The 23andMe Bankruptcy: What It Means for Your Personal Information

In March 2025, 23andMe, a pioneer in direct-to-consumer genetic testing, filed for Chapter 11 bankruptcy, raising alarm bells for its 15 million customers. The company, known for its at-home DNA kits that reveal ancestry and health insights, is now seeking a buyer, putting its massive genetic database—one of the largest in the world—up for sale. This development, coupled with a 2023 data breach that exposed the personal information of nearly 7 million users, has sparked serious concerns about the privacy and security of sensitive genetic data. Here’s what you need to know about the risks and how to protect yourself.

Why the Bankruptcy Raises Red Flags

When a company like 23andMe files for bankruptcy, its assets—including customer data—can be sold to the highest bidder as part of the restructuring process. Genetic data is uniquely sensitive: it’s a permanent blueprint of your biology, revealing details about your health, ancestry, and even your relatives. Unlike a password or credit card number, you can’t change your DNA. If this data falls into the wrong hands, the consequences could be far-reaching, from identity theft to genetic discrimination or exploitation.

The 2023 breach already exposed vulnerabilities, with hackers accessing names, email addresses, birth dates, family trees, and geographic locations of 6.9 million users. Some of this stolen data was offered for sale on hacking forums, targeting specific ethnic groups. The bankruptcy adds another layer of uncertainty, as a new owner could alter privacy policies or use the data in ways customers didn’t anticipate—like sharing it with insurers, employers, or law enforcement without robust safeguards.

Limited Legal Protections

One of the biggest issues is the lack of comprehensive federal privacy laws in the U.S. The Health Insurance Portability and Accountability Act (HIPAA) doesn’t apply to direct-to-consumer companies like 23andMe, which operate outside traditional healthcare settings. The Genetic Information Nondiscrimination Act (GINA) prevents employers and health insurers from discriminating based on genetic data, but it doesn’t restrict how companies can sell or share that data.

While 23andMe insists that any buyer must comply with its existing privacy policies and applicable laws, experts warn that a new owner could revise those policies. Customers might be asked to agree to new terms, often buried in fine print, without fully understanding the implications. Some states, like California, offer stronger protections under laws like the Genetic Information Privacy Act (GIPA) and California Consumer Privacy Act (CCPA), which allow users to request data deletion. However, these protections are patchwork and don’t apply nationwide.

Risks Beyond the Individual

The stakes aren’t just personal. If a relative used 23andMe, their data could reveal information about you, even if you never submitted a sample. Genetic data is inherently interconnected, linking family members through shared DNA. This makes it critical to consider the broader implications of leaving data with the company.

Cybersecurity experts also warn that bad actors could exploit genetic data for identity theft, tailored social engineering attacks, or even extortion. In a worst-case scenario, if the data is acquired by entities like insurance companies, it could be used to deny coverage or raise premiums based on predispositions to certain diseases. There’s also a national security angle: the House Committee on Oversight and Accountability has raised concerns about foreign actors, such as the Chinese Communist Party, potentially acquiring this data, citing China’s history of misusing genetic information.

What You Can Do to Protect Yourself

Given the uncertainty, privacy experts and officials, including California Attorney General Rob Bonta, are urging 23andMe customers to take immediate action. Here’s how to minimize your risk:

  1. Delete Your Data: Log into your 23andMe account, go to “Settings,” and navigate to the “23andMe Data” section. Select “Permanently Delete Data” and confirm the request via email. Be aware that 23andMe may retain some information, like genetic data, date of birth, and sex, to comply with legal obligations.
  2. Request Sample Destruction: If you opted to store your saliva sample, you can request its destruction through the same settings page. This ensures the physical sample isn’t transferred to a new owner.
  3. Revoke Research Consent: If you agreed to let 23andMe use your data for research, revoke this consent under “Research and Product Consents” in your account settings. Note that data already used in published research can’t be retracted.
  4. Stay Informed: Monitor 23andMe’s official communications for updates on the bankruptcy and sale process. If you’re in a state with strong privacy laws, like California or New Hampshire, contact your state’s Department of Justice for assistance with data deletion.
  5. Talk to Family: If relatives used 23andMe, encourage them to delete their data too, as their information could indirectly affect you.

A Wake-Up Call for Genetic Privacy

The 23andMe bankruptcy underscores a harsh reality: when you share your DNA with a private company, you’re entrusting it to an entity that may not prioritize your privacy, especially under financial duress. The lack of federal oversight leaves consumers vulnerable, and the interconnected nature of genetic data amplifies the risks.

If you’re considering a DNA test, weigh the benefits against the potential for your data to be sold, hacked, or misused. For current or former 23andMe users, acting now to delete your data and destroy your sample is the best way to limit exposure. As one cybersecurity expert put it, “You can’t change your password to your DNA.”

This situation is a stark reminder that genetic data deserves stronger protections. Until comprehensive privacy laws are in place, consumers must take proactive steps to safeguard their most personal information. Don’t wait—delete your 23andMe data today.

For more information, visit 23andMe’s customer care page or contact your state’s attorney general for guidance on privacy rights.


