23andMe Bankruptcy: Understanding the Risks

Estimated Reading Time: 3 Minutes

The recent bankruptcy filing of 23andMe has sparked significant concerns regarding the security and privacy of personal genetic data. With over 15 million customers entrusting their sensitive information to the company, questions arise about how such data will be handled during and after the bankruptcy proceedings. Worth noting, too, is that the company suffered a data breach in 2023 which affected approximately 7 million users. 

Understanding the Risks

Genetic data is among the most intimate forms of personal information, revealing details about one's lineage, health predispositions, and familial connections. The potential misuse of such data – ranging from unauthorized sharing to exploitation by third parties – poses significant risks. The uncertainty surrounding 23andMe's future amplifies these concerns, as the fate of its extensive genetic database remains unclear.

23andMe’s privacy statement reads, in part: “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction.” This leaves much to the imagination and is not quite the confidence-inspiring statement consumers might hope for when entrusting a company with their most sensitive data.

Proactive Steps to Protect Your Data

California Attorney General Rob Bonta issued a consumer alert on Friday urging Californians to consider deleting their genetic data from 23andMe’s website. The alert provides step-by-step instructions for 23andMe customers to delete their data, which will trigger a request to the company for your data to be deleted. Importantly, though, if you do decide to go this route, ensure that you download the information you’d like to keep before deleting it (after all, at some point, having access to this kind of information about yourself was paid for and wanted).

If you're a 23andMe customer concerned about your data privacy, here are some proactive measures you can take to protect yourself:

1. Log into your 23andMe account and opt out of data sharing for research or third-party access if you haven’t already (this is under privacy settings).
   
   
2. Request to have your data deleted, as mentioned above. It’s not clear how long it is taking for these requests to go through, so it’s best to initiate it as soon as possible.
   
   
3. Delete your account if you no longer wish to use the service.
   
   
4. Regularly monitor updates and headlines about 23andMe, as we’re sure the situation will continue to evolve – and hopefully, there this means that more clarity surrounding customer privacy will be provided.
   
   
5. Watch out for phishing attacks. While data wasn’t breached per se, this unique situation is one that phishers might use to their advantage in ways we don’t even know yet. Phishing emails often impersonate people or brands you know and use themes that require urgent attention.
   
   
6. Similarly, if you have an identity protection plan, make sure that key Identity Monitoring items are being monitored, including:
   1. Email address(es)
   2. Mailing address(es)
   3. Phone number(s)
   4. Passwords
   5. Social Security number
   6. And other information that someone might use to steal your identity

In an era where data breaches and privacy risks are increasingly common, this highlights the need for stronger, more transparent data protection measures. Consumers should take proactive steps to safeguard their personal information, from reading privacy policies carefully to exercising their right to delete their data when possible.