics Center’s hacking incident involved legacy data from Orchid Cellmark, which the company had acquired in 2012 to expand its business portfolio. “Specifically, the breach involved databases that were not used for any business purpose, but were provided to DNA Diagnostic Center as part of a 2012 acquisition of Orchid Cellmark,” the settlement agreement said. 

DNA Diagnostic Center claimed that the breach impacted databases containing sensitive personal information, and that the data was accidentally transferred to the company without its knowledge. “DDC asserts it was not aware that these legacy databases existed in its systems at the time of the Breach — more than nine years after the acquisition,” the settlement agreement noted. 

“Negligence is not an excuse for letting consumer data get stolen,” Ohio Attorney General Dave Yost said in a statement. 

The stolen data was collected between 2004 and 2012. The joint investigation by Ohio and Pennsylvania found DNA Diagnostics Center made unfair and deceptive statements about its cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, exposing its consumers to harm. 

The breach exposed the social security numbers and other personal data of about 33,300 consumers in Ohio, and about 12,600 in Pennsylvania. DNA Diagnostics Center will pay a $200,000 HIPAA fine to Ohio and a $200,000 HIPAA penalty to Pennsylvania.

A two-month delay in action

DNA Diagnostic Center was alerted of suspicious activity by its third-party data breach monitoring vendor but the alerts were overlooked by the company. “The contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for over two months,” the settlement agreement said.

During this time period, the attackers installed Cobalt Strike malware in the company’s network and extracted data. 

Investigations revealed that the threat actor logged into a virtual private network on May 24, 2021 using a DNA Diagnostic Center user account and harvested active directory credentials from a domain controller that provided password information for each account in the network. 

The settlement agreement also noted that when the threat actor initially accessed the VPN, DNA Diagnostic Center had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access. 

On June 16, 2021, the threat actor used a test account that had administrator privileges to create a persistence mechanism that executed Cobalt Strike throughout the environment.

Between July 7, 2021, and July 28, 2021, the threat actor accessed five servers and collectively backed up a total of 28 databases from the servers using a decommissioned server. 

In September 2021, the threat actor contacted the company and demanded payment. The company made the payment to the hacker in exchange for the deletion of stolen data, the settlement agreement noted. 

Terms of settlement

The settlement requires DNA Diagnostics Center to maintain reasonable security policies designed to protect consumer personal information. It also requires the lab to designate an employee to coordinate and supervise its information security program. 

The DNA testing company will also have to conduct security risk assessments of its networks that store personal information annually, maintain an updated asset inventory of the entire network and disable or remove any assets identified that are not necessary for any legitimate business purpose. 

The company will have to design and implement reasonable security measures for the protection and storing of personal information, including timely software updates, penetration-testing of its networks, and implementation of reasonable access controls such as multi-factor authentication, and detect and respond to suspicious network activity within its network within reasonable means, the settlement statement added.