DNA testing company 23andMe has filed for bankruptcy. What does that mean for your data?

Genetic testing company 23andMe announced on Sunday that it has filed for bankruptcy due to low demand for its ancestry kits and after a 2023 data breach damaged its reputation.

The company, which has over 15 million customers worldwide, said it voluntarily filed for Chapter 11 bankruptcy to “facilitate a sale process to maximize the value of its business.” 23andMe is seeking authorization from a bankruptcy court in Missouri to “sell substantially all of its assets.”

The company’s market value peaked at almost $6 billion after it went public in 2021, but 23andMe reported a 7% decline in revenue and losses of $174 million in the first nine months of its current fiscal year.

The direct-to-consumer company has customers submit a saliva sample for their DNA to be analyzed either for ancestry purposes, family traits or for potential health risks. Part of the reason for the company’s decline in earnings is due to waning interest in its testing kits.

In 2023, hackers gained access to personal information from roughly 14,000 user accounts over a span of five months that appeared to target Jewish and Chinese users, which alarmed customers and heightened concern about the privacy of their data. It dealt a major blow to the company’s reputation and prompted a class-action lawsuit that claimed the company did not protect users' personal information and failed to notify customers of the breach.

23andMe settled the lawsuit in December 2024, and agreed to establish a $30 million fund for cash payments and three years of security monitoring for affected customers.

The company also announced Sunday that its co-founder and CEO Anne Wojcicki is resigning from her role effective immediately after a failed attempt to take the company private, but will continue to serve on the board. The company plans to continue operating through the sales process and CFO Joe Selsavage will replace Wojcicki as interim chief executive.

Concerns have since arisen that a transfer of the company’s ownership could mean that a user’s most sensitive genetic data could end up in unknown hands.

What the company has said about the safety of customers’s data

“There are no changes to the way the Company stores, manages, or protects customer data,” 23andMe said Sunday.

Additionally, Mark Jensen, chair and member of the special committee of the board of directors at 23andMe said, “We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.”

Why a customer’s 23andMe data isn’t protected under HIPAA laws

The Health Insurance Portability and Accountability Act, known as HIPAA, is a law that protects a person’s private health information from being shared without the person’s knowledge or consent.

However, HIPAA only protects that type of information when it’s provided to an entity like a hospital system, physician health plans or billing companies that conduct business with them. 23andMe is not subject to HIPAA regulations because it’s a direct-to-consumer company outside of the health care realm. The person is treated as a consumer rather than a patient.

“That means that as long as their terms of service don’t specifically prohibit it, these companies can conduct research on your genetic data, sell it, or share it with third parties,” James Hazel, a postdoctoral researcher at the Law Centre for Health and Life at the University of Amsterdam in the Netherlands, told Consumer Reports.

What could happen to the data if the company is sold

A person’s genetic information could be used to their (or a relative's) detriment. For example, Mason Marks, a visiting professor at Harvard Law School, told Consumer Reports that a worst-case scenario could be “an employer or insurance company might find you have a predisposition to develop early onset Alzheimer’s, cancer, mental illness, or substance use disorder, and discriminate against you based on that.”

But isn’t that illegal? The Genetic Information Nondiscrimination Act of 2008 prohibits discrimination in a person’s employment and health insurance based on a person’s genetic makeup.

“Though that doesn’t mean it couldn’t happen,” Consumer Reports says.

Or if 23andMe ends up being bought by a pharmaceutical company, the user could be targeted with ads based on results from their genetic tests.

When it comes to law enforcement, 23andMe does not allow authorities to search their database. “Unless required to do so by law, we will not release a customer’s individual-level Personal Information to a law enforcement agency without asking for and receiving that customer’s explicit consent,” the website states. “More specifically, we will closely scrutinize all law enforcement requests and we will only comply with court orders, subpoenas, or search warrants that we determine are legally valid — we are prepared to exhaust available legal remedies to protect customer privacy.”

The California attorney general is urging consumers to delete their 23andMe data. Here’s how to do that.

California Attorney General Rob Bonta issued a consumer alert on Friday to 23andMe users and provided instructions on how to delete genetic data from their accounts, how to instruct the company to delete their test sample and revoke permission for genetic data to be used for research.

“I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” Bonta said.

The 23andMe website states: “We recommend downloading any Personal information from within your Account Settings before submitting your deletion request.”

The company provides a guide on how to download your data and has told CNET that some of the downloads can be delivered right away, while other files can take up to 30 days.

If a user opted for 23andMe to store their saliva sample and DNA, the user can change that by going to the account settings page under “preferences.”

Here’s how users can delete their account and personal information:

1. Log into your 23andMe account and go to the “Settings” section of your profile

2. Scroll to a section labeled “23andMe Data” at the bottom of the page

3. Click “View” next to “23andMe Data”

4. Scroll to the “Delete Data” section

5. Click “Permanently Delete Data”

6. Confirm your request: You’ll receive an email from 23andMe; follow the link in the email to confirm your deletion request

"If a customer opted in to 23andMe Research, their Personal Information will no longer be used in any future research projects," a 23andMe spokesperson told CNET. "Please note, data cannot be removed from research that's already been conducted."