Nexsecura

23andMe Bankruptcy- Impacts on Genetic Data Security

The recent Chapter 11 bankruptcy filing of 23andMe, a leading provider of consumer genetic testing, has raised significant concern in the cybersecurity and privacy communities. With genetic data from more than 15 million customers collected over nearly two decades, the critical question is: what happens to this highly sensitive data during and after the bankruptcy proceedings? This post examines the risks, the legal and regulatory implications, and the practical measures available for safeguarding personal genetic information as the situation unfolds.

Understanding the Bankruptcy Context

In March 2025, 23andMe filed for Chapter 11 bankruptcy protection as part of a plan to sell its assets after years of financial difficulty. The company’s market value, which reached approximately $6 billion around its public listing in 2021, has since collapsed amid investor skepticism and operational struggles. The company stated that its goal is to “maximize the value of the business” through a court-supervised asset sale. That move raises immediate questions about the stewardship of customer data, particularly given the company’s security track record: in 2023, a credential-stuffing attack against a relatively small number of accounts protected by reused passwords, combined with the DNA Relatives feature that lets matched users see one another’s profile data, exposed the data of nearly 7 million users.

Data Stewardship Risks and Concerns

As security experts have pointed out, genetic data is uniquely unforgiving once exposed: unlike a password or a card number, it cannot be rotated or reissued. Gabrielle Hempel of Exabeam emphasizes that genetic data cannot be effectively anonymized or obfuscated, which makes any mismanagement or sale during bankruptcy particularly concerning. Aditya Sood of Aryaka echoes this view, warning that genetic profiles could be exploited for malicious purposes, including identity theft and medical fraud.

Given the potential for data exposure during bankruptcy proceedings, questions surrounding data ownership and control become paramount. Gal Ringel, CEO of Mine, points out that the circumstances involve not only the responsibility of 23andMe but also a broader, systemic issue of trust related to personal data handling that the biotech industry must address.

Regulatory Landscape and Data Protection Rights

Adding to the complexity are the legal frameworks governing genetic data in the U.S. and abroad. California’s Genetic Information Privacy Act (GIPA) and the California Consumer Privacy Act (CCPA) give consumers the right to request deletion of their genetic data, and the California Attorney General has advised 23andMe customers to request deletion as a precaution. The Attorney General’s guidance also notes that customers can revoke consent for their genetic data to be used in research, which is especially pertinent given the company’s uncertain future.

Internationally, under the EU’s General Data Protection Regulation (GDPR), and the UK GDPR for UK residents, genetic data is a special category of personal data under Article 9 and is subject to correspondingly strict conditions on processing; those protections include the rights of access and erasure. Tilo Weigandt of Vaultree reminds users in the UK and EU to monitor developments regarding 23andMe’s asset sale closely and to exercise their rights under these laws proactively.

The Risk of Data Misuse

Security experts raise valid concerns regarding the possible misuse of genetic data if it falls into the hands of opportunistic buyers, potentially including third-party insurers or data brokers. There is a legitimate fear that such entities could leverage this sensitive data for purposes ranging from discriminatory insurance practices to unauthorized profiling in violation of both ethical and legal standards. Organizations like the UK’s Information Commissioner’s Office (ICO) have stressed the necessity for strict governance and compliance with data protection laws to mitigate these risks.

Recommendations for Customers

In light of these circumstances, 23andMe customers should consider taking the following steps to protect their data:

  1. Review Data Sharing Permissions: Review the consent settings that govern whether your genetic data is shared for research or with third parties, and withdraw consent wherever you are not comfortable with it. These settings are found under the privacy and research-consent options in the account settings. The California Attorney General’s guidance treats revoking research consent as a separate step from deleting the account, so doing one does not automatically accomplish the other.

  2. Initiate Data Deletion: If you are not comfortable with how your information may be handled, request deletion of your genetic data and, separately, destruction of your stored biological sample; 23andMe’s sample-storage (biobanking) consent is a distinct setting from the data-deletion request. The process involves logging into the account, following the deletion steps, and then acting on the confirmation email 23andMe sends, without which the request is not processed. Two caveats apply. First, deletion cannot recall data that was already exposed in the 2023 breach; it only limits future exposure. Second, 23andMe’s privacy statement notes that some information (including genetic data, date of birth, and sex) may be retained where laboratory regulations and other legal obligations require it, so a deletion request does not guarantee that every copy is destroyed.

  3. Stay Informed: Monitor communications from 23andMe, the bankruptcy court, and regulators such as the California Attorney General and the UK ICO for updates on how customer data will be handled as the proceedings unfold, and in particular on who acquires the data and under what privacy commitments.

Conclusion: A Call for Enhanced Data Governance

The circumstances surrounding 23andMe’s financial struggles serve not only as a cautionary tale for consumers but also as a rallying cry for the biotech sector to rethink its approach to data governance. Genetic data, given its immutable and deeply personal nature, warrants treatment that is fundamentally distinct from other forms of personal information.

Policymakers and industry leaders must advocate for regulations tailored to genetic data, including enforceable rules on portability, retention, deletion, and the conditions under which such data may be transferred to a new owner. Organizations involved in genetic research and data management also need strict privacy controls and a zero-trust, least-privilege security model so that a single compromised account or reused password cannot expose data at the scale seen in 2023.

As the Justice Department, state regulators, and the public watch closely, the implications of 23andMe’s fate extend far beyond one company’s operational failures; they touch on critical issues of ethical data stewardship that reverberate throughout the industry. This is an opportunity for all stakeholders to address these vulnerabilities and lay the groundwork for a more secure, trustworthy future in the realm of genetic data management.