The genetic testing giant 23andMe is teetering on the edge of collapse. Following a devastating 2023 data breach, a 99% drop in market value, and a series of high-level board resignations, the company is now facing potential bankruptcy. As the firm prepares for a court-supervised asset sale, roughly 15 million customers are left wondering about the security of their most intimate biological information.
The Collapse of a Pioneer
Once a high-flying tech darling, 23andMe has struggled to maintain profitability, failing to capitalize on its initial public offering in 2021. The situation deteriorated further after a massive security failure resulted in the theft of ancestry data belonging to nearly 7 million users. The company recently agreed to a $30 million settlement to resolve a class-action lawsuit linked to the breach.
Turmoil reached a fever pitch when founder and CEO Anne Wojcicki expressed intentions to take the company private, leading to the immediate resignation of all independent board members. With bankruptcy protection filed in March 2024, the company’s primary remaining asset—a massive repository of genetic data—is now being positioned for sale.
Why Your DNA Data is Vulnerable
Many users mistakenly believe their genetic information is protected by the Health Insurance Portability and Accountability Act (HIPAA). In reality, 23andMe is not a healthcare provider under HIPAA regulations. The company operates primarily under its own privacy policies, which are subject to change.
Under its current terms, 23andMe reserves the right to share, sell, or transfer user data during a merger, acquisition, or bankruptcy. While the company claims its policies would remain in effect post-sale, potential buyers may have different motivations. Reports indicate that the firm has previously pivoted its strategy toward monetizing its database for pharmaceutical research, raising alarms among privacy advocates.
The Electronic Frontier Foundation (EFF) has publicly warned against any sale that could grant third parties, including law enforcement, access to this sensitive information. Although 23andMe has historically resisted law enforcement requests, as documented in its transparency reports, a new owner might not share that commitment.
Steps to Protect Your Genetic Privacy
In response to the uncertainty, privacy experts and officials, including California Attorney General Rob Bonta, are urging customers to take proactive measures. Deleting your account is the primary way to mitigate future risks.
How to request data deletion:
- Log in to your 23andMe account.
- Navigate to Settings.
- Select Account Information.
- Choose Delete Your Account.
It is important to note that deletion is not a total “clean slate.” The company’s policy states that certain data—such as specific genetic records and identifiers required for legal compliance—may be retained. Furthermore, if you previously consented to participate in research, that data may have already been integrated into studies and cannot be purged. According to company data, approximately 12 million customers have participated in these research programs.
For those concerned about their digital footprint, the time to act is now. As Meredith Whittaker, president of the Signal messaging app, noted, the security of your biological data is not just an individual issue, but a concern for your entire family tree.