Data Privacy,
Data Security,
Healthcare
Lawmakers Question Executives on Security; State AGs Move to Halt Sale of Bankrupt Firm
In a significant legal development, twenty-eight state attorneys general have initiated a lawsuit aimed at preventing the upcoming sale of the bankrupt genetic testing company 23andMe. The state officials contend that the sale should not proceed without explicit consent obtained from each customer regarding the transfer of their sensitive data to any new owner.
Two entities are currently in contention to acquire 23andMe: Regeneron Pharmaceuticals, a biotech company, and TTAM Research Institute, a nonprofit medical research organization co-founded by Anne Wojcicki, the former CEO of 23andMe. Last month, Regeneron entered into a preliminary agreement to purchase the company for $256 million. However, a bankruptcy court recently allowed the auction to be reopened, creating an opportunity for TTAM Research to bid $305 million. Regeneron can respond with a counteroffer starting at $315 million.
The lawsuit filed by the state attorneys general coincides with a Congressional committee’s investigation, during which members scrutinized 23andMe’s data privacy and security measures. The inquiry zeroed in on a 2023 credential-stuffing incident that compromised the data of nearly 7 million users out of 15 million total customers. Lawmakers expressed concern over both consumer privacy and potential national security implications related to the transfer of sensitive genetic information.
During the Congressional hearing, committee members, aware of the states’ demands, pressured Wojcicki and Selsavage to offer more consumer control over data during the planned sale. Their inquiries encompassed the necessity for notifying customers about data consent before any transition to new ownership.
Despite 1.9 million individuals, representing approximately 15% of 23andMe’s user base, requesting data deletion since bankruptcy discussions began, some lawmakers criticized the complicity of the company in making this process cumbersome. Representative Ayanna Pressley highlighted operational flaws, stating that users faced difficulties logging into their accounts, encountering error messages and crashes while attempting to delete their data.
Testimony from Selsavage affirmed that notifications were sent to consumers, announcing the sale and outlining the current operational status of their data. However, he maintained that customer consent for data transfer was implicitly granted during the initial service agreement.
Key questions linger regarding the effectiveness of regulatory protections for genetic and biometric data. Despite existing laws like HIPAA and GINA, gaps remain that expose sensitive information to potential exploitation. Lawmakers, including Representative David Min, called for updated regulations to safeguard consumer health data more comprehensively.
As the implications of 23andMe’s bankruptcy unfold, experts emphasize the urgent need for legislative action to address both data privacy and cybersecurity vulnerabilities exacerbated by emerging technologies. The ongoing proceedings serve as a stark reminder of the challenges posed by inadequate oversight and the risks associated with handling sensitive genetic information, particularly in an environment increasingly defined by artificial intelligence and its implications for national security.
Amid these developments, there is a consensus that companies like 23andMe must bolster their data protection measures to prevent unauthorized access or manipulation of genetic data, especially in light of potential threats from foreign entities. Legislative leaders stress the importance of ensuring that no loopholes exist that would allow adversarial nations to exploit Americans’ genetic information for malicious purposes.
