The Demise of 23andMe: What You Should Know
The genetic testing company 23andMe has filed for bankruptcy and has put the company up for sale. And while filing for bankruptcy isn’t uncommon, there’s more at risk here. Since 23andMe collects and stores DNA samples for genetic testing of all sorts, that data is potentially on the sale block as well. That means the genetic information from the twelve million kits the company has sold. If you’re one of them, here’s what you should know before you act.
What 23andMe Says
23andMe has attempted to preempt these concerns through an open letter to their customers. They say that the bankruptcy filing doesn’t change how they store and protect the DNA samples sent in. However, there is no real legal precedent covering the transfer of genetic data. Unlike most sensitive data, you can’t change your genes.
Prior Data Breaches
There’s reason to be concerned. In 2023, hackers gained access to 6.9 million users’ genetic data; almost half of their total user base. A list of users with Ashkenazi Jewish heritage got posted to the dark web, potentially setting them up for antisemitic violence. No other information has leaked so far.
HIPAA Does Not Apply
But what about healthcare privacy rulings? Don’t they come into play? In a word, no. Rulings like the Health Insurance Portability and Accountability Act (HIPAA) only apply to doctors, insurance companies, and other medical businesses. 23andMe is not a medical company, but a commercial one. Direct-to-consumer dealings aren’t covered.
There is one federal law covering genetic data. The Genetic Information Nondiscrimination Act rules that employers and health insurance companies cannot discriminate based on genetic information. Eleven states have made their own genetic data laws. Those vary widely, so look up what your state may have in place.
How to Protect Your Data
If you want your genetic data removed from their database, the time is now. To delete your account, log into 23andMe’s site, go to the “settings” section, and click on “view” for your 23andMe data. Scroll down to the “delete data” and select the “permanently delete data” option. 23andMe will email your connected email address and ask you to confirm. Your data will be deleted and your saved genetic material discarded.
Removing Permission to Store Your Genetic Data
If you’re not ready to delete your account just yet, you can still protect your genetic information. To get your saved genetic information discarded, go into your account settings and change your preferences for your saved data. You can also remove permission for your genetic material to be used for research. 23andMe says that any research data has names and birthdates removed, but whether this will stay in place under new ownership remains to be seen.
A New World of Technology
Since genetic data storage is such a new thing, there are few laws about it. 23andMe’s bankruptcy filing has brought that lack into public view. Hopefully those concerns can be addressed by new legislation. Until then, take extra care to protect any data you have stored with the company.