After a hack exposed the data of millions of its customers, the at-home genetic testing giant 23andMe has faced financial difficulties and may now need to sell off your data to survive.
Since its launch in 2006, genetic testing company 23andMe has sold over 12 million direct-to-consumer DNA testing kits. The company provides information about people’s ancestry and disease risks — including the ApoE4 genetic variant that can determine Alzheimer’s risk.
But last year, data from millions of its customers was hacked, leaving the company’s financial future uncertain. Now, some analysts believe customer data could be at further risk.
“As it turns out, the company’s servers were not hacked — rather, hackers targeted hundreds of individual user accounts — allegedly those that had repeated passwords,” Ignacio Cofone, an associate professor of law at McGill University, wrote at the time. “After gaining access to the accounts, hackers could leverage the ‘DNA relatives matches’ function of 23andMe to get information about thousands of other people.”
Then, in November, 23andMe let go of 40 percent of its workforce and shut down a department that researched new treatments based on that user data. The company’s CEO wants to delist the company from the stock market to keep it running. Even after these steps, however, experts say it could still become insolvent. Some are concerned it will be sold to the highest bidder.
The company’s privacy policy is prepared for that possibility; it states that it can share user data with a third party if the company is “involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets” and that “information may be accessed, sold or transferred as part of that transaction.”
This isn’t the first data privacy scare for consumers who used at-home genetic testing kits. Earlier this year the BBC reported that another genetic testing company, Atlas Biomed, disappeared without telling its customers what happened to their data, and reporters could not reach anyone at the company for an explanation.
Understanding the real risks involves taking a look at existing laws.
Can insurance companies use genetic data against you?
In 2008, the US Genetic Information Non-Discrimination Act (GINA) was signed into law to protect people from genetic discrimination, meaning employers can’t decide to fire someone based on their genetic data alone, and likewise, health insurance companies can’t raise premiums based on someone’s genetic profile.
However, the law only deals with employment and health insurance. It doesn’t apply to disability or long-term care insurance. Neurologists Dr. Madhav Thambissetty and Dr. Robert Howard raised concerns about this in a 2023 joint op-ed published in the journal JAMA Neurology, in which they noted that ApoE4 carriers were more than twice as likely to change their long-term insurance coverage than non-carriers.
If 23andMe sells off its data to other companies, insurance firms could gain access to this information and charge steeper premiums to ApoE4 carriers or deny them insurance coverage altogether, even though many people with the ApoE4 gene never develop Alzheimer’s disease.
In addition, ApoE testing inadvertently discloses the status of children and other family members, who in turn could also be affected by insurance decisions.
Stanford Law Professor Hank Greely doesn’t think consumers should panic at the thought of an another insurance company getting its hands on their genetic data. “There’s not that much bad that can happen” to most people, he told Being Patient.
Not many older Americans have disability or long-term care insurance to start with, he pointed out. It’s already expensive — and providers deciding to hike their rates for people with certain genetic biomarkers could trigger what he called a “death spiral” for the industry.
A Stanford Law Professor on Genetic Testing: Who Owns Your Data?
Can you delete your data from 23andMe?
If the possibility of another company obtaining genetic data is still unsettling, experts note that it’s possible to get genetic testing companies to delete some of the data they’ve collected — and this is a legal requirement in some states.
“If you have participated in [23andMe], and you’re concerned that the company is going to be sold to a company that you don’t like, you can ask them to have your data deleted,” Jonathan LoTempio, a researcher at the University of Pennsylvania who studies the ethics of genetic testing, told Being Patient.
Once the data is deleted from the company’s store, they can no longer access it. And LoTempio doesn’t believe that the next company that owns 23andMe could recover it.
At the same time, this data is indeed valuable, advancing the world’s understanding of genetics, and 23andMe was a part of building that broader understanding.
“23andMe included a lot of people who wouldn’t necessarily have participated in research, and because of that, they have a really unique data resource,” LoTempio said.
What happens to all that genetic data now?
Even if 23andMe no longer has the data, it could still be useful in research.
“Large DNA databases hold tremendous potential to advance medicine, offering statistical power for breakthroughs in linking genetics and disease,” Dov Greenbaum and Mark Gerstein wrote in a recent op-ed for The Hill. “Private companies like 23andMe have often outpaced public efforts in scale and speed.”
But as Greenbaum and Gerstein point out, consistent regulation and sustainable business models are crucial to this industry. Without those things, they say, “these advancements risk being overshadowed by privacy breaches and eroding public confidence. With clear, enforceable regulations, the potential sale or acquisition of the 23andme data would be far less perilous, ensuring that the benefits of genomic research are achieved without compromising personal security or trust.”
At this point, LoTempio suggests that, for example, an entity like the federal government could step in and purchase the data for use by the National Institutes of Health.
If 23andMe is ultimately sold, LoTempio thinks it’s important people can still contribute their genetic information to research. He suggests that people concerned about 23andMe selling their data can request a copy of their genomic information, download it, and then ask the company to delete it. They could then see if researchers at another university would be willing to study it instead.
But overall, his take-home for those considering genetic testing is: Be wary about who you give permission to store your genetic data, as there’s no way to tell whether a company will keep that data safe.
“I think that people should be really careful,” LoTempio said. Unlike a lost or stolen credit card, “you can’t be issued another genome.”