Remember 23andMe? The company that gave customers saliva-based DNA testing kits to learn about their ancestry?
Founded in 2006, the company also conducted health research and drug development. But it struggled to find a profitable business model and eventually filed for Chapter 11 bankruptcy protection back in March, raising concerns about the safety of customer data.
Well, 27 states and the District of Columbia on Monday filed a lawsuit in bankruptcy court seeking to block the sale of the company’s archive of genetic data without customer consent. The lawsuit comes as a biotechnology company seeks court’s approval to buy the struggling firm.
If you were a customer of 23andMe, you’re probably wondering what is going on with your data. It turns out you do have options if you want to protect your genetic self.
What happened to 23andMe?
23andMe filed for Chapter 11 bankruptcy protection back in March. Anne Wojcicki, who co-founded the company nearly two decades ago and served as its CEO stepped down. The San Francisco-based company said that it would look to sell “substantially all of its assets” through a court-approved reorganization plan.
Wojcicki intends to bid on 23andMe as the company pursues a sale through the bankruptcy process. In a statement on social media, Wojcicki said that she resigned as CEO to be “in the best position” as an independent bidder.
23andMe said that filing for Chapter 11 bankruptcy protection helps facilitate a sale of the company, meaning that it’s seeking new ownership. The company said it wants to pull back on its real estate footprint and has asked the court to reject lease contracts in San Francisco and Sunnyvale, California, and elsewhere to help cut costs. But the company plans to keep operating during the process.
I used the service, is my DNA data safe?
In a post about the Chapter 11 process, 23andMe said its users’ privacy and data are important considerations in any transaction and that any buyer will be required to comply with applicable laws when it comes to how it treats customer data.
But experts note that laws have limits. For one, the U.S. has no federal privacy law and only about 20 states do.
There are also security concerns. For instance, the turmoil of bankruptcy and related job cuts could leave fewer employees to protect customers’ data against hackers. It wouldn’t be the first time — a 2023 data breach exposed the genetic data of nearly 7 million customers at 23andMe, which later agreed to pay $30 million in cash to settle a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed.
Experts note that DNA data is particularly sensitive — and thus valuable.
“At a fundamental biological level, this is you and only you,” said David Choffnes, a computer science professor at Northeastern University and executive director of its Cybersecurity and Privacy Institute. “If you have an email address that gets compromised, you can find another email provider and start using a new email address. And you’re pretty much able to move on with your life without problem. And you just can’t do that with your genetic code.”
23andMe says it does not share information with health insurance companies, employers or public databases without users’ consent and with law enforcement only if required by a valid legal process, such as a subpoena. Choffnes said while that’s good, it’s a fairly narrow set of categories.
“There’s still other things that they are allowed to do with that data, including, as they mentioned, provide cross context, behavioral or targeted advertising,” he said. “So, you know, in a sense, even if they aren’t sending your personal data to an advertiser, there’s a long line of research that identifies how third parties can re-identify you from de-identified data by looking for patterns in it. And so if they’re targeting you with advertisements, for example, based on some information that they have about your genetic data, there’s probably a way that other parties could piece together other information they have access to.”
How can I delete my data from 23andMe?
California Attorney General Rob Bonta issued an urgent consumer alert before 23andMe filed for bankruptcy — noting the company’s financial distress and reminding people they have the right to have their data deleted.
If you have a 23andMe account, you can delete your data by logging in and going to “settings” and scrolling to a section called “23andMe Data” at the bottom of the page. Then, click “View,” download it if you want a copy then go to the “Delete Data” section and click “Permanently Delete Data.” 23andMe will email you to confirm and you will need to follow the link in the email to confirm your deletion request.
If you previously asked 23andMe to store your saliva sample and DNA, you can also ask that it be destroyed by going to your account settings and clicking on “Preferences.” And you can withdraw consent from third-party researchers to use your genetic data and sample under “Research and Product Consents.”
