A Guide to Deleting Your Data from 23andMe

23andMe Files for Chapter 11 Bankruptcy Amid Concerns Over Genetic Data Privacy

Genetic testing firm 23andMe, once valued at $6 billion and heralded as a leader in personal genetic testing, has filed for Chapter 11 bankruptcy protection as it seeks to facilitate a sale of its business. The filing came late Sunday and marks a significant shift for the company. Anne Wojcicki, who co-founded 23andMe in 2006, has stepped down as CEO following unsuccessful efforts to take the company private.

In light of this development, a growing cloud of uncertainty looms over the future of the company and, crucially, the vast repository of sensitive genetic data it holds. Privacy experts have consistently warned of the dual risks associated with entrusting such data to organizations—namely, the potential for inadequate protection and the possibility of customers’ information being transferred to entities that users may not trust.

California Attorney General Rob Bonta issued a consumer alert emphasizing that Californians possess the legal right to request the deletion of their data from organizations, including 23andMe. However, similar protections are not uniformly available to customers in other states or countries, although Washington state’s My Health My Data Act and the European Union’s General Data Protection Regulation do provide some rights to deletion of health-related data. Therefore, it is advisable that all 23andMe customers take proactive measures to download the data they wish to retain and initiate deletion of their accounts.

Andrea Downing, a security researcher and co-founder of The Light Collective, underscored the pressing need for stronger national health privacy laws in the U.S., noting that current protections are lacking for most consumers outside of California and Washington. She pointed to the ongoing evolution of understanding regarding the value and vulnerabilities associated with genetic information.

John Verdi, senior vice president of policy at the Future of Privacy Forum, observed that while a new owner may have the authority to alter privacy policies for new customers and for future data collection, the data already collected will remain bound by the existing terms. “The company has legal obligations regarding information collected under the current policies,” Verdi explained.

As the transition unfolds, researchers caution that this extensive shift could expose users’ data in ways beyond their control. Kenn White, a veteran security researcher and advocate for data privacy, remarked on the fragility of privacy policies in the context of acquisitions within the venture capital and private equity landscape. He urged users not to delay in requesting data deletions, as the implications for regular consumers could be significant.

To initiate the deletion of genetic data from 23andMe, customers should log into their accounts and navigate to the Settings section of their profile. From there, users can access the option to view their data, download a copy of it, and proceed to permanently delete it. If users have consented to the retention of their biological samples, they can direct 23andMe to destroy that material as well.

From a cybersecurity perspective, this situation exemplifies the risks of retaining and transferring personal data. In MITRE ATT&CK terms, the tactics potentially at play are Initial Access, here through unauthorized data handling, and Persistence, here in the form of continued control over consumer information after an acquisition. As the fallout from 23andMe’s bankruptcy unfolds, the broader implications for genetic data privacy and security remain a critical concern for business owners and consumers alike.
