“What we’re witnessing with 23andMe is a stark wake-up call for data privacy,” said Adrianus Warmenhoven, a cybersecurity expert at NordVPN. “Genetic data isn’t just a bit of personal information — it is a blueprint of your entire biological profile. When a company goes under, this personal data is an asset to be sold with potentially far-reaching consequences."
What happened to 23andMe?
23andMe filed for Chapter 11 bankruptcy protection on Sunday. Anne Wojcicki, who co-founded the company nearly two decades ago and has served as its CEO, stepped down effectively immediately. The San Francisco-based company said that it will look to sell “substantially all of its assets” through a court-approved reorganization plan.
Wojcicki's resignation comes just weeks after a board committee rejected a nonbinding acquisition proposal from her to take the company private.
Wojcicki still intends to bid on 23andMe as the company pursues a sale through the bankruptcy process. In a statement on social media, Wojcicki said that she resigned as CEO to be “in the best position” as an independent bidder.
23andMe says that filing for Chapter 11 bankruptcy protection will help facilitate a sale of the company, meaning that it’s seeking new ownership. The company said it wants to pull back on its real estate footprint and has asked the court to reject lease contracts in San Francisco and Sunnyvale, California and elsewhere to help cut costs. But the company plans to keep operating during the process.
Is my DNA data safe?
In a post about the Chapter 11 process, 23andMe said its users’ privacy and data are important considerations in any transaction and that any buyer will be required to comply with applicable laws when it comes to how it treats customer data.
But experts note that laws have limits — for instance, the U.S. has no federal privacy law and only about 20 states do.
There are also security concerns. For instance, the turmoil of a bankruptcy and related job cuts could leave fewer employees to protect customers' data against hackers. It wouldn't be the first time — a 2023 data breach exposed the genetic data of nearly 7 million customers at 23andMe, which later agreed to pay $30 million in cash to settle a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed.
Experts note that DNA data is particularly sensitive — and thus valuable.
“At a fundamental biological level, this is you and only you,” said David Choffnes, a computer science professor at Northeastern University and executive director of its Cybersecurity and Privacy Institute. “If you have an email address that gets compromised, you can find another email provider and start using a new email address. And you’re pretty much able to move on with your life without problem. And you just can’t do that with your genetic code.”
23andMe says it does not share information with health insurance companies, employers or public databases without users' consent and with law enforcement only if required by a valid legal process, such as a subpoena. Choffnes said while that's good, it's a fairly narrow set of categories.
“There’s still other things that they are allowed to do with that data, including, as they mentioned, provide cross context, behavioral or targeted advertising,” he said. “So, you know, in a sense, even if they aren’t sending your personal data to an advertiser, there’s a long line of research that identifies how third parties can re-identify you from de-identified data by looking for patterns in it. And so if they’re targeting you with advertisements, for example, based on some information that they have about your genetic data, there’s probably a way that other parties could piece together other information they have access to.”
How can I delete my data from 23andMe?
California Attorney General Rob Bonta issued an urgent consumer alert Friday — before 23andMe filed for bankruptcy — noting the company's financial distress and reminding people they have the right to have their data deleted.
If you have a 23andMe account, you can delete your data by logging in and going to “settings” and scrolling to a section called “23andMe Data” at the bottom of the page. Then, click “View,” download it if you want a copy then go to the “Delete Data” section and click “Permanently Delete Data.” 23andMe will email you to confirm and you will need to follow the link in the email to confirm your deletion request.
If you previously asked 23andMe to store your saliva sample and DNA, you can also ask that it be destroyed by going to your account settings and clicking on “Preferences.” And you can withdraw consent to third-party researchers to use your genetic data and sample under “Research and Product Consents.”