Following its recent bankruptcy filing, the future of 23andMe users' genetic data is now uncertain. The personal genomics and biotechnology company's customers are concerned about the privacy of their DNA samples and personal information.
The company insists that its data storage, management, and protection practices will remain unchanged. However, privacy experts are urging users to delete their data as a precaution. They fear that a new owner or malicious hackers could exploit sensitive user data during this transition.
Cybersecurity specialist Adrianus Warmenhoven from NordVPN warns, "23andMe's situation highlights the critical importance of data privacy. Genetic information is an intensely personal biological record. In a bankruptcy, this data becomes a salable asset, potentially leading to significant repercussions."
23andMe initiated Chapter 11 bankruptcy proceedings on Sunday. Simultaneously, co-founder and CEO Anne Wojcicki resigned from her position. The company, headquartered in San Francisco, intends to sell off most of its assets as part of a court-approved restructuring.
Wojcicki's departure occurred shortly after the board rejected her proposal to take the company private.
Despite her resignation, Wojcicki plans to bid on 23andMe during the bankruptcy sale. She stated on social media that stepping down as CEO puts her in a better position to make an independent offer.
23andMe anticipates that Chapter 11 will streamline the company's sale process, attracting new ownership. The company aims to reduce its real estate holdings and has requested court approval to terminate lease agreements in various locations to save money. However, 23andMe plans to continue its operations throughout the bankruptcy.
The company emphasizes that user privacy and data security are key considerations in any potential transaction, and any acquirer must adhere to relevant data protection laws.
Experts caution that legal protections have limits, especially since the U.S. lacks comprehensive federal privacy laws, with only about 20 states having such regulations.
Security vulnerabilities are a concern as well. The instability caused by bankruptcy and potential layoffs could weaken data protection measures against cyberattacks. A previous data breach in 2023 compromised the genetic information of nearly 7 million customers, resulting in a $30 million settlement in a class-action lawsuit that accused 23andMe of failing to secure customer data.
Experts emphasize the unique sensitivity and value of DNA data.
David Choffnes, a computer science professor and cybersecurity expert at Northeastern University, explains, "Your DNA is fundamentally and uniquely you. Unlike a compromised email address, which can be replaced, your genetic code is irreplaceable."
23andMe states that it does not share data with insurers, employers, or public databases without consent, and it only cooperates with law enforcement when legally required. Choffnes acknowledges these protections but points out their limitations.
He added, "The company can still use your data for targeted advertising, and research shows that seemingly anonymous data can be re-identified. Even if they aren't directly sharing your personal data, third parties could piece together information based on the ads you're shown."
California Attorney General Rob Bonta issued a consumer alert ahead of 23andMe's bankruptcy filing, reminding users of their right to delete their data.
To delete your 23andMe data, log in to your account, navigate to the "settings," find the "23andMe Data" section at the bottom, click "View," download a copy if desired, then select "Permanently Delete Data." 23andMe will send a confirmation email with a link to finalize the deletion.
Users can also request the destruction of their stored saliva samples and DNA in the account settings under "Preferences." Additionally, you can withdraw consent for third-party researchers to use your genetic information and samples under "Research and Product Consents."