DNA-testing pioneer 23andMe faced a reckoning on Sunday — and a whole lot of personal data was left hanging in the balance.

The genetic testing company that once held the vision of unlocking the secrets of our DNA filed for Chapter 11 bankruptcy, its valuation whittled down to a whisper of its former $6 billion peak. Co-founder and CEO Anne Wojcicki resigned, announcing plans to bid on the company herself, following failed attempts to take it private.

When 23andMe launched in 2006, it was positioned as a platform that would revolutionize how people understood their health and heritage, with a mission to “help people access, understand, and benefit from the human genome.”

For $99 and a vial of saliva, customers could discover secrets buried within their DNA — ancestral roots, genetic risks and even long-lost relatives.

The company amassed 15 million users, spawned a booming direct-to-consumer genomics industry and briefly touched a $6 billion valuation.

Then, after a catastrophic data breach, plummeting sales (the firm went public in 2021 but has never turned a profit) and a failed bid by Wojcicki to take the company private, 23andMe filed for Chapter 11 bankruptcy. The move is framed as a restructuring to “maximize business value,” but for millions of customers, it remains to be seen whether their genetic blueprint could end up in the hands of an unknown buyer.

The Data Breach That Broke The Camel’s Back

The company’s bankruptcy filing comes after a string of setbacks including a massive data breach in October 2023 that exposed the genetic and personal information of nearly 7 million users.

The attackers reportedly targeted profiles with Jewish and Chinese ancestry, scraping family trees, health predispositions and even raw DNA sequences. A class-action lawsuit accused 23andMe of negligence, and the company settled for $30 million — but the reputational damage was irreversible.

“The threat actor was able to access less than 0.1%, or roughly 14,000 user accounts, of the existing 14 million 23andMe customers through credential stuffing,” the company confirmed in December that year.

In an open letter to customers on Sunday, 23andMe stated that its current data protection practices will remain in place.

“Your data remains protected,” it stated. “Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.”

However, legal experts warn that a potential sale could allow new owners to alter privacy policies, and privacy experts warn that a sale could shift control of one of the world’s largest troves of consumer genomics to an entity with different motives.

“I don’t think they ever built sufficient consent into people sending them information, saying, ‘We’ll do our best to protect it, but we can’t promise,’” Arthur Caplan, a professor of bioethics at the NYU Grossman School of Medicine, told ABC News.

“So, what you might have thought was safe and secure is clearly not, as the bankruptcy is making clear now, but hasn’t been from the beginning,” he added.

Unlike traditional medical data protected under HIPAA, genetic data shared with consumer companies like 23andMe lacks similar federal privacy safeguards.

“The problem is that HIPAA’s definition of covered entities and business associates means that when you have provided information, including your genetic data, not to a hospital system, not to a physician, but to a direct-to-consumer company like 23andMe, you are not covered by HIPAA,” according to I. Glenn Cohen, a legal scholar and professor at Harvard Law School.

“You are treated by the law essentially as a consumer, not as the patient,” Cohen added, noting, “health privacy laws at the federal level won’t directly apply when you are dealing with a private company like 23andMe.”

Who Could Buy 23andMe — And What Would They Do With the Data?

Wojcicki, who said she would bid on the company, has long positioned 23andMe as a bridge between consumers and medical research. The firm has lucrative partnerships with pharma giants such as GSK, which pay to mine its genetic database for drug development.

If a private equity firm, a data aggregator or even a foreign entity were to acquire 23andMe, customer data could become a full-fledged commodity.

“We saw that 23andMe itself was subject to a massive data breach in 2023, and if the company that takes over the data lacks good data security, there’s a possibility of breach,” Cohen stated.

On Friday, California Attorney General Rob Bonta urged consumers to delete their genetic data, citing the company’s precarious financial state.

“Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” Bonta said.

However, while deleting a 23andMe account may seem like a clean break, genetic privacy experts caution that remnants of data may still exist. While the genomic information might be anonymized, that anonymization isn’t infallible, and cross-referencing data from other sources could re-identify individuals.

Under its current terms of service, 23andMe can share anonymized genetic data with third parties unless users opt out. Anonymization is often flimsy — studies show that even stripped of names, genetic profiles can be re-identified using public records.

“The company shares personal information with service providers and contractors for sample analysis, marketing, and analytics,” noted Cohen. “Also, the privacy statement reserves the company’s right to transfer customers’ personal information in the event of a sale or bankruptcy, and customers can’t protect their data from being accessed, sold, or transferred as part of that transaction.”

What Customers Can Do Now

As Wojcicki positions herself to regain control, she faces a mountain of legal and reputational challenges, with the future of 23andMe’s assets, including its genetic database, now in the hands of the bankruptcy court.

In the broader industry, the firm’s collapse has sent shockwaves through the direct-to-consumer genetic testing market, raising concerns over data privacy and security. Given past incidents and the heightened awareness following 23andMe’s troubles, industry rivals like AncestryDNA, owned by Blackstone, and MyHeritage may now face tougher scrutiny over their data practices.

As the industry recalibrates in response, here’s how to mitigate your own risks:

  1. Delete your account and data: Users can request full erasure via 23andMe’s privacy portal. However, the company warns that some data may be retained due to legal obligations.
  2. Opt out of research: Disable “Data Sharing” in account settings to limit third-party access.
  3. Monitor for misuse: Enable two-factor authentication and watch out for phishing scams leveraging genetic info.

As consumers take steps to protect their data, the conversation around data privacy and corporate responsibility is perhaps only just beginning.

“There are a lot of reasons why people are curious about their ancestry or genetic information,” Cohen said.

“My hope is that this experience might also cause companies to be more privacy sensitive,” Cohen added. “I would love to see a space where people can have their cake and eat it too, to get the information they want without feeling as though that information might put them at risk if there’s a bankruptcy and the like.”