BALTIMORE — A genetic testing company is filing for bankruptcy, raising serious privacy and data security concerns for millions of customers who sent in DNA samples.
"Your DNA is the key to amazing information about your health, ancestry, and traits," as 23andMe's marketing suggests.
The company unlocked this data trove for 15 million of its users, but now the concern is who else will have access as the company seeks to sell its assets in bankruptcy proceedings.
"The data is rich in terms of both your profile, in terms of who you are and your ancestry and all that, but also health information," said Dave Stuart, the senior director of product marketing for Sentra.
Sentra is a security platform helping companies protect its users' data, and Stuart said consumers' main concern should be this information falling into the wrong hands.
"Absolutely could be used for a wide range of fraud, impersonation and even just discrimination," said Stuart.
Health companies could potentially use this personal data to change insurance rates or possibly deny coverage. However, Stuart said HIPAA should provide some protections.
"It is protected by it, but again, depending on the acquirer and their sovereignty and their intentions, you know, the question is, could you fully trust that as your sole protection? I don't think so," said Stuart.
In a statement, 23andMe said they're committed to continuing to safeguard customer data and being transparent about the management of user data going forward. They added that data privacy will be an important consideration in any potential transaction.
Even so, more than 7 million people had their genetic information exposed in a data breach in 2023, proving it's difficult to safeguard this information. Other companies face the same challenge.
"I've been in security more than 25 years, and it's a constant arms race, and it's continuing. AI is accelerating that arms race in some ways," said Stuart.
The Maryland Attorney General is now recommending that consumers consider deleting their account and data through the company's website.
And even though some information may seem benign—including traits such as asparagus odor detection, cilantro taste aversion, fear of public speaking, or ice cream flavor preference—Stuart says this is a way for scammers to profile their victims then deceive and defraud.
"I would absolutely advise taking the action to delete it. At a minimum, go in and check on your settings and your profile about what permissions you're allowing. You may want to restrain those more critically or more severely during this period, until such time as it becomes clear ultimately, who will be the new owners," said Stuart.
A U.S. bankruptcy judge ruled 23andMe has the right to sell customers' medical and ancestry data to potential bidders. Offers will be due in May and a final hearing will be held in June.
Stuart also warns that scammers may use the bankruptcy news to send phishing emails. So before opening any emails claiming to be from the company, look closely at the sender's email and go directly to the company's website instead of clicking on any links.
The company website has details on how to delete your 23andMe account. You can submit your request in your Account Settings.
If you have any issues, you’re advised to email customercare@23andme.com or privacy@23andme.com.
“This story was reported by a journalist and has been converted to this platform with the assistance of AI. Our editorial team verifies all reporting on all platforms for fairness and accuracy.”