New York Attorney General Letitia James has urged 23andMe customers to delete their genetic data, warning of potential privacy risks as the DNA testing firm files for bankruptcy. The company, which has amassed the genetic information of over 15 million users, faces an uncertain future, sparking concerns over how its data might be handled by a potential new owner.
Consumers have taken to social media to share account deletion tips, fearing that their sensitive DNA profiles could be sold as part of the company’s assets. While 23andMe has insisted that its bankruptcy will not affect data security, experts warn that the company’s promises may not hold under new ownership.
Founded in 2006, 23andMe initially gained popularity for its ancestry and health risk analysis services. In 2021, it went public with a $3.5 billion valuation, aiming to pivot into drug research. However, declining consumer demand, economic pressures, and a massive data breach in 2023 left the company financially unstable.
Privacy risks and legal uncertainty
Despite assurances from 23andMe that customer data will remain protected, cybersecurity and legal experts remain skeptical. Arthur Caplan, head of the Division of Medical Ethics at NYU Grossman School of Medicine, warned that a bankruptcy sale could override previous data protection commitments. “If someone buys its assets, those promises of confidentiality go out the window,” he said.
Unlike the European Union, the U.S. lacks comprehensive federal data privacy laws. DNA testing companies like 23andMe are not covered under the Health Insurance Portability and Accountability Act (HIPAA), meaning genetic data is not protected in the same way as medical records. Legal experts caution that new ownership could change privacy policies without giving users a chance to opt out.