23andMe bankruptcy underscores health privacy gaps

Illustration: Sarah Grillo/Axios

The demise of 23andMe illustrates the vulnerable state of Americans’ health data, as med tech companies vacuum up more personal information with little regulatory oversight.

Why it matters: Fitness trackers, wellness apps, genetic tests and other direct-to-consumer tools that capture personal health information aren’t subject to federal health data privacy laws. That could open the door to fraud or discrimination.

  • “We’re getting into an era where we have more entities sitting on these big datasets,” said Sara Gerke, an associate law professor at the University of Illinois Urbana-Champaign.

Catch up quick: 23andMe filed for bankruptcy Sunday to facilitate a sale of the company, which has been in financial distress and saw its board of directors quit last year.

  • That raises questions about what an acquiring company would do with the genetic and personal data of the more than 15 million people who have provided saliva samples for 23andMe’s testing kits.

Where it stands: 23andMe said in a release that the bankruptcy filing won’t change the way it protects customer data and that data privacy will be a key consideration in a future sale.

  • But as things currently stand, a buyer could change the privacy policy after the sale.
  • Some consumer advocates have suggested people proactively remove their information from the company’s files. California Attorney General Rob Bonta on Friday advised 23andMe consumers to take advantage of state privacy laws and ask the company to delete their data and destroy their genetic material.
  • 23andMe’s privacy policy states that it keeps certain genetic information to comply with legal requirements and other “limited information” related to your account, even if you delete it.
  • Additionally, if data has already been used for research, it may only be partially removed, Gerke said. More than 80% of 23andMe customers consent to participate in research, according to the company.

Zoom out: In reality, there isn’t much federal protection for customer data shared with 23andMe, or other companies that circle the health care space but aren’t actually health providers.

  • The landmark health privacy law HIPAA only applies to health providers, insurers, clearinghouses and their business associates, leaving a big gap as the market for consumer and digital health gadgets grows.
  • The Federal Trade Commission acts as a watchdog to make sure companies don’t deceive consumers and act in accordance with the data privacy terms and conditions they’ve set up.
  • But those privacy policies are “frequently long, lengthy documents written by lawyers that are hard to decipher,” said Andrew Crawford, senior counsel of privacy and data at the Center for Democracy and Technology.
  • At the end of the day, “there is no government law or regulator that is really saying this is what happens to this data, and this is what you have to do,” noted Lisa Pierce Reisz, an attorney at Epstein Becker Green.

States have tried to fill that gap, creating what’s at best a patchwork health privacy system.

  • 20 states have their own comprehensive consumer data privacy laws, according to Bloomberg Law. Washington and Nevada also have laws that specifically safeguard health data that falls outside of federal health privacy requirements.
  • “I think we’re going to see more of that, and that’s going to be challenging, especially for companies that operate across states,” said Shannon Britton Hartsfield, a partner at Holland & Knight.

What we’re watching: Federal lawmakers last year introduced a draft bipartisan data privacy bill, and efforts are underway in Congress this year to come up with legislation for comprehensive privacy protections.

  • But a national privacy law remains a long shot at the moment, said the University of Illinois’ Gerke. Expanding the scope of HIPAA or the 2008 Genetic Information Nondiscrimination Act to apply to entities that collect genetic information could be an easier fix, she said.

The bottom line: Once you give your personal information to a company, you lose some control over it, Pierce Reisz said.

  • “You’ve got to be careful where you put your data,” she said. “At the very least, read the policies on what they’re going to do with it.”
