The struggling genetic testing company 23andMe has filed for bankruptcy, and its co-founder and CEO has resigned. Now, its millions of customers are wondering what happens to their genetic data — and whether it’s secure.
CBC News heard from readers this week who had concerns about the security of their data, how they can delete their personal information, and what new ownership could mean for them. We’ve tried to answer as many as we can.
CBC News reached out to 23andMe. The company responded by pointing to its news release and its open letter to customers.
First, what happened?
San Francisco-based 23andMe announced on Sunday that it will look to sell “substantially all of its assets” through a court-approved reorganization plan. Co-founder Anne Wojcicki, who made multiple failed takeover bids, resigned as CEO. 23andMe did not say whether there are other interested bidders.
23andMe was founded in 2006, with a promise to revolutionize the future of genetics and health care. The company became known for its saliva-based DNA testing kits — purchased by millions of customers eager to learn more about their ancestry — and later dived further into health research and drug development.
But it has faced an uncertain future for some time. Beyond battles to go private, the company struggled to find a profitable business model since going public in 2021. Then in 2023, hackers exposed the personal data of nearly seven million 23andMe customers over a five-month period, dealing a major blow to the company’s reputation and compounding its growth problems.
In November, the company laid off 40 per cent of its workforce.
WATCH | Proposed class action over data breach: 
The genetic testing company 23andMe says hackers gained access to the profiles of millions of its users in October. Now, some customers are involved in a proposed class-action lawsuit against the company.
Is the company still in business?
Yes. 23andMe says it plans to continue operating.
In an open letter to customers posted Sunday, the company wrote that “orders and subscriptions will continue as normal, and any purchases or genetic testing kits sent in for processing will be handled without disruption.”
23andMe added that customers still have full access to their accounts, reports and stored data.
OK. So what happens to my data now?
Though the company’s privacy policies say that the data could be sold to other firms, 23andMe says customer data will remain protected.
In its recently updated privacy policies, the company writes that if it is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, “your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
However, the company said the bankruptcy process will not affect how it stores, manages or protects customer data. Its open letter to customers stated that “any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.”
John Bringardner, the executive editor of the newsletter Debtwire, notes that any new buyer of 23andMe will have to comply with regulatory approvals that ensure “customer data won’t end up in unscrupulous hands.”
But Toronto lawyer and cybersecurity expert Brent Arnold said his concern is that when a company is going bankrupt, privacy issues and compliance are sometimes the last thing on their minds.
“They’re just thinking about getting through the restructuring, having the business survive,” he told CBC. “So everything else becomes secondary, including properly protecting your data.”
A 23andMe representative displays the contents of a DNA kit at the RootsTech annual genealogical event in Salt Lake City, Utah, in February 2019. (George Frey/Reuters)
Is my data safe?
For those who are wondering, you’re not alone. Officials, including California Attorney General Rob Bonta, had questioned what would happen to the genetic data collected by 23andMe. Last week, Bonta issued a consumer alert urging customers to delete their accounts.
“Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” he wrote Friday.
On Tuesday, New York Attorney General Letitia James also encouraged customers to delete their accounts and secure their data, calling 23andMe’s bankruptcy announcement “concerning.”
The Washington Post’s tech columnist Geoffrey Fowler wrote Monday that “unless you take action, there is a risk your genetic information could end up in someone else’s hands — and used in ways you had never considered.”
LISTEN | Is your 23andMe DNA safe?
Millions of people shared their DNA with 23andMe, but now the company is in financial trouble and shedding 40 per cent of its workforce. What does that mean for all the genetic information the company holds?
Who will end up owning 23andMe down the road is unknown, and experts note that risks remain.
“Personal data collected by 23andme has always been at risk,” Bringardner wrote in an emailed commentary to the Associated Press on Monday. He pointed to the 2023 data breach that compromised ancestral information for nearly seven million 23andMe customers.
He adds that litigation spanning from the aftermath of this breach helped drive up liabilities that eventually contributed to the current bankruptcy filing.
Arnold added that 23andMe may be particularly vulnerable to hackers right now. “They’re probably not in as good a position to repel an attack as they would be when they were running with full funding.”
How could my data potentially be used?
In November, when 23andMe announced it was laying off 40 per cent of its employees, University of Alberta professor Timothy Caulfield told CBC’s The Current that there are “reasons to be concerned” about your personal data, especially given that not only have breaches happened in the past, but they could happen in the future — with any company.
