What happens to your information if 23andMe ceases operations?

Healthcare law expert indicates that the biotech firm’s precarious future highlights the necessity for safeguarding personal and genetic information
A recent study featured in the New England Journal of Medicine advocates for regulations aimed at securing consumers’ personal and genetic data, given the unpredictable future of the biotech firm 23andMe.
The genetic ancestry firm, founded in 2007, gained immense popularity, attracting millions of clients who submitted saliva samples to discover their lineage and genetic characteristics.
The company reached a valuation of $6 billion, equivalent to $17.65 per share, shortly after its public offering in 2021. However, it has since plummeted to approximately $48 million, or $1.78 per share, following a data breach in 2023 and the departure of several board members. In January, the firm announced that it is considering “strategic alternatives,” which may include selling the company or its assets, restructuring, or forming business partnerships, among other options.
In this edited conversation, I. Glenn Cohen, one of the study’s contributors and faculty director of the Petrie-Flom Center at Harvard Law School, explains the legal framework regarding genetic data, the rationale behind the need for enhanced consumer protection laws, and actionable steps for individuals to safeguard their personal and genetic information.

If 23andMe were to seek bankruptcy protection, what could happen to the genetic information the company holds on 14 million individuals?
With 23andMe facing considerable financial troubles and potentially being bought out or entering bankruptcy with its assets liquidated, the genetic and health data provided by its users represent a significant asset for the firm. Many individuals have availed themselves of services like 23andMe, Ancestry.com, and similar companies that offer direct-to-consumer genetic testing to explore their ancestry or genetic makeup.
However, in the process of pursuing these inquiries for personal insight, they have also contributed to extensive genetic databases. Our apprehension lies in the possibility that this data could end up in the hands of entities other than 23andMe, in ways that many users who provided their information to 23andMe never anticipated and may find objectionable.
What potential scenarios could arise, and what are your concerns?
One issue pertains to data security. We observed that 23andMe itself suffered a significant data breach in 2023, and if another entity that acquires the data lacks adequate data security measures, there is a risk of further breaches.
Notably, at one point, the Pentagon advised military personnel against using these at-home DNA testing kits due to concerns regarding national security. A more commonplace worry is that your genetic information could become accessible to others, leading to the potential for reidentification.
For instance, a study from several years ago demonstrated that researchers utilized genetic data to determine, through what’s known as genome-wide association studies (GWAS), which regions of the genome were correlated with being gay. Many individuals who submitted their genetic data understandably expressed outrage at the notion that such information could be applied in this manner.
Thus, while consumers have chosen to disclose their information to 23andMe, which they benefit from, they ultimately have minimal influence over what transpires should the company be acquired or face bankruptcy, resulting in asset liquidation.
Do federal health privacy laws provide confidentiality safeguards to consumers?
The Health Insurance Portability and Accountability Act (HIPAA) is the statute that, among other provisions, establishes rules regarding what information can be shared when you consult with your healthcare provider.
The challenge is that HIPAA’s definitions of covered entities and business associates imply that when you furnish information, including genetic data, not to a medical institution or physician, but instead to a direct-to-consumer company like 23andMe, you are not safeguarded by HIPAA. Legally, you are regarded as a consumer, not as a patient.
There are additional federal statutes that offer some protection. The Genetic Information Nondiscrimination Act prevents health insurers, as well as employers, from utilizing genetic data in a discriminatory manner. Such legislation remains applicable, yet health privacy regulations at the federal level do not directly apply in interactions with a private company like 23andMe.
What about the privacy commitments that 23andMe extends to its clientele?
It is worth mentioning that 23andMe seeks consent from its users to utilize their data for research objectives. Although there is an option to withhold consent, approximately 80 percent of users have consented.
The user agreements articulate a privacy policy stating that all U.S. customers possess certain rights, including the right to refuse the storage of saliva samples and the right to request account deletion. Additionally, the policy affirms that individual-level information regarding diseases or genotypes will not be shared, nor will de-identified information be willingly disclosed to insurance companies, employers, public databases, or law enforcement agencies without a subpoena.
Nevertheless, the firm does share personal data with service providers and contractors for the purposes of sample analysis, marketing, and analysis. Additionally, the privacy policy maintains the organization’s right to transfer clients’ personal details in the case of a sale or insolvency, and clients are unable to shield their information from being accessed, sold, or transferred as part of that deal.
Can insolvency laws provide certain protections to 23andMe users?
One of the authors of the paper, Melissa Jacoby, is an expert in bankruptcy law. While my expertise lies in health law, I will do my utmost to clarify. Numerous firms that held delicate information have declared bankruptcy, and during that process, they’ve sold consumer information to third parties.
Insolvency law provides some safeguards. Bankruptcy itself is a transparent process. There’s public scrutiny, and occasionally regulatory bodies, such as the [Federal Trade Commission] or state attorneys general, may intervene in cases and strive to join the bankruptcy proceedings. A federal court supervises a bankruptcy, and the U.S. Trustee Program, a unit within the Department of Justice, can sometimes become involved as well.
In certain situations, insolvency law has mandated that a consumer privacy ombudsperson assess a sale and ascertain whether it aligns with the bankrupt entity’s privacy policies, as well as the legislation.
These are some safeguards, but they are not infallible. One point we wish to emphasize is that when most individuals provided their genetic information, they had never considered this aspect, and we simply want people to be aware of it.
What are your policy suggestions to safeguard consumers’ personal and genetic information?
The U.S. possesses a federal health privacy statute that is somewhat outdated compared to our counterpart nations in Europe. One potential remedy to this issue would be to establish more comprehensive data privacy regulations that would encompass all personal information, including genetic data, and that would also apply in bankruptcy situations.
Numerous efforts have been made to compel Congress to thoroughly revamp federal privacy laws, including health privacy statutes. These attempts have not truly achieved success. Therefore, we’re not optimistic.
A more specific approach might involve considering the expansion of the HIPAA law to incorporate companies like 23andMe, or potentially broadening the scope of what the Genetic Information Nondiscrimination Act encompasses with respect to discrimination and genetic data. New regulations could also tackle situations where a company possessing genetic data experiences bankruptcy. That’s what we hope to see. Whether it will come to fruition, I am uncertain.
What actions can consumers take in the interim?
Moving forward, I would contemplate these matters as you decide if the type of information you will receive from a direct-to-consumer company like 23andMe outweighs the potential risks.
Also, when you have the option to decline consent for data sharing, I believe that’s worth considering. If this issue troubles you, now might be the time to remove that information from your account, even though it might not be a complete resolution.
There are numerous reasons people are interested in their heritage or genetic information. My hope is that this scenario may also prompt companies to be more conscious of privacy. I would relish the idea of a situation where individuals can enjoy their desired information without feeling their data might jeopardize them in the event of a bankruptcy or similar circumstances.