Ohio DNA Testing Company Alerts 2.1 Million People Concerning Breach of Personal Data

A DNA testing firm based in Ohio has recently announced a hacking incident that compromised the sensitive information of 2,102,436 people. DNA Diagnostics Center (DDC) said it discovered suspicious network activity on August 6, 2021, and confirmed that unauthorized persons accessed and obtained data files from an archived data store between May 24, 2021 and July 28, 2021.

According to the data breach investigation, the attackers exfiltrated files that contained full names, financial account numbers, debit/credit card numbers and CVV codes, platform account passwords, and Social Security numbers. The firm stated that genetic testing information was kept on another system that was not accessible to the hackers. No information connected to its current operations was exfiltrated during the cyberattack.

The database included backups created from 2004 to 2012 that were connected with a national genetic testing firm that DDC acquired in 2012. DDC stated that the legacy system accessed by the hackers was never used in DDC’s operations and has been inactive since 2012. DDC didn’t share the identity of the genetic testing firm that gathered the information. It is probable that the people impacted by the data breach are not aware that DDC was keeping their personal data.

DDC explained that files were copied from its systems and that it is working with third-party cybersecurity specialists to recover the stolen information and ensure the attackers don’t make any further disclosures. No ransomware was involved in the attack, but it appears that the attackers want payment to delete the information.

DDC said it is not aware of any actual or attempted misuse of patient data. However, as a preventative measure against identity theft and fraud, it is offering affected persons one year of credit monitoring and identity theft protection services via Experian.

Breach notification letters were mailed to affected persons in accordance with state regulations. DDC affirmed that the incident is not a reportable breach under the Health Insurance Portability and Accountability Act (HIPAA).