(COLUMBUS, Ohio) — Ohio and Pennsylvania have negotiated agreements with DNA Diagnostics Center – a Fairfield, Ohio, company that provides paternity and other DNA testing – over a 2021 data breach that compromised the personal information of more than 45,000 consumers in the two states.

“Negligence is not an excuse for letting consumer data get stolen,” said Ohio Attorney General Dave Yost, whose office investigated the problems jointly with the office of Pennsylvania Acting Attorney General Michelle Henry. “We’re proud to partner with Pennsylvania to ensure that citizens’ personal data stays private — which consumers rightly expect.”

The breach exposed the Social Security numbers and other personal data of roughly 33,000 Ohioans and 12,500 Pennsylvanians.

Under the agreement with Ohio, DNA Diagnostics must pay a $200,000 fine and institute a new cybersecurity program that meets industry standards.

DNA Diagnostics hired a third party to conduct data-breach monitoring. After detecting a breach in May 2021, the contractor repeatedly attempted to notify DNA Diagnostics through email, but company employees overlooked the emails for almost four months.

During those months, the attackers installed malware to the company’s network and extracted data. The stolen data wasn’t DNA Diagnostics’ customer data but, rather, data it had purchased from another company in order to expand its business portfolio.

The joint investigation by Ohio and Pennsylvania found DNA Diagnostics made unfair and deceptive statements about their cybersecurity and failed to employ reasonable measures to detect and prevent a data breach, unnecessarily exposing its consumers to harm.  

“The more personal information these criminals gain access to, the more vulnerable the person whose information was stolen becomes,” Acting Attorney General Henry said. “That’s why my office took action with the assistance of Attorney General Yost.”

As part of the negotiations with both states, the company must have its new cybersecurity program assessed by a certified third party and comply with the Consumer Sales Practices Act in any future collection, use and protection of personal information.

Consumers affected by any data breach should monitor their credit reports to protect themselves against identity theft. For details, visit www.AnnualCreditReport.com.

If you need assistance as an identity-theft victim or if you suspect a scam or an unfair business practice, contact the Ohio Attorney General’s Office at www.OhioProtects.org or 800-282-0515.

Hear from AG Yost:

“They didn’t check their email for four months. So they were actually alerted they had a security breach and could have done something…”

“We were prepared to go to court if we needed to. They realized that they hadn’t done well in this situation.”

“You should always watch your credit report and make sure there aren’t any unauthorized inquiries…”

MEDIA CONTACT:
Hannah Hundley: 614-906-9113

-30-