Genetic Testing Firm 23andMe Bankruptcy Sparks Data Privacy Alarm
The DNA data of millions of users of genetic testing company 23andMe is potentially for sale as the firm enters bankruptcy and seeks buyers.
Since 2006, 23andMe, a prominent Silicon Valley company, has compiled a vast database of individuals’ fundamental genetic information. This accumulation was built on the premise of enabling users to understand their genetic predispositions to illnesses and potentially connect with relatives.
However, the company’s declaration of bankruptcy on Sunday now means this sensitive information could be sold, generating considerable apprehension among privacy specialists and advocates.
User Data at Risk in Bankruptcy Proceedings
Tazin Khan, CEO of the nonprofit Cyber Collective, a group championing privacy rights and cybersecurity for marginalized communities, stated, “People have absolutely no control over where their data will end up.”
She further questioned, “How can we ensure that the future impact of whoever acquires this data will not be disastrous?”
California Attorney General Warns Users
California Attorney General Rob Bonta issued a public statement Friday alerting individuals to the potential sale of their data. In his announcement, Attorney General Bonta provided users with instructions on how to remove their genetic data from 23andMe, how to request the company to destroy their test sample, and how to withdraw consent for their data’s use in third-party research studies.
DNA Data: Highly Sensitive Information
DNA data is exceptionally sensitive.
Its primary application at 23andMe—mapping a person’s possible inherited health conditions—constitutes data that many individuals would prefer to remain confidential. Notably, genetic testing data has been subpoenaed in certain criminal investigations and utilized to aid inquiries involving individuals’ family members.
Irreversible Nature of DNA Data Breaches
Cybersecurity experts warn that unauthorized access to biometric data, such as DNA information, presents an intractable problem. Unlike passwords, addresses, or Social Security numbers, DNA cannot be altered if compromised.
23andMe Response and Regulatory Landscape
A 23andMe spokesperson indicated to NBC News via email that customer data storage practices would remain unchanged and that the company intends to adhere to all pertinent U.S. laws.
However, Andrew Crawford, an attorney at the nonprofit Center for Democracy and Technology, pointed out that genetic data legally obtained and held by technology companies faces minimal federal oversight to begin with.
He explained that the U.S. lacks a comprehensive general digital privacy law and that Americans’ medical data receives less legal protection when held by a tech firm compared to a healthcare professional.
HIPAA Limitations on Tech Companies
Crawford elaborated on the Health Insurance Portability and Accountability Act (HIPAA), noting that while it governs certain aspects of health data sharing and storage in the U.S., it primarily applies “when that data is held by your doctor, your insurance company, entities associated with healthcare provision.”
He added, “HIPAA protections generally do not extend to entities that possess IOT [internet of things] devices like fitness trackers, and, in many cases, genetic testing companies like 23andMe.”
Past Data Security Incident
23andMe has lost control of user data before.
In 2023, a security breach compromised the data of approximately 6.9 million individuals, which the company later confirmed represented nearly half of its user base at that time.
Subsequently, databases identifying individuals with Ashkenazi Jewish heritage appeared on a dark web hacker forum; NBC News partially authenticated the data. 23andMe later stated that safeguarding user data remained “a top priority” and pledged continued investment in system and data protection.
Call for Consumer Awareness
Emily Tucker, executive director of Georgetown Law’s Center on Privacy & Technology, emphasized that the potential sale of 23andMe data should serve as a critical lesson for Americans regarding the ease with which their personal information can be traded without their consent.
Tucker cautioned in an emailed statement, “People must recognize that entrusting their DNA to a corporation places their genetic privacy at the whim of that company’s internal data policies and practices, which are subject to change at any moment.”
“This poses considerable risks not only to the individual submitting their DNA but also to all their biological relatives,” she concluded.