What 23andMe’s Bankruptcy Means for Genetic Data Security
What happens to customer data now? Genetic expert weighs in on privacy risks.
Complete the form below to unlock access to ALL audio articles.
The popular direct-to-consumer genetic testing (DTC-GT) company 23andMe announced it has filed for bankruptcy, leaving customers with questions about how best to protect their data.
23andMe files for bankruptcy
23andMe was founded in 2006 by Anne Wojcicki, Linda Avey and Paul Cusenza. One of the first companies to offer ancestral information from a saliva-based DNA test, it quickly grew in popularity and value – 23andMe was worth a whopping $6 billion after going public in 2021.
The company suffered a data breach in 2023 where approximately 14,000 customer accounts were accessed through credential stuffing. This is a type of cyberattack where hackers harness the fact that many users use the same credentials across different online accounts. The attackers gained access to information from ~5.5 million relative profiles and ~1.4 million family tree profiles.
23andMe settled a lawsuit in September 2024 in which it was alleged to have failed to protect the privacy of its customers whose information was accessed in the 2023 data breach. Mark Jensen, chair and member of the company’s Special Committee of the Board of Directors, said 23andMe has been facing operational and financial challenges in a statement about the bankruptcy.
Want more breaking news?
Subscribe to Technology Networks’ daily newsletter, delivering breaking science news straight to your inbox every day.
Subscribe for FREE“After a thorough evaluation of strategic alternatives, we have determined that a court-supervised sale process is the best path forward to maximize the value of the business,” Jensen added.
Many 23andMe customers are now questioning what will happen to their data. Technology Networks turned to genetics expert Professor Yann Joly, director of the Centre of Genomics and Policy at McGill University, to find out. Joly is also a James McGill Professor in the Faculty of Medicine and Health Sciences and an associate member of both the Bioethics Unit and at the Law Faculty at McGill.
Genetic data is a rich source of personal information
When a customer submits their data to 23andMe, how is it usually handled? “Typically, a sample is processed, and a report is drafted for a customer. While the company’s privacy policy explains that 23andMe uses different modes of physical technical procedures to keep a client’s data secure, it is vague as to how long a person’s sample will be stored,” explained Joly.
“It is possible that a person’s sample can be stored indefinitely in the company’s biobank (in the US), but what happens to a person’s data depends upon the consent a consumer provided to 23andMe for data usage. For those who have opted out of biobanking and research agreements, their data should be destroyed following initial processing and analysis. For those who initially opted in, the option to withdraw consent remains.”
This approach is very different compared to medical genetic testing, where a sample is destroyed once it has been processed and analyzed. “It is also different in that a report is drafted for a physician and goes to the physician and not necessarily the consumer themselves,” Joly said.
He added that, for DTC-GT customers, there are data protection laws that apply to their data, regardless of the country they are in.
But what happens if the company files for bankruptcy, like 23andMe?
“Beyond the protection granted by applicable US data privacy laws, it is the contractual privacy policy of the company that is most important to consider in this case,” Joly said. “While the privacy policy of 23andMe is among the better ones for a DTC-GT company, certain terms are formulated permissibly, and a subsequent buyer, even if bound to this policy, could interpret the agreement differently.”
In its statement announcing the bankruptcy, 23andMe said that “any buyer will be required to comply with applicable law with respect to the treatment of customer data”.
“While it is likely that the subsequent company will abide by this agreement, it is still advisable that a person request destruction of their sample,” Joly said.
This is because, in Joly’s opinion, while the risk is not huge, why take any unnecessary risk, given the unknown identity and dispositions of the future buyer?
The data breach and bankruptcy situation have brought to light the importance of customers being fully informed before agreeing to share their data. Joly noted that, typically, the general public are not aware of the privacy policies within DTC-GT companies.
“Most privacy policies are long, and people do not always read them. While the company’s policy is fairly clear, in general a person should be careful when granting a consumer testing company permission to retain their data or biological sample,” Joly said.
“Genetic data is a rich source of personal information, some of it – such as disease predisposition – is sensitive,” he concluded.
About the interviewee
Dr. Yann Joly (DCL), FCAHS, Ad.E., is the director of the Centre of Genomics and Policy at McGill University. He is a James McGill Professor at the Faculty of Medicine and Health Sciences, Department of Human Genetics. Joly is also an associate member of the Bioethics Unit and at the Law Faculty at McGill. He has a secondary appointment as adjunct professor at Yonsei University in South Korea. Joly was named advocatus emeritus by the Quebec Bar in 2012 and Fellow of the Canadian Academy of Health Sciences in 2017. Joly’s research interests lie at the interface of the fields of scientific knowledge, health law (biotechnology and other emerging health technologies) and bioethics.