Caulfield, a Canada research chair in health law and policy, noted it’s possible that if you were predisposed to genetic conditions, and someone found out, the information could potentially be used for “nefarious purposes.”
These nefarious purposes potentially could include discerning your relatives and ancestry, unearthing family secrets, or revealing clues about diseases you have or could be predisposed to, said Ginny Fahs, director of product research and development for Consumer Reports’ Innovation Lab, in the Washington Post.
“If the data makes its way to certain insurers, they may deny you coverage or charge you more for life, disability or long-term care insurance because of your genetics,” Fahs said.
There’s also a risk that if the data is sold to a new company, they might want to use it in a different way, Fowler wrote in the Washington Post. He points to the company’s privacy policy that says your data could be sold or transferred as part of a company transaction.
What protections are in place?
Earlier this month, researcher Sara Gerke, an associate professor of law at the University of Illinois, told the New England Journal of Medicine‘s podcast that the U.S. doesn’t have comprehensive data privacy laws and that “the entire system itself has a lot of weaknesses and doesn’t protect consumers’ privacy properly.”
However, bankruptcy laws can offer some protections to 23andMe customers, she added, especially given that it’s a public process where regulators can step in or ombudsmen can investigate the sale. Still, there are weaknesses in the bankruptcy system, too, Gerke added.
“And ultimately it does not necessarily stop the sale of customer data to the highest bidder.”
Arnold noted that, although Canadian customers will fall under Canadian privacy law, Canada hasn’t had much luck in enforcing its privacy laws abroad.
“The bottom line is this — you don’t have much control over where [your data] is going.”
The 23andMe booth at the RootsTech 2019 genealogical event in Salt Lake City, Utah. (George Frey/Reuters)
Can I delete my information?
Yes, with caveats.
Gerke said that people who are concerned can be proactive by deleting their accounts. However, she notes this only provides “partial relief” because if you’ve already consented for your data to be used for research that’s already published or included in a dataset, that can’t be retracted (On its account closure page, 23andMe notes that your information will not be used for any future research).
Plus, 23andMe clearly states that even if you cancel your account, it “will retain limited information” about you.
In its privacy statement, the company writes, “23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations … even if you chose to delete your account.”
The company explains you can directly delete your account in your account settings. You can download your data to your personal device before deleting it.
Page 2
23andMe on Sunday filed for bankruptcy in the U.S. after struggling with the fallout of a data breach and weak demand for its ancestry testing kits that featured in Oprah Winfrey’s annual list of favourite things just eight years ago.
The biotech unicorn has seen a sharp fall in its market value since then. On Monday, its shares fell 46 per cent to 96 cents after co-founder and CEO Anne Wojcicki, who made multiple failed takeover bids, also resigned.
- Are you worried about your 23andMe data? We want to hear from you. Send an email to [email protected]
Wojcicki will be replaced by chief financial officer Joe Selsavage on an interim basis.
Founded in 2006, 23andMe was the first company to offer autosomal testing by getting users to directly submit saliva samples, which would be analyzed to produce charts of their background and lineage.
In 2021, billionaire Richard Branson’s SPAC (special-purpose acquisition company) took 23andMe public at a $3.5 billion US valuation. AncestryDNA, which offers similar tests, was also bought by Blackstone Group that same year, despite slowing sales for both the genetic testing companies.
A five-month-long data breach in 2023, which exposed personal data of nearly seven million customers, dealt a major blow to 23andMe’s reputation. Late last year, it laid off 200 employees and stopped development of all therapies.
Attendees visit the 23andMe booth at the RootsTech annual genealogical event in Salt Lake City, Utah, on Feb. 28, 2019. The company has struggled to regain its footing since a 2023 data breach. (George Frey/Reuters)
It also agreed to a $30-million US settlement in a lawsuit related to the breach.
Wojcicki has been pushing for a buyout since last April but has been rebuffed by 23andMe’s board. She reportedly used her contacts including ex-husband and Google co-founder Sergey Brin to help drive initial investments. In September, all of 23andMe’s independent directors resigned from the board amid Wojcicki’s attempts to take the company private. Three new independent directors were appointed in October.
She intends to make another bid, Wojcicki said in a post on X on Monday, without giving details. Her last offer of 41 cents per share valued 23andMe at about $11 million US, below its current value of $50 million US, and a far cry from its $6 billion US peak in 2021.
23andMe secured a financing commitment of about $35 million US on Sunday and will continue to operate during the sale process. It did not say if it had other buyout offers or interest.
It listed assets and estimated liabilities between $100 million US and $500 million US.
