(NewsNation) — After extended financial uncertainty and recent layoffs, 23andMe has filed for Chapter 11 bankruptcy, and CEO Anne Wojcicki, whose takeover bids failed, has stepped down.
The genetic testing company has the genetic data of more than 15 million customers — and California Attorney General Rob Bonta is warning users to purge their data sooner rather than later.
In a news release, Bonta said it is important to make use of “robust privacy laws” allowing customers to “take control and request that a company delete their genetic data.”
In a news release announcing the bankruptcy filing, 23andMe chair Mark Jensen thanked the company’s employees and assured the security of customer data.
Jensen said 23andMe is “committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.”
The company added in a letter to customers: “Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.”
About 80% of 23andMe’s customers agree to have their genetic data analyzed for medical research upon signing up for the service, NPR reported last year.
Despite the assurances from 23andMe, cybersecurity expert Aaron Rose, Office of the CTO at Check Point Software, says a potential sale at auction will still come with a substantial level of uncertainty for customers.
“The data privacy policies and agreements that we’ve always agreed to with 23and Me, are they transferable? What changes will [the buyer] make?” Rose said.
Even if the privacy policy remains the same and transfers over with the sale, Rose added that a new entity will have access to deeply personal information, and that comes with risk.
“How do I know that they have the appropriate cybersecurity measures in place? Right now no one knows who that’s going to be, so, unfortunately, at this point in time there’s more questions than answers,” Rose said.
While health care information is typically safeguarded under privacy laws, information acquired by direct-to-consumer companies — referred to as a “trove of sensitive consumer data” by Bonta — isn’t guaranteed that same protection.
“Personal data collected by 23andme has always been at risk,” Bringardner wrote in emailed commentary on Monday — pointing particularly to a 2023 data breach that compromised ancestral information for nearly 7 million 23andMe customers. He adds that litigation spanning from the aftermath of this breach helped drive up liabilities that eventually contributed to the current bankruptcy filing.
Last year, 23andMe agreed to pay $30 million in cash to settle a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in this breach. On Sunday, the company said that it plans to use bankruptcy proceedings to “resolve all outstanding legal liabilities” stemming from the October 2023 incident.
How to delete your data from 23andMe
Users can delete their data from 23andMe’s website by:
- Logging into their account
- Clicking on “Settings” under their profile
- Finding the “23andMe Data” section
- Clicking “View,” then “23andMe Data”
- Choosing the “Permanently Delete Data” selection
According to Bonta, 23andMe will then send a follow-up email allowing users to confirm their decision to delete their data.
If you want to take it a step further, you can delete your account altogether by:
- Scrolling to the “Account Information” section
- Selecting “Delete Your Account”
23andMe bankruptcy: Which states have genetic privacy laws?
Ten states — including California — have enacted privacy laws for direct-to-consumer genetic testing companies, according to a March 2024 article from the Future of Privacy Forum.
States include:
- Arizona
- California
- Kentucky
- Maryland
- Montana
- Utah
- Tennessee
- Texas
- Virginia
- Wyoming
NewsNation’s Ashley N. Soriano and The Associated Press contributed to this report.
