Healthcare and biotechnology company 23andMe (best known for their at-home genetic testing kits), has officially filed for Chapter 11 bankruptcy. The company, which has been utilized by millions of users all over the globe to determine their own genetic makeup and cultural backgrounds, is seeking a new asset buyer to purchase their entire stock of data. If you or someone you know has used 23andMe in the past, this means that your genetic material and associated information may be at risk.
Since the company’s products delve into familial heritage, there is also a potential for millions of people who have never even opted into the service to be doxxed by proxy. For now, there’s no confirmation on who will be purchasing the company’s data, nor what the new buyer plans to do with this information. Regardless, now seems like an ideal time to examine the possible ramifications of this breaking story, and outline some ways in which 23andMe users can protect their privacy moving forward.
What Happened to the Biotech Company?
Though 23andMe is experiencing significant financial issues as a corporation, it appears as though the company will continue to run nearly unimpeded. Per an official press release, co-founder Anne Wojcicki will be resigning from her position as CEO, though she plans to remain on the board while the California-based business searches for a buyer. Board of Directors spokesman Mark Jensen outlined the future of the company in a statement, explaining that the sale is being made to maximize 23andMe’s overall value, and does not represent an official end to all 23andMe operations. Despite going public with a valuation of $6 billion back in 2021, the company has faced significant financial hurdles, and struggled to turn a profit in recent quarters.
Even though the board of 23andMe plans to continue servicing their clients, the liquidation of the company means that user data could be sold to any number of public or private interests. The best case scenario will see the data being used for the same purpose as before – providing users with helpful info about their history, while scanning for any potentially harmful red flags like a previously unknown history of heart disease. The worst case scenario, however, could see healthcare companies using this data to deny claims for clients, police using genetic data to hunt down relatives of 23andMe users or predatory advertising agencies utilizing genetic data to aggressively market consumer drugs and other products. There are laws in place to regulate which companies can purchase sensitive consumer data and what they can do with it, though the transfer of data could leave the company wide open for leaks or other unforeseen circumstances.
Can You Delete Your 23andMe Data?
Since this sale has left so many 23andMe users with concerns about their privacy, several groups have taken to the web to encourage past users to delete their data entirely. There are options in place for those who wish to revoke access to their data’s third-party research aptitudes, but doing so can be difficult to navigate. Thankfully, sources such as California Attorney General Rob Bonta have provided step-by-step guidelines for sheltering your data as much as possible ahead of the sale. At this time, the best protection against any oncoming fallout from the 23andMe sale is a two-pronged approach. First, ask the company to destroy your DNA sample, then delete your account, along with all saved data. It is crucial to demand the company destroy your sample before deleting your account. The full guideline for completing both steps is as follows:
To ask 23andMe to destroy your DNA sample, begin by signing in and opening your account settings. From there, select “preferences,” and withdraw any previous consent for your DNA sample to be stored or used in 23andMe research. Before clicking save, be sure to also revoke consent for future research participation, by navigating to the “Research and Product Consents” tab. With that out of the way, return to the profile settings page, and scroll to “23andMe Data.” Here you can select View, then Delete Data and confirm by clicking “Permanently Delete Data.” This method may not be entirely foolproof, but it is the best defense against having your genetic data compromised in the upcoming sale.
Does HIPAA Cover 23andMe Data?
While there are certain guardrails in place to ensure your data is relatively safe, many medical professionals and consumer advocates feel that digital privacy laws are woefully underdeveloped. For starters, the Health Insurance Portability and Accountability Act (HIPAA), which normally regulates the way that health data is shared, does not apply to private entities such as 23andMe. Apparently, HIPAA only impacts the way that certified medical professionals such as doctors and nurses can handle your medical information, and does not typically attach to business entities like 23andMe or fitness trackers like the Apple Watch. This fact has been at the center of a great debate for some time now, especially in the wake of a 2023 data leak which saw hackers taking access of 23andMe servers and compromising the health information of nearly seven million individuals.
Even before 23andMe announced their bankruptcy, the company was being investigated by multiple attorneys general who allege that the operation was culpable in a leak which resulted in millions of users being identified on dark web forums. Some of these forums included hate groups which sought to victimize people based on their ethnic and racial heritage, which highlights just how dangerous 23andMe’s data can be when it gets into the wrong hands. As news surrounding the sale and impending business changes continues rolling in, we’ll be sure to keep you updated on the status of user data and similar privacy laws.
