California Attorney General Rob Bonta has issued a reminder to customers of the beleaguered biotech company 23andMe regarding their rights to manage and delete their genetic information. This advisory underscores protections established under California’s Genetic Information Privacy Act (GIPA) and the California Consumer Privacy Act (CCPA), which are particularly pertinent as 23andMe faces financial uncertainty and questions about its ability to continue operations.
The advisory, released on March 21, 2025, came shortly after 23andMe disclosed its dire financial straits, casting doubt on its ongoing viability. Just two days following this statement, the company announced its filing for Chapter 11 bankruptcy protection in the United States to facilitate the sale of its assets. According to Mark Jensen, the Chair and Member of the Special Committee of the Board of Directors, this decision was made after evaluating various strategic options and determining that a court-supervised sale represented the most effective method to optimize business value.
Compounding these challenges, 23andMe’s Co-Founder and CEO, Anne Wojcicki, announced her resignation on March 24, 2025, indicating that she plans to pursue ownership of the firm as an independent bidder. This move comes against a backdrop of past setbacks for the firm. Following a 2021 IPO, after which its valuation peaked at approximately $6 billion, 23andMe encountered declining investor confidence, an inability to achieve profitability, and worsening market conditions.
In a bid to revitalize its strategy, the company appointed a board of independent directors in March 2024, and by July, Wojcicki proposed taking 23andMe private. This offer, however, was rejected, leading to the resignation of seven board members in September of the same year. Also in March 2024, the company agreed to a $30 million settlement to compensate victims of a significant data breach that occurred in 2023, while not admitting any wrongdoing. This breach had compromised the genetic data of approximately 6.9 million users, predominantly based in the U.S.
In response to the cybersecurity incident, 23andMe committed to enhancing its data security measures, implementing mandatory multifactor authentication and bolstering protections against credential stuffing attacks, alongside annual security audits. However, organizational restructuring was necessary, and at the end of 2024, the company announced a significant workforce reduction of 40% from its 200 employees.
Bonta emphasized that California customers have specific rights concerning their data under GIPA and the CCPA. These rights include the ability to delete their genetic data from the company’s systems, to revoke consent for the use of their data in research, and to have their genetic samples held by the company destroyed. Despite its financial turmoil, 23andMe has publicly stated that it is continuing operations normally and has not altered its protocols for managing or safeguarding customer data.
Amidst these developments, 23andMe is now valued at approximately $48.56 million, highlighting the steep financial decline that followed its initial success. This situation places a spotlight on the challenges inherent in maintaining customer trust and robust cybersecurity protocols in an era increasingly marked by data breaches and heightened consumer expectations regarding privacy.
The incident also illustrates adversary tactics outlined in the MITRE ATT&CK framework, especially initial access and persistence, which may have contributed to the data breach and its subsequent fallout. As cybersecurity issues remain pervasive across industries, businesses must remain vigilant in protecting sensitive information and adhering to evolving state regulations.