Over 2 million users have already deleted their genetic data from 23andMe following its March 2025 bankruptcy filing, but security experts warn the remaining 10 million customers should follow suit. The company’s Chapter 11 restructuring and subsequent $305 million buyback by former CEO Anne Wojcicki in June 2025 have created unprecedented privacy risks for user data, particularly given the immutable nature of genetic information and legal uncertainties surrounding bankruptcy asset sales.1, 2
Bankruptcy Creates Data Protection Loopholes
The bankruptcy process has exposed fundamental weaknesses in genetic data protection. When 23andMe filed for Chapter 11 protection in March 2025, its valuation had plummeted to less than 2% of its 2021 $6 billion peak, driven by declining test sales and fallout from a 2023 breach affecting 7 million users.3 While Wojcicki’s buyback prevented an external acquisition of the genetic database, bankruptcy courts prioritize creditor repayment over user privacy commitments. California Attorney General Rob Bonta issued an urgent consumer alert in March 2025 warning that bankruptcy sales could void original privacy terms.4
Technical and Legal Vulnerabilities
Genetic data presents unique security challenges compared to other personal information. Unlike passwords or credit cards, DNA profiles cannot be changed after exposure. The 2023 breach demonstrated how credential stuffing attacks could compromise millions of profiles, with hackers specifically targeting Ashkenazi Jewish and Chinese user data.5 The UK Information Commissioner’s Office fined 23andMe £2.31 million in June 2025 for security failures including lack of multi-factor authentication.6
Legal protections remain inadequate. No U.S. federal law governs genetic data in bankruptcy proceedings, and while some states like Virginia have consumer data protection acts, they offer limited recourse. Craig Konnoth, a law professor at the University of Virginia, notes: “Bankruptcy may void prior privacy commitments; deletion is safest.”7
Data Deletion Process and Limitations
Users can delete their 23andMe data through a straightforward process:
- Log into your 23andMe account
- Navigate to Settings > “Delete Your Data”
- Download data first if desired (optional)
However, physical DNA samples may persist in company laboratories unless separately requested for destruction. The company’s transparency report shows it has complied with only 15 law enforcement requests since 2015, producing zero data.8 More concerning is the opt-in research program where 80% of users allow their data to be shared with pharmaceutical partners like Pfizer and GSK.
Security Implications for Organizations
The 23andMe case study highlights critical considerations for handling sensitive biological data. Organizations storing genetic or biometric information should implement:
| Security Measure | Implementation |
|---|---|
| Multi-factor authentication | Required for all genetic data access |
| Data minimization | Collect only essential genetic markers |
| Bankruptcy clauses | Contractual data destruction requirements |
The June 2025 UK fine specifically cited 23andMe’s failure to implement proper access controls following the 2023 breach. For security teams, genetic databases represent high-value targets requiring specialized protection frameworks beyond standard PII safeguards.
Conclusion
23andMe’s emergence from bankruptcy hasn’t resolved fundamental privacy risks for its genetic database. With regulatory gaps persisting and bankruptcy creating legal uncertainty about data protections, deletion remains the most secure option for users. The case underscores the need for stronger legal frameworks governing biometric data in corporate transitions and clearer technical safeguards for immutable personal information.
References
- “DNA testing firm 23andMe files for Chapter 11 bankruptcy to sell itself,” Reuters, Mar. 24, 2025. [Online]. Available: https://www.reuters.com/business/healthcare-pharmaceuticals/dna-testing-firm-23andme-files-chapter-11-bankruptcy-sell-itself-2025-03-24/
- “23andMe CEO Anne Wojcicki steps down as company struggles,” Wall Street Journal, Jan. 31, 2024. [Online]. Available: https://www.wsj.com/health/healthcare/23andme-anne-wojcicki-healthcare-stock-913468f4
- “23andMe bankruptcy raises genetic data privacy concerns,” NPR, Mar. 24, 2025. [Online]. Available: https://www.npr.org/2025/03/24/nx-s1-5338622/23andme-bankruptcy-genetic-data-privacy
- “Attorney General Bonta urgently issues consumer alert for 23andMe customers,” California Department of Justice, Mar. 21, 2025. [Online]. Available: https://oag.ca.gov/news/press-releases/attorney-general-bonta-urgently-issues-consumer-alert-23andme-customers
- “Thinking about deleting your 23andMe data? Here’s why it matters,” UVA Today. [Online]. Available: https://news.virginia.edu/content/thinking-about-deleting-your-23andme-data-heres-why-it-matters
- “23andMe fined £2.3m over data breach affecting millions,” UK ICO, Jun. 2025. [Online]. Available: https://ico.org.uk/action-weve-taken/enforcement/23andme-international-limited/
- 23andMe Transparency Report. [Online]. Available: https://www.23andme.com/transparency-report/
- “How to delete your 23andMe data amid bankruptcy,” NBC Bay Area. [Online]. Available: https://www.nbcbayarea.com/news/local/23andme-bankruptcy-delete-data/3826532
