This story was originally posted on MyNorthwest.com
23andMe helped 15 million users around the world answer the question we all share: Where did I come from?
Since its launch in 2006, the biotechnology company has not only answered questions about family trees, but also about genetic probabilities, such as whether you think cilantro tastes like soap or if you have a genetic marker associated with late-onset Alzheimer’s disease or diabetes.
However, in March, after settling a $30 million lawsuit over a data breach, 23andMe declared bankruptcy and announced it is selling the company, including the massive amounts of data it has collected over the last 20 years from willing customers who ordered a 23andMe tube, spit saliva into it, and sent it back.
The result has spurred a nationwide data privacy debate, which includes an upcoming May 6 Congressional hearing focused on the security and ethical concerns regarding the collection, use, and sale of personal data, especially genetic data.
No HIPAA violations for selling data
Suzanne Bernstein, an attorney with the Electronic Privacy Information Center, said the dissemination of 23andMe data is legal: there is no comprehensive federal data privacy law in place to stop the sale of genetic data by a private company, and the Health Insurance Portability and Accountability Act, better known as “HIPAA,” does not stop it either.
“The HIPAA scope is very narrow; it only applies where a patient is sharing medical records with a doctor or insurance company,” Bernstein said. “On the federal level, there aren’t many protections for consumers for their highly sensitive genetic data that 23andMe has.”
On Tuesday, 23andMe agreed to have a court-appointed overseer safeguard customers’ genetic data during the company’s bankruptcy proceedings, resolving a dispute with multiple U.S. states. Those 25 states argued the biotech company was not taking data security seriously after 23andMe proposed hiring a “customer data representative” who would have a more limited focus on ensuring a future sale of the company complied with its current privacy policies.
According to an attorney for the company, it is still negotiating with potential buyers. After resigning as CEO of 23andMe, founder Anne Wojcicki said she is interested in buying the company back. One reason for doing so is the value of 23andMe’s data.
“That data for 23andMe is its largest asset,” Bernstein added.
However, she warned there are no safeguards in place to ensure what any potential buyer would do once it owned the data. Those potential buyers could include data brokers who could sell data to advertisers, drug companies, healthcare providers, or insurance companies.
“It’s unclear who will buy that and what those uses of that data could be,” Bernstein said.
23andMe was created to influence how modern healthcare works by creating a genetic database large enough to discover common genetic variants linked to more than 240 “health conditions and traits,” including diseases and cancers.
In 2013, the U.S. Food and Drug Administration (FDA) told 23andMe to stop marketing its health-related genetic tests in the U.S. because the company did not complete the agency’s regulatory review process. By 2018, the FDA had started allowing 23andMe to market the country’s first-ever direct-to-consumer (DTC) tests, like their Personal Genome Service Genetic Health Risk (GHR) that tests for 10 diseases or conditions.
However, it’s not the ability for people to use genetic testing to identify potential future health issues that has University of Washington (UW) Bioethics Professor Sue Trinidad concerned.
“A concern I have about broad consent regimes where you say, ‘OK, you can have my stuff and do whatever you want with it,’” Trinidad said. “A broad consensus by definition means you don’t know who those future users are, so you’re being asked to place your trust in some person or entity that you know nothing about.”
Unlike private companies, like 23andMe, medical researchers are required to undergo ethics reviews to ensure that the burden and risks a person may incur while participating in research are justified. That is not a requirement for companies like 23andMe.
“On the research side, we are required to disclose risks that we think might happen or could happen and disclose the steps that we are taking to protect against that,” Trinidad said.
Attorneys General across the country recommended that customers who don’t want their 23andMe data passed on to another company deactivate their account as soon as possible. In a release on its website, the Washington State Attorney General’s Office also reminded Washingtonians of their right to genetic data privacy and their ability to request data deletion.
Washington’s My Health My Data Act safeguards residents’ sensitive health information, including genetic data, from being collected, shared, or sold without their consent or authorization. The state law grants consumers the right to withdraw consent, request data deletion, and verify whether their data has been shared or sold. Additionally, consumers can obtain a list of all third parties who have received their data.
You can find the step-by-step process to deactivate your 23andMe account here.
If you choose not to deactivate your account, Bernstein warned that another concern to consider is how your data could be stored or used, not just in the following months and years, but for generations if that data is not destroyed.
“It’s also a basic concern about how sensitive health information is being used for purposes that you really couldn’t consider or think about when you first signed up, just to understand where your family might have come from,” Bernstein said.
©2025 Cox Media Group