WS Chronicle

By: Jess Schnur 

On March 23 the online genetic testing and biotechnology company 23andMe filed voluntary Chapter 11 proceedings in the U.S. Bankruptcy Court. The Company is looking to sell substantially the entirety of its assets thorough a chapter 11 plan pursuant to Section 363 of the U.S. Bankruptcy Code, pending Court approval. If approved, any buyer will be required to comply with applicable law concerning the treatment of customer data and any transaction will be subject to customary regulatory approvals.   

“After a thorough evaluation of strategic alternatives, we have determined that a court-supervised sale process is the best path forward to maximize the value of the business,” said Mark Jensen, hcair and member of the special committee of the board of directors at 23andMe. “We expect the court-supervised process will advance our efforts to address the operational and financial challenges we face, including further cost reductions and the resolution of legal and leasehold liabilities. We believe in the value of our people and our assets and hope that this process allows our mission of helping people access, understand and benefit from the human genome to live on for the benefit of customers and patients.” 

But this hasn’t been the first time that 23andMe has faced legal challenges. Back in October 2023, the company fell victim to a data breach that compromised the genetic, familial and ethnicity data of 6.9 million users across the platform. 23andMe released a statement at the time explaining how the hackers had used a process called “credential stuffing” – breaching accounts through usernames and passwords that were simultaneously used as credentials across other sites – to infiltrate 14,000 user accounts. Through a feature on the site known as DNA Relatives, as well as the Family Tree feature on many accounts, the hackers were then able to further access the information of adjacent profiles that were linked through these features.  

Following the breach, concerns over the distribution of user data flooded the public, as the alleged hacker advertised selling user data on a popular hacking forum. The site reformed its security measures to incorporate two-step verification following the cyberattack, but 23andMe ultimately had to pay a $30 million settlement following a class action lawsuit filed by the users whose data had been compromised.  

In North Carolina, 23andMe has undergone a continuous investigation by the state following the events of October 2023. Attorney General Jeff Jackson has spoken out against the company’s recent bankruptcy filing, and in a statement on March 25, he urged the residents of North Carolina to delete their user data, before ultimately erasing their accounts. “Your genetic data is your most personal, confidential data, and you should be able to protect who has access to it. As 23andMe’s bankruptcy proceedings play out, it’s possible that North Carolinians’ private genetic and other health data could be sold to other companies,” said Attorney General Jackson. “You have the power to delete your data now – please act quickly.” 

But what exactly does it mean for users to have their data in such a vulnerable position on sites like 23andMe? To get better insight into the ethical and logistical concerns of these private genetic testing companies, The Chronicle spoke with Professor of Philosophy and Director of the Wake Forest Center for Bioethics, Health & Society, Dr. Ana Iltis. 

With the advertisement of simplicity, convenience and cost-efficiency, 23andMe promises a private alternative to genetic testing that does not require the same constraints of conventional medical institutions for its users. “You spit in a tube, mail it off, and – in theory – obtain a lot of genetic information about yourself for little cost. I say, ‘in theory,’ because the accuracy of the results people receive from these companies has been called into question many times,” said Dr. Iltis. “Other attractive features include you don’t need anyone’s permission to do it. And the results do not go into your medical record, which may give people a sense of privacy. Though, I would say that is a false sense of privacy. In some cases, people use these sites because they are hoping to find biological relatives and connect with people.” 

Sites such as 23andMe are not considered “covered entities.” According to the National Institutes of Health, these entities are defined as “health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which Health and Human Services has adopted standards.” Because sites such as these do not fall under this category, they are not held to the same privacy laws as legitimate medical facilities. Therefore, as Dr. Iltis explains, the protections of patient privacy that are granted under the Health Insurance Portability and Accountability Act (HIPAA) do not apply to the users of these sites.  

“One thing that I think can be lost on people is that these are not healthcare companies, and people who use them are customers, not patients,” said Dr. Iltis. “Individuals looking for health information about themselves might think of themselves as patients and have some expectations around that status, but they are customers. So, there are concerns about what people understand about what they are agreeing to when they sign up.” 

Alongside the questionable validity of results from these tests, the challenging implications that may come with deciphering genetic data and familial information, and the elusive promise of confidentiality through website privacy policies expressed by Dr. Iltis, there is one concern underlying the business transaction within 23andMe’s bankruptcy: With new management comes new policies. Thus, uncertainty wanes within the sanctity of upholding 23andMe’s previous privacy policies. 

In an age where the lines of privacy have slowly blurred and the selling of personal data has carved itself into a lucrative market across a variety of industries, data breaches have almost become a common occurrence. While many instances of data profiling in daily life can be linked back to mere marketing strategy, when it comes to the distribution of genetic data from sites like 23andMe, its buyers may be more than just pop-up ads and promotions. 

“There is a federal law, The Genetic Information Nondiscrimination Act (GINA), that prohibits employers and health insurance companies from discriminating against people based on genetic information,” explains Dr. Iltis. “But there are many other companies that would very much like to use that information to make decisions. So, the data [is] quite valuable. If you have genetic information at 23andMe, you can ask them to destroy it and your sample. Once the data [is] sold, however, you might not have that option. So, people can lose control over their information pretty quickly. 

“Health insurance companies, life insurance companies, long-term care insurance companies, car insurance companies, and pharmaceutical companies likely have an interest. There might also be interest from government entities and academic researchers. I think it’s important to keep in mind that companies like 23andMe are probably making most of their money by selling data and not by selling test kits!” 

While Dr. Iltis believes it is unlikely for stricter regulations to be put in place for private genetic testing sites like 23andMe, she expressed the importance of providing clear and extensive information on the policies of these companies that can help people make more informed decisions about these services. “I think one reason these sites appeal to people is that they give individuals a sense of control over their own information – they can get genetic information from the comfort of their home without needing to go to a healthcare professional or through an insurance company,” said Dr. Iltis. “Empowering people to make choices in light of current information might appeal to people who want to retain a sense of control over themselves.”  

As uncertainty looms over the fate of 23andMe, Attorney General Jackson continues to monitor the situation. “My office is watching 23andMe closely to see how they navigate these next steps and what actions the court takes to protect North Carolinians’ data,” he said. “We’re going to do everything in our power to protect people’s private information.” 

While it is ultimately an individual decision to delete one’s 23andMe account to protect their data, it is important to be informed and educated about the policies and ramifications that go into services such as these. 

For those who are interested in deleting their 23andMe data, they can refer to the following steps on how to remove their account:  

*Log into your 23andMe account.   

*Follow instructions here if you want to destroy your test sample or revoke permission for your genetic data to be used for research.   

*Under your account profile, click on “Settings.”  

*Scroll down to “23andMe data” and click on “View.”   

*Select “Delete data.”  

*Click “Permanently delete data.” 

*Follow instructions to confirm your request to delete your data.  

Once you confirm your request, 23andMe will immediately and automatically begin the deletion process and you will lose access to your account.