The recent Chapter 11 bankruptcy filing by genetic testing company 23andMe has raised serious concerns about the privacy and security of the DNA data of millions of users. Founded in 2006, 23andMe has long been a leader in consumer genetic testing, offering individuals insights into their predisposition to various diseases and the possibility of connecting with unknown relatives. However, with the company now seeking buyers in bankruptcy proceedings, the sale of this genetic data has become a source of alarm for privacy advocates and experts.
Many users trusted 23andMe with some of their most sensitive personal information, their DNA. However, as the company faces financial struggles, privacy experts warn that the future handling of this data may be far less secure. Tazin Khan, CEO of the nonprofit Cyber Collective, which promotes privacy and cybersecurity for marginalised groups, expressed deep concern about the potential consequences. “Folks have absolutely no say in where their data is going to go,” she said. “How can we be so sure that the downstream impact of whoever purchases this data will not be catastrophic?”
The sale of genetic information is particularly troubling because DNA data is uniquely sensitive. Unlike passwords, Social Security numbers or even addresses, DNA is immutable. People cannot change their DNA if it falls into the wrong hands, and its misuse could have lasting consequences. Although the company’s spokesperson reassured customers that 23andMe would continue to store data securely and in compliance with U.S. law, many remain sceptical.
The lack of comprehensive federal privacy laws in the U.S. contributes to the anxiety surrounding the potential sale of genetic data. Andrew Crawford, an attorney at the nonprofit Centre for Democracy and Technology, pointed out that there is very little federal regulation governing genetic data when it is held by technology companies. He noted that while the Health Insurance Portability and Accountability Act (HIPAA) offers protections for health data, it largely applies only to data held by medical professionals or insurance companies. Genetic data in the hands of tech companies like 23andMe falls outside the scope of these protections, leaving users vulnerable.
“Americans’ medical data faces less legal scrutiny when it is held by tech companies rather than by medical professionals,” Crawford explained. This gap in regulatory oversight has led to calls for stronger privacy protections for consumers, particularly as the use of biometric data, such as DNA, becomes more widespread.
The potential risks posed by the sale of DNA data extend beyond individual users. In some cases, genetic testing data has been subpoenaed by law enforcement agencies to aid in criminal investigations. While this data has occasionally helped solve crimes, privacy advocates worry about the potential for abuse. DNA information could be used not only to track individuals but also to identify their relatives. Emily Tucker, executive director of Georgetown Law’s Centre on Privacy and Technology, highlighted the broader implications. “This involves significant risks not only for the individual who submits their DNA but for everyone to whom they are biologically related,” she said.
23andMe has already experienced a significant breach of its data security. In 2023, a hacker gained access to the personal information of around 6.9 million users, nearly half of the company’s customer base at the time. The breach, which included the unauthorised release of genetic data belonging to people with Ashkenazi Jewish heritage, was a sobering reminder of the dangers of storing such sensitive information. Following the breach, 23andMe pledged to continue prioritising user data protection. However, the bankruptcy filing has reignited fears that data security may be compromised.
In response to the news, California Attorney General Rob Bonta issued a public warning urging users to take steps to protect their genetic data. In his statement, Bonta provided instructions on how users can delete their data from 23andMe’s database, request the deletion of their test samples, and revoke permission for their data to be used in third-party research studies. While these measures offer some recourse for concerned users, they do little to alleviate the larger problem of how personal data is handled by technology companies.
The sale of 23andMe's data should serve as a wake-up call for consumers about the potential risks involved in sharing personal information with corporations. Many users may not realise that when they submit their DNA to companies like 23andMe, they are placing their genetic privacy in the hands of the company’s data policies, which can be subject to change at any time.
As genetic testing becomes increasingly popular and companies like 23andMe continue to accumulate vast amounts of sensitive data, it is essential that stronger regulations be put in place to protect consumers. Without meaningful privacy laws, the risk of data being sold or misused will remain a significant concern, not just for individuals but for entire families.
In the meantime, users are encouraged to remain vigilant about how their personal information is stored and used. The story of 23andMe’s bankruptcy is a stark reminder of the importance of privacy in an age where personal data has become a commodity.