The recent bankruptcy filing of 23andMe has sparked significant concerns regarding the privacy and security of the genetic data entrusted to the company by its 15 million customers. As 23andMe navigates financial turmoil, the fate of this sensitive information hangs in the balance, raising critical questions about data protection and consumer rights. As the company navigates financial instability, the big issue rising to the top is: the personal data is not protected by law.
This March 2025, 23andMe filed for Chapter 11 bankruptcy protection, initiating a court-supervised process to sell its assets, including extensive genetic databases. This development has alarmed both customers and privacy advocates, as the transfer of such intimate data to unknown entities poses significant privacy risks. Legal experts have highlighted the potential for customers' genetic information to end up with successor companies that may not uphold the same privacy standards, leading to possible misuse or unauthorized access.
The situation is further complicated by the absence of comprehensive federal regulations governing the protection of genetic data in the event of a company's bankruptcy. Unlike traditional healthcare providers bound by the Health Insurance Portability and Accountability Act (HIPAA), 23andMe operates under its own privacy policies, which can be altered at the company's discretion. Any purchaser would not have to adhere to prior privacy policies. This regulatory gap leaves consumers vulnerable, as their most personal information could be sold to the highest bidder without their explicit consent.
Adding to these concerns is 23andMe's history of data security issues. In October 2023, 23andMe experienced a significant data breach, compromising the personal and genetic information of approximately 7 million users. This incident underscores the potential risks associated with the storage and handling of sensitive genetic data, especially when a company faces financial instability. This incident not only exposed personal information but also led to a $30 million settlement to address the ensuing lawsuit. Such breaches highlight the vulnerabilities inherent in storing genetic data and underscore the potential risks customers face when entrusting their DNA information to third parties.
At the heart of the privacy risk is the extraordinarily sensitive nature of the data 23andMe holds. Unlike typical consumer information, genetic data is immutable, uniquely identifiable, and deeply personal; it can reveal predispositions to diseases, ancestral origins, biological relationships, and even behavioral traits. In addition to raw DNA sequences, 23andMe stores health reports, survey responses, user-generated family trees, and in some cases, consented data for research partnerships. Combined, this trove of information forms a comprehensive biological and behavioral profile that, if sold or exposed inappropriately, could be used by insurers, employers, or bad actors in ways that undermine an individual’s privacy, reputation, and even financial security. The risk extends beyond the individual: because DNA links family members, one person’s data can implicate relatives who never consented to such exposure.
Considering these developments, it is advisable that 23andMe customers consider deleting their data and request the destruction of any biological samples held by the company as soon as possible. This proactive measure aims to mitigate potential privacy risks associated with the uncertain future of the company's data assets. It is advisable to take this action before the court is asked to freeze removal of data as that is the most significant asset of the company.
Log into your 23andMe accounts and follow the company's procedures for data deletion. This typically involves navigating to account settings, selecting data preferences, and confirming the request to delete personal and genetic data. Additionally, customers should stay informed about any communications from 23andMe regarding changes to privacy policies or data handling practices during the bankruptcy proceedings.
The 23andMe bankruptcy serves as a stark reminder of the broader implications surrounding the management and protection of genetic data. As direct-to-consumer genetic testing becomes increasingly popular, it is imperative for consumers to be aware of the potential risks and to advocate for stronger regulatory safeguards to ensure the privacy and security of their most personal information.