What would happen to your personal and genetic data if the company you trusted with it shuts down?
A new paper published in the New England Journal of Medicine raises serious concerns about what might happen to the sensitive data of millions of customers if 23andMe, a popular DNA testing company, goes bankrupt or gets sold.
Since its launch in 2007, 23andMe has attracted over 14 million customers who mailed in saliva samples to learn more about their ancestry and health.
At its peak in 2021, the company was valued at $6 billion.
But after a major data breach in 2023 and the resignation of some board members, its value has plummeted to just $48 million.
In January 2024, the company announced it is exploring “strategic alternatives,” such as selling the company or its assets, restructuring, or merging with another business.
Your genetic data is a valuable asset
If 23andMe goes bankrupt, your genetic data might be sold to another company. This is worrying because many customers may not have expected their personal information to end up in the hands of someone else.
- Glenn Cohen, a Harvard Law professor and co-author of the paper, explains that this kind of data is highly valuable. Many customers shared their DNA out of curiosity or for health reasons, but in doing so, they helped create massive genetic databases.
These databases could be sold as company assets, and consumers might have no control over what happens to their data next.
What could go wrong?
One concern is data security. If a less responsible company buys the data, there’s a higher chance of a future data breach. Even 23andMe suffered a massive hack in 2023.
Another issue is the risk of being reidentified from supposedly anonymous data. For example, researchers once used genetic data to look for genes linked to being gay, which upset many people who had no idea their data could be used this way.
Cohen warns that while customers chose to share their data with 23andMe, they don’t have much control over what happens if the company fails or is sold.
Do health privacy laws protect you?
Surprisingly, HIPAA (the main U.S. health privacy law) doesn’t cover companies like 23andMe. That’s because HIPAA only applies to healthcare providers and insurers—not direct-to-consumer DNA testing companies. So when you use 23andMe, you’re treated more like a customer than a patient.
Other laws, like the Genetic Information Nondiscrimination Act (GINA), protect against certain types of discrimination based on your DNA—such as being denied health insurance or a job—but they don’t cover all privacy issues.
What protections does 23andMe offer?
23andMe’s privacy policy allows customers to choose whether or not their data is used for research. Around 80% of users have agreed to share their data. The company promises not to sell personal information to insurers, employers, or law enforcement without legal orders. However, it does share data with service providers for tasks like sample analysis and marketing.
Importantly, the company reserves the right to transfer data if it is sold or goes bankrupt. That means your data could be passed along to another company without your permission.
There are some safeguards. Bankruptcy is a public process, and agencies like the Federal Trade Commission or state attorneys general can get involved. A court may also appoint a privacy ombudsperson to make sure any sale of data follows the company’s own privacy rules and legal guidelines.
Still, Cohen says these protections aren’t perfect. Most people don’t think about the risks when they hand over their DNA, and that needs to change.
Cohen and his co-authors say it’s time for the U.S. to update privacy laws to protect genetic data better—especially in situations like bankruptcy. They suggest expanding HIPAA or GINA, or creating new laws to address these modern issues.
If you’re a 23andMe customer and worried about your data, consider:
- Not giving consent to share your data for research.
- Deleting your account and asking the company to remove your information (though this isn’t a perfect solution).
- Thinking carefully before using similar services in the future.
There are many good reasons to be curious about your DNA. But with the uncertain future of companies like 23andMe, it’s more important than ever to protect your genetic privacy.
