The Memo: 23andMe files for bankruptcy amidst concerns over consumers' genetic data

Consumer genetics company 23andMe has filed for Chapter 11 bankruptcy protection in the US. Established in 2006, 23andMe introduced consumer DNA test kits to the market, which can map ancestry, detect recessive gene disorders such as sickle cell anaemia and cystic fibrosis, and offer insights into health predispositions such as late onset Alzheimer’s. The company finally went public in 2021 and has over 15 million customers to date. 

To put it simply, 23andMe holds some of the most sensitive information: DNA. In fact, hackers were able to access the ancestry information of over 6 million users and even went on to attempt the sale of what they claim to be the data of 1 million users of Ashkenazi Jewish descent and 100,000 users of Chinese descent. Over 40 class action lawsuits swiftly followed, resulting in a blanket $30 million settlement and agreement to three years of security monitoring. There was a subsequent 40% reduction in workforce, and the biotech company has continued to struggle from the fallout ever since. What’s more, following a recent investigation into the breach, 23andMe will now face a £4.59 million fine from the UK’s Information Commissioner’s Office. 

In the United States, Chapter 11 bankruptcy allows companies to restructure their finances and operations, including the sale of assets, while operating business as usual. As such, 23andMe has stated: “The Chapter 11 filing does not change how we store, manage, or protect customer data. Our users’ privacy and data are important considerations in any transaction. [...] Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.” That said, following the announcement, website traffic surged to 526%, with users seeking to delete their data. 

The company’s headquarters and databases are both located in California and subject to Californian law, meaning that Americans are protected under the Genetic Information Privacy Act and the California Consumer Privacy Act. In fact, the Attorney General issued a consumer alert reminding customers of their rights.But what does this mean for UK and European customers? Well, businesses that operate outside the country but offer local services must still comply with strict GDPR regulations. So, customers in the UK, like their American counterparts, have the right to opt out of sharing results and to delete their genetic data.  

As for the sale itself, it’s worth noting that genetic testing companies are not protected under HIPAA (Health Insurance Portability and Accountability Act) – a set of strict privacy laws that regulate medical providers and insurers’ handling of data – as the law treats participants as consumers, not patients. This means that any potential buyers remain unclear, though AI startups and pharmaceutical companies could be in the running. Law enforcement could even get involved, as such DNA databases have solved cold cases such as the Golden State Killer. However, this again raises concerns regarding the use of consumers’ data under new ownership.