23andMe, the prominent direct-to-consumer genetic testing company, has filed for Chapter 11 bankruptcy, sparking significant concerns about the future of its customers’ sensitive genetic data. The filing aims to facilitate a court-supervised sale of the company’s assets while addressing mounting financial and legal challenges, including liabilities from a major data breach in 2023. As the company seeks a buyer, questions loom over how its vast repository of genetic information will be handled.

The bankruptcy filing, announced on March 23, 2025, follows years of financial instability for 23andMe. Once valued at $6 billion after going public in 2021, the company’s valuation has plummeted to under $50 million. 

Despite assurances from 23andMe that customer data will remain protected and that any buyer must comply with applicable privacy laws, experts warn that federal regulations offer limited safeguards for genetic data. This uncertainty is compounded by the company’s history of sharing anonymized data with pharmaceutical companies like GlaxoSmithKline for research purposes.

The bankruptcy filing has heightened concerns about the security and privacy of genetic data belonging to over 15 million customers. The company’s most valuable asset—its genetic database—could be sold to new owners as part of the restructuring process. Critics worry that a change in ownership might lead to altered privacy policies or misuse of sensitive information.

The risks are not hypothetical. In 2023, a cyberattack exposed personal information from nearly seven million accounts, including raw genetic data. Such breaches highlight how vulnerable DNA databases can be to hacking and misuse.

Steps Customers Can Take to Protect Their Data

Experts strongly urge customers to take proactive measures to safeguard their genetic information:

1. Delete Your Data: Customers can request the deletion of their genetic data through their account settings on 23andMe’s website. California residents, under state privacy laws, can also instruct the company to destroy any stored saliva samples.
2. Revoke Research Permissions: If you previously consented to your genetic data being used for research purposes, you can withdraw that consent through your account settings.
3. Monitor Privacy Policy Changes: Stay informed about any updates to 23andMe’s privacy policies, particularly if the company is acquired by a new owner.
4. Advocate for Stronger Regulations: Experts recommend urging lawmakers to enact robust federal privacy protections for genetic data. Current laws like the Genetic Information Nondiscrimination Act (GINA) do not fully address how private companies can use or sell such information.

There are limited legal protections in place for customers’ genetic data during a bankruptcy sale, leaving much of the responsibility to safeguard such sensitive information to the company and its privacy policies. Here’s an overview of the current legal landscape:

Federal Protections

• The Genetic Information Nondiscrimination Act (GINA) prohibits employers and health insurers from discriminating based on genetic information but does not prevent companies like 23andMe from selling or transferring genetic data during bankruptcy proceedings.
• The Health Insurance Portability and Accountability Act (HIPAA) applies only to healthcare providers and insurers, not direct-to-consumer genetic testing companies like 23andMe.

State-Level Protections

• States such as California have enacted laws like the California Consumer Privacy Act (CCPA) and Genetic Information Privacy Act (GIPA), which allow consumers to request the deletion of their genetic data and destruction of biological samples. However, these laws are limited to specific jurisdictions and do not offer nationwide protection.

Bankruptcy-Specific Safeguards

Bankruptcy law provides some oversight during asset sales:

• Federal courts oversee bankruptcy processes, and agencies such as the U.S. Trustee Program or regulators like the Federal Trade Commission (FTC) can intervene to ensure compliance with privacy statements.
• In some cases, a consumer privacy ombudsperson may be appointed to review whether data transfers align with existing privacy policies. However, these measures are not guaranteed and depend on the specifics of the case.

Risks in Bankruptcy Sales

The privacy policy of 23andMe reserves the right to transfer customer data in the event of a sale or bankruptcy. While any new owner must initially adhere to existing privacy policies, these policies can be modified after acquisition, potentially allowing broader use or sharing of genetic data without customer consent.