The biotechnology company 23andMe has filed for Chapter 11 bankruptcy, putting the DNA data of millions up for sale.
Founded in 2006, 23andMe built a massive database of genetic information, promising to help people better understand their health and connect with potential relatives.
However, since the company filed for bankruptcy on Sunday, its genetic database is now set to be sold, raising serious concerns among privacy advocates and experts.
Tazin Khan, CEO of the nonprofit Cyber Collective, which advocates for privacy rights, warned that users “will have absolutely no say in where their [genetic information] ends up.”
She stressed that once a third party purchases the data, there’s no way to guarantee the impact won’t be catastrophic.
In a statement, California Attorney General Rob Bonta provided instructions on how users can delete their genetic data from 23andMe and request the permanent removal of their test samples.
Before filing for bankruptcy, 23andMe used this data to assess users’ potential health risks—information many would prefer to keep private. In some cases, genetic testing data has also been used in criminal investigations involving users’ relatives.
Experts warn that if a malicious party gains access to someone’s genetic information, there’s no way to undo the damage. Unlike passwords or addresses, DNA cannot be changed.
A 23andMe spokesperson stated that the company will continue storing customer data as usual and will follow all U.S. laws.
However, attorney Andrew Crawford pointed out that there are almost no federal regulations on DNA data collected by biotech companies. He added that the U.S. lacks digital privacy laws, and medical data faces even fewer legal protections when held by a company rather than a medical professional.
Crawford explained that while the Health Insurance Portability and Accountability Act (HIPAA) regulates how health information is shared and stored in the U.S., it only applies when the data is held by a medical professional, such as a doctor or an insurance company.
He emphasized that genetic testing companies like 23andMe are not covered by these protections.
23andMe has also faced data breaches in the past.
In 2023, a hacker accessed genetic data from what 23andMe later admitted was 6.9 million users—nearly half of its total customer base at the time. The stolen data was then shared on the dark web, where individuals with Ashkenazi Jewish heritage were specifically identified and named.
Following the breach, 23andMe stated that protecting user privacy was a “top priority” and that they would continue investing in data security.
Experts warn that 23andMe’s bankruptcy and data sale should serve as a wake-up call about how easily personal information can be bought and sold without a user’s consent. People should also be aware that when they hand over their DNA to a company, they are risking their genetic privacy, because the company’s ownership and policies can change at any time.