What 23andMe’s struggles could mean for data

The financial struggles of genetic testing and ancestry company 23andMe are raising questions about the security of customers’ DNA and other data.
The company announced Monday that it would lay off around 40% of its workforce — about 200 employees — and close its drug development arm in an attempt to cut costs.
On Tuesday, 23andMe released its latest earnings report, showing revenue dipped 12% in the last quarter and share prices fell.
The company has faced additional struggles over the past several months, including the resignations in September of the seven independent directors of the board.
Since its founding in 2006, 23andMe has sold more than 12 million of its DNA kits, which use a saliva sample to extract DNA that is then analyzed, according to the company’s website.
Here are four questions answered about 23andMe and users’ data.
A 23andMe spokesperson told ABC News the company had no further comment when asked Wednesday how the company’s business turmoil may impact customers’ personal data.
The company states on its website that it does not sell customers’ personal information to third parties or share it with them without the customer’s consent, that it does not voluntarily share data with law enforcement, and that it provides an opt-in option for customers who want to participate in research.
No. 23andMe is considered a direct-to-consumer genetic testing company, and transactions with the company are considered commercial, not medical.
Because 23andMe is not a medical company, customers’ personal information is not protected under the HIPAA Privacy Rule, which affords privacy protections to health records.
In 2023, the company experienced a massive security breach that exposed the data of nearly 7 million users.
23andMe said at the time that customer profile information shared through the company’s DNA Relatives feature had been accessed without authorization.
The company agreed in October to pay a $30 million cash settlement in a class-action lawsuit stemming from the data breach, according to The Associated Press.
Following the breach, the company also said it required every customer to reset their password and began requiring all customers to use two-step verification for login.
As a general rule, consumers who have shared their DNA with any direct-to-consumer genetic testing company should pay attention to the company over the years, as companies have the right to change their privacy policies and business practices.
Companies, 23andMe included, also have a responsibility to notify consumers of changes and get “consumers’ affirmative express consent for any new uses of their data,” according to the Federal Trade Commission, the government agency that conducts oversight of direct-to-consumer genetic testing companies.
