23andMe bankruptcy sparks genetic data privacy concerns for its 15M customers

23andMe’s weekend bankruptcy filing has ignited concerns among consumers who provided the company with their genetic information and reignited discussions on data privacy among policymakers and security experts.

Among the genetic testing company’s assets is the genetic information of more than 15 million customers who had used its direct-to-consumer DNA tests, about 80% of whom also opted into their use for research purposes.

The company, which had gone public in early 2021, has used those data to support novel drug discovery programs through partnerships with drugmakers like longtime investor GlaxoSmithKline. More recent years had also found the company trying to pair its testing capabilities with other services like primary care, telehealth and population health.

“This isn't just a typical data set; it includes deeply sensitive, immutable biological data that can be tied to individuals and their families for generations,” said Ensar Seker, chief information security officer for data security and intelligence platform SOCRadar. “Unlike a password or credit card number, you can't change your DNA.”

Mark Jensen, 23andMe’s board chair, said in a statement that the company is “committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.”

The company’s assurances haven’t squelched concerns. Just ahead of the Chapter 11 filing, in response to questions over 23andMe’s solvency, California Attorney General Rob Bonta issued a consumer alert informing consumers of their right under state laws to direct the deletion of their genetic data or the revocation of permission for use in research. The notice also outlined step-by-step instructions for doing so.

The National Consumers League issued its own “urgent warning” on Tuesday morning. In it, the group’s vice president of public policy, telecommunications and fraud, John Breyault, said it “remains uncertain whether consumer protections and agreements will be upheld within the context of the bankruptcy proceedings.”

Numerous customers appear to have taken the warnings to heart. 23andMe’s login portal was sluggish, unresponsive and eventually went offline Monday, with a customer service chatbot telling users that the company was seeing a “high volume of inquiries and increased web traffic,” The Wall Street Journal reported. The users also told the publication they faced long customer service queues, difficulties with the company’s automated two-factor authentication and troubles downloading reports of their personal results.

“Data is the hottest commodity in healthcare right now, so it's no surprise that 23andMe's potential bankruptcy raises significant privacy concerns,” Siwar El Assad, chief information security officer of drug development platform QuantHealth, said. “In cybersecurity, we always tell teams to prepare for the worst-case scenario; people deleting their data and reacting to the bankruptcy filing is just consumers naturally protecting themselves.”

Genetic data sale brings risks and unknowns

The consensus is that the data 23andMe collected are not subject to the Health Insurance Portability and Accountability Act (HIPAA), the federal law outlining privacy and transfer protections for individuals’ health data, legal and security experts said.

Rather, the genetic data “are typically covered by consumer privacy laws” similar to those that apply to consumer health wearables and apps, explained Jordan Wrigley, data and policy analyst for health and wellness at the Future of Privacy Forum, a think tank.

That said, 23andMe could be subject to enforcement from the Federal Trade Commission if it doesn’t comply with the privacy promises it outlined to consumers in its terms and services, said Shannon Hartsfield, a partner at law firm Holland & Knight who advises clients on state and federal health regulatory matters.

Here, she pointed to a portion of the company’s online privacy statement that specifically addresses data sharing in the case of a bankruptcy, merger, acquisition, reorganization or sale of assets. It reads: “your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity. We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services.”

Chris Hauk, of the online privacy educational blog Pixel Privacy, noted that 23andMe’s collected data remain subject to California’s stricter privacy protection enforcement as it continues to operate during the course of its Chapter 11 proceedings.

“This means 23andme customers do still have time to request that the company delete all of their data, including their genetic data,” he said. “I strongly recommend that affected customers make a deletion request as soon as possible, to ensure that your data is not sold.”

Multiple experts reiterated that consumers should take action ahead of any sale. While 23andMe told its customers that any buyer “will be required to comply with applicable law with respect to the treatment of customer data,” a new owner may look to edit its terms and conditions in the wake of their purchase and work to convince consumers to opt in to the amended policy. Issues around consent, data retention and transfer during a bankruptcy can also become “especially” complicated if the buyer turns out to be a foreign entity or data broker, Seker said.

Cybersecurity practices are another concern, particularly as 23andMe had already faced a damaging data breach in 2023 (plus a subsequent lawsuit and settlement) where 6.9 million customers had their personal information exposed.

“If the company that takes over the data lacks good data security, there’s a possibility of breach,” I. Glenn Cohen, a bioethics and health law expert as well as a faculty director at Harvard Law School, said last week in a Harvard Gazette Q&A.

The handoff between 23andMe and a new owner is also a weak link in the cybersecurity chain, added Seker. If the parties can’t maintain proper safeguards and access controls “during this uncertain period, there’s a high risk” the data could be stolen and sold to commit fraud, blackmail, discriminatory practices and even to exploit national security.

“The bottom line is that 23andMe’s bankruptcy shouldn’t just be seen as a business failure. It’s a data stewardship crisis,” Seker said. “Regulators, privacy watchdogs and even national security agencies should step in to ensure that this dataset doesn’t fall into the wrong hands. Transparency, oversight and ethical responsibility are now more important than ever.”

As for 23andMe, El Assad said that “trust is non-negotiable.” The company will need to maintain compliance and communicate to customers that it is protecting their information, even amid financial distress, if it wants to fend off shifting consumer sentiment and, subsequently, deletions reminiscent of a bank run.

“In public privacy concerns, proactive security is more effective than reactive measures,” she said. “For 23andMe, it’s critical to reassure customers with a multi-layered security approach during any data transfer or sale. Transparency and maintaining robust protection mechanisms, especially following past breaches, are crucial. In cybersecurity, especially with sensitive genetic data, integrity and accountability aren't just guiding principles; they are imperatives.”

State, federal protections limited, but interest is growing

Though 23andMe is still subject to California’s consumer data privacy law, the concerns surrounding its bankruptcy underscore the inconsistent legislation in place from state to state. However, data privacy experts said the tide is shifting toward greater awareness of, and support for, these laws.

“Genetic data remains top of mind for U.S. policymakers, and we continue to see new state laws covering genetic data,” Corban Zweifel-Keegan, managing director of the International Association of Privacy Professionals, said.

“It is intrinsically sensitive and immutable so privacy laws, when they apply, generally treat it with the highest level of protection. For example, of the 19 states with comprehensive consumer privacy laws, all of them require opt-in consent to use genetic data, at least in certain circumstances,” he said.

Future of Privacy Forum’s Wrigley said that 23andMe and its data buyer would be subject to these existing laws, “including genetics-specific state laws, comprehensive privacy laws, health-focused laws and similar.”

Bearing in mind other consumer health products with a data component, such as wearables or apps, she added that “there is growing recognition that wellness and fitness data or health data that falls outside HIPAA's scope, including the sort of information that 23andMe collects, is sensitive and should be protected by strong safeguards.”

Still, efforts from lawmakers at the federal level to impose similar regulations have yet to reach the finish line. Bipartisan and bicameral draft legislation was introduced last year that aimed to hold companies accountable for strong data security and “eliminate[] the patchwork of state laws by setting one national privacy standard, stronger than any state.”

More recently, House lawmakers established a data privacy working group in February to explore a framework for similar legislation.

Sen. Bill Cassidy, M.D., R-Louisiana, in a post on X, said Monday afternoon that uncertainty over who will end up with millions of Americans’ DNA is “exactly why” he and Sen. Gary Peters, D-Michigan, introduced a bill focused on consumer genomic data deletion earlier this month.

“You should have control over your own DNA. Period,” Cassidy wrote.