23andMe Declares Bankruptcy, Raising Personal Data Concerns for 15 Million

/ Blog, Cybersecurity, Identity Protection / By

Genetic testing and biotechnology company 23andMe filed for bankruptcy in federal court  March 23, raising privacy concerns for its 15 million customers who have shared their genetic information through its direct-to-consumer DNA tests. 

As the 19-year-old company seeks a buyer, the fate of this sensitive genetic information remains uncertain. Unless the data is deleted, it could be transferred to any business that acquires 23andMe, raising critical questions about security and ethical data stewardship.

Mark Jensen, 23andMe’s board chair, said in a statement that the company is “committed to continuing to safeguard customer data and being transparent about the management of user data going forward.” The genetic testing business says user privacy will be an “important consideration” as it searches for a buyer.

Cybersecurity practices and potential hackers are another concern, particularly as 23andMe had already faced a damaging data breach in 2023 (plus a subsequent lawsuit and settlement) where 6.9 million customers had their personal information exposed.

Consumers are being encouraged to delete their 23andMe account and data. The 23andMe website initially experienced some issues and delays due to high traffic after the bankruptcy announcement, but now appears to be glitch free.

“This isn’t just a typical data set; it includes deeply sensitive, immutable biological data that can be tied to individuals and their families for generations,” said Ensar Seker, chief information security officer for data security and intelligence platform SOCRadar, in an article published by FIERCE Healthcare. “Unlike a password or credit card number, you can’t change your DNA.”

If and when 23andme is acquired, the new owner could be a weak link in the cybersecurity chain, added Seker. If the parties can’t maintain proper safeguards and access controls “during this uncertain period, there’s a high risk” the data could be stolen and sold to cyber criminals to commit fraud, blackmail, discriminatory practices and even to exploit national security.

“The bottom line is that 23andMe’s bankruptcy shouldn’t just be seen as a business failure. It’s a data stewardship crisis,” Seker said. “Regulators, privacy watchdogs and even national security agencies should step in to ensure that this dataset doesn’t fall into the wrong hands. Transparency, oversight and ethical responsibility are now more important than ever.”

Although state and federal protections are limited when it comes to genetic data, the 23andMe case will shed light on the need for privacy laws. The U.S. currently has no federal privacy law and only 19 states do.

How to Remove Your Genetic Data from 23andMe

Deleting Your 23andMe Account and Personal Data:

If you no longer want 23andMe to store your information, you can permanently delete your account and associated data by following these steps:

  1. Sign in to your 23andMe account on their website.

  2. Navigate to your profile settings.

  3. Scroll down to the section labeled “23andMe Data.”

  4. Click the “View” option next to that section.

  5. (Optional) Before continuing, you can download a copy of your genetic data for personal records.

  6. Scroll further to find the “Delete Data” option.

  7. Select “Permanently Delete Data.”

  8. You’ll receive a confirmation email—follow the instructions in that email to complete the deletion process.

Requesting Destruction of Your DNA Sample:

If you’ve previously chosen to allow 23andMe to retain your DNA sample, you can request that it be destroyed by going to the “Preferences” section of your account settings and updating your selection.

Withdrawing Consent for Research Use:

If you had agreed to let 23andMe use your genetic information for research purposes, you can change your consent by visiting the “Research and Product Consents” section in your account settings and adjusting your preferences.

California Consumer Rights (GIPA & CCPA):

If you’re a California resident, the Genetic Information Privacy Act (GIPA) gives you the right to:

  • Delete your account and genetic data

  • Request the destruction of your biological sample

  • Withdraw any consent previously given for the use or sharing of your genetic data

Additionally, under the California Consumer Privacy Act (CCPA), you have the right to request deletion of your personal information—including genetic data—from any business that has collected it.

Enfortra provides world-class Identity Protection Services through a customizable white-label SaaS platform, enabling companies to protect customers, members, and employees from fraud and cybercrime. Partnering with industries from auto dealers to HR departments, Enfortra helps businesses boost loyalty, retention, and revenue while owning their brand, configuration, and data.

  • Head Office: Los Angeles, CA 91311​
  • 888 888 7388​
  • info@enfortra.com​

Solutions

Industries

About us

Resources

©2025 Enfortra. All rights reserved.

Exit mobile version