
23andMe filed for bankruptcy. Here’s why you should be worried about your privacy

23andMe has customers’ genetic data, and that data is valuable – and vulnerable – as the company goes through bankruptcy proceedings. (AP Photo/Jon Elswick)

Over the past decade, 23andMe has collected genetic data from millions of people — and now that the company has filed for bankruptcy, that information could be sold to the highest bidder, a Northeastern University data scientist warns.

“I don’t know the size of 23andMe’s genetic database, but I’m guessing it is large — and that data is extremely valuable,” says Christo Wilson, professor and associate dean of undergraduate programs at Northeastern’s Khoury College of Computer Sciences.

Who will buy 23andMe?

Wilson, also a founding member of the university’s Cybersecurity and Privacy Institute, says he could envision the data being sold to biomedical startups looking for genetic patterns, law enforcement interested in examining cold cases, or biomedical researchers training artificial intelligence on how well drugs work.

“I wouldn’t be at all surprised if a private equity group swooped in and bought them — but probably not on the strength of the consumer business, the genealogy side of it — but probably just because it’s a trove of data that could then be sold,” Wilson continues.

How much is the company worth?

23andMe says it has sold more than 12 million at-home DNA testing kits since its beginnings in 2006 and helped millions of users find ancestors as well as determine health risks such as the likelihood of developing Alzheimer’s or certain types of cancers.

The company — once valued at $6 billion — announced on March 23 that it was filing for Chapter 11 bankruptcy, raising immediate concerns about the data that it has collected. Chapter 11 is a reorganization process primarily for businesses, allowing them to continue operating while restructuring debts. 

What is 23andMe saying?

The company says the filing “does not change how we store, manage or protect customer data,” and that it will “look to secure a partner who shares in its commitment to customer data privacy.” Moreover, the company says any buyer will be required to comply with applicable law regarding the treatment of customer data.

Mark Berman, who teaches business bankruptcy at Northeastern’s School of Law, says that if personally identifiable information is sold during a bankruptcy case, the sale must align with the company’s privacy policy. If not, a consumer privacy ombudsman must be appointed to address the privacy concerns.

What is personally identifiable information?

Personally identifiable information is defined as name, physical address, electronic address, telephone number, Social Security number or credit-card number, as well as any other information that can be combined with any of the foregoing items of information to facilitate identifying or contacting the individual, Berman says. 

“That would seem to me to cover the personal information that 23andMe possesses,” Berman says.

He adds that a Supreme Court ruling provides for the appointment of a consumer protection ombudsman whenever personally identifiable information is proposed to be sold in a bankruptcy case.

“But there’s an inherent tension between protecting personally identifiable information and the desire of creditors owed money by the debtor company to maximize the value received in any sale during a bankruptcy case,” Berman says. “The bankruptcy judges are, in my view, sensitive to both concerns, and are still working their way through these issues.”

What law protects genetic privacy?

Meanwhile, Wilson notes there’s no federal genetic privacy law. States like California have some consumer protections regarding data privacy, but “not everyone in America has access to those,” Wilson says. 

There is another issue, Wilson says: the company’s procedure for handling a request to delete your data is “woefully inadequate.”

“What they say is that they will delete your account,” Wilson says. “So you can’t log in anymore, but they also say very clearly that they will retain a bunch of information about you, like your email address, and the genetic data also is not guaranteed to be deleted.”

History of data breaches

Moreover, 23andMe’s cybersecurity track record is lacking. 

“Part of the reason they’re in Chapter 11 bankruptcy is they were breached — a lot of data was stolen,” Wilson says. 

And many people may not even realize the company has their genetic data, Wilson adds.

“The thing about genetic data, and the reason it’s so sensitive, is that it’s not just you,” Wilson explains. “When I give my genetic data to them, I’m also very directly consenting in absentia for my family because it’s their information too.”

Customers have no recourse

But Wilson notes his family would have no recourse because they are not the company’s customers.

“It’s not their account,” Wilson says. “They may not even know that their relative gave data.”

So, what can you do?

Wilson recommends that customers contact 23andMe and request that their data be deleted — “imperfect as that may be.”

Wilson is not optimistic

“There’s almost nothing we can do at this point to block a sale or steer the course of it so that the sale is to someone who will be a good shepherd of the data,” Wilson says. “Maybe we’ll get lucky and it will go to someone who isn’t horrible. But long term, we need regulation about this kind of data because it is so sensitive.”

Asked if people should be concerned, Wilson had a simple answer. 

“Yes,” he says.