Millions of Americans who have used 23andMe’s genetic testing services may be at risk of having their DNA data exposed, as the company faces mounting turmoil.
Privacy advocates warn that the genetic information collected from over 15 million customers could be vulnerable to misuse, potentially impacting not only individual privacy but also that of their relatives.
Digital rights organization, the Electronic Frontier Foundation (EFF), has expressed serious concerns about the potential exposure of genetic data. EFF’s staff attorney Mario Trujillo and associate director of digital strategy Jason Kelley highlighted the risks associated with any sale or transfer of 23andMe’s vast DNA database.
“Research has shown that a majority of white Americans can already be identified from just 1.3 million users of a similar service, GEDMatch, due to genetic likenesses, even though GEDMatch has a much smaller database of genetic profiles. 23andMe has about 10 times as many customers,” they said in a recent post on the EFF website, emphasizing the potential for identification even without direct access to personal identifiers.
Newsweek reached out to the Electronic Frontier Foundation and 23andMe via email for comment.
In late 2023, 23andMe experienced a significant data breach affecting nearly 7 million customer profiles. According to CBS News, hackers accessed health records and personal information, including carrier-status reports.
Customers of Chinese and Ashkenazi Jewish heritage seemed to have been specifically targeted, and some have filed a class-action lawsuit against the company for failing to notify them about the breach. The company attributed the breach to customers reusing passwords, but critics argue that 23andMe should bear responsibility for securing user data.
Eva Galperin, director of cybersecurity at the EFF, advised users to consider deleting their data from the platform.
“If you have a 23andMe account, today is a good day to log in and request the deletion of your data,” she wrote on X (formerly Twitter).
Amid financial struggles, including a stock price plummet of 99 percent from its peak valuation of $6 billion in 2021, 23andMe’s CEO Anne Wojcicki has indicated she might consider selling the company. Although she later clarified that she is not entertaining third-party offers and intends to take the company private, the possibility of a sale is concerning many.
Customers and privacy experts worry that new ownership might not honor existing privacy commitments.
“Having to rely on a private company’s terms of service or bottom line to protect that kind of information is troubling—particularly given the level of interest we’ve seen from government actors in accessing such information during criminal investigations,” said Vera Eidelman, a staff attorney with the American Civil Liberties Union (ACLU), in an NPR interview.
However, 23andMe’s transparency report, last updated on September 24, claims that, of the 11 law enforcement requests for personal customer data received by the company, no data was produced “without prior, explicit consent by the individual(s) specified in the request.”
Many consumers mistakenly believe that federal laws like the Health Insurance Portability and Accountability Act (HIPAA) protect their genetic data. However, HIPAA does not apply to direct-to-consumer companies like 23andMe. Genetic privacy laws vary by state, and federal protections are limited.
Anya Prince, a law professor and genetic privacy expert at the University of Iowa, told CBS News that while customers can request deletion of their data, information already shared with third parties cannot be taken back as it has been anonymized.
“You can’t find it at whatever pharmaceutical companies it’s already been shared with, because it doesn’t have a person’s name attached to it,” she said.
The potential exposure of DNA data doesn’t just affect individual privacy—it could have broader implications. Genetic information can reveal predispositions to certain health conditions, which could be misused by employers, insurance companies, or even law enforcement agencies.
Jason Kelley of the EFF highlighted the possibilities.
“Having access to this kind of information could give someone an enormous amount of intelligence about groups of people and potentially individuals,” he told CBS News. “There’s a sort of dystopian nightmare scenario where that kind of data can be tied back to individuals, or leaked to the internet.”
The EFF has advised 23andMe customers to “consider downloading a local copy of your information to create a personal archive, and then deleting your 23andMe account” if they don’t feel comfortable with a potential sale of the genetic testing company.
Customers who previously agreed to share their data for research purposes can also revoke this consent, although data already shared cannot be retrieved.
23andMe maintains that it prioritizes customer privacy and that data shared with third parties is anonymized. In a statement to CBS News, the company said: “For our customers, our focus continues to be on transparency and choice over how they want their data to be managed.”
The post DNA Records of Millions of Americans Could Be Exposed Amid 23andMe Turmoil appeared first on Newsweek.