The well-known genetic testing company 23andMe recently announced its decision to file for bankruptcy, leaving numerous customers who have sent in DNA samples concerned about the fate of their genetic information.
Despite the bankruptcy proceedings, the company assures that the security and handling of customer data will remain unchanged. Nonetheless, privacy advocates are urging users to delete their genetic data from the company’s servers due to fears that a future buyer might gain access to this sensitive information or that hackers might exploit the company’s current state.
Cybersecurity expert Adrianus Warmenhoven emphasizes the gravity of the situation, stating, “Genetic data is essentially a blueprint of your biological identity. When a company faces financial turmoil, personal data becomes a valuable asset, and its mishandling can result in serious consequences.” As of Sunday, 23andMe has sought Chapter 11 bankruptcy protection. Anne Wojcicki, who co-founded the company nearly 20 years ago, resigned from her position as CEO immediately. The company aims to sell most of its assets through a court-approved reorganization plan.
A few weeks before her resignation, Wojcicki’s offer to take the company private was declined by a board committee. Nevertheless, she still intends to participate as a bidder during the sale process orchestrated through the bankruptcy proceedings. Wojcicki mentioned her decision to step down as CEO was strategic to position herself as an independent bidder.
In aligning with its Chapter 11 strategy, 23andMe seeks new ownership. The company intends to reduce its real estate footprint by requesting court approval to annul existing lease agreements in locations such as San Francisco and Sunnyvale, California, to manage expenses while maintaining operations.
Regarding customers’ genetic data, 23andMe claims that privacy remains a priority, assuring that any new owner will be legally bound to preserve data security and privacy. However, experts warn that legal protections have their limits, as the U.S. lacks a comprehensive federal privacy law, and only around 20 states have individual laws in place. Security risks are also a pressing concern; after all, a past data breach in 2023 exposed the genetic information of approximately 7 million users, compelling the company to agree to a $30 million settlement in response to a class-action lawsuit.
DNA data holds intrinsic value due to its sensitive nature. David Choffnes, a computer science professor at Northeastern University, said, “At a fundamental biological level, this data uniquely identifies you. Unlike changing an email address, you cannot simply alter your genetic code if compromised.” 23andMe reassures that data isn’t shared without user consent. However, Choffnes warns of the potential for indirect data use, such as for targeted advertising, which third parties might exploit to re-identify users.
California Attorney General Rob Bonta issued a consumer alert before the bankruptcy filing, advising that individuals have a right to request data deletion. Customers wishing to delete their data can do so by logging into their accounts and navigating through the settings to the “23andMe Data” section. Users can download a copy of their data before deleting it permanently, following the prompts for confirmation. Moreover, users can request the destruction of stored samples and manage consent settings for third-party research access.