By Bhanvi Satija and Siddhi Mahatole
(Reuters) -New York Attorney General Letitia James on Tuesday urged 23andMe customers to secure their data in light of rising privacy concerns after the DNA testing firm filed for bankruptcy amid declining demand for its services.
Uncertainty surrounding the company’s future and worries about potential data management by a new owner drove users to delete their accounts as a privacy safeguard, with many sharing detailed instructions on social media.
Shares of 23andMe, which filed for bankruptcy on Sunday, closed 11% lower at 65 cents. The stock declined 59% on Monday.
“Our website experienced some issues and delays due to increased traffic yesterday. As of today (Tuesday), those issues have been resolved. If anyone has any issues in regards to accessing their account or deleting their data, they can go to our customer care site for support,” a 23andMe spokesperson said.
The company’s saliva-based tests provide information on a user’s ancestry and whether they might be at genetic risk for certain diseases.
23andMe has made at least 30 deals with companies including British drugmaker GSK, allowing them to access its database. Most of its agreements remain undisclosed.
“Genetic data isn’t just a bit of personal information — it is a blueprint of your entire biological profile. When a company goes under, this personal data is an asset to be sold with potentially far-reaching consequences,” NordVPN cybersecurity expert Adrianus Warmenhoven said.
With more than 15 million customers, 23andMe’s genetic database was a “digital goldmine”, Warmenhoven said.
The company has said the bankruptcy process will not affect how it stores, manages or protects customer data.
If 23andMe changes ownership, its data will remain protected under its current privacy policy “unless and until you are presented with materially new terms, with appropriate advanced notice to review those material changes as required by law”, the company’s website said.
The law is not clear on whether a new buyer would need to give consumers a chance to opt out, according to I. Glenn Cohen, director of Harvard Law School’s Petrie-Flom Center.
“I assume that users will be filing lawsuits against the company to seek protection of all such data… outcomes of such suits (are) not yet clear,” said Robert Klitzman, director of the Masters of Bioethics program at Columbia University School of Professional Studies.
It was reported last year that 23andMe would pay $30 million and provide three years of security monitoring to settle a lawsuit accusing it of failing to protect the privacy of 6.9 million customers whose personal information was exposed in a 2023 data breach.
However, 23andMe said in January that the settlement was not unconditionally approved by the United States District Court for the Northern District of California.
Withdrawing data from the company’s website does not fully protect information since 23andMe’s business has been to sell its database, with user data, to other biotech and pharmaceutical companies for several million dollars, according to Klitzman.
“You can protect your financial information, such as your credit card number, if hacked, by getting a new card. But your DNA is permanent – you cannot change it… Better laws are therefore needed to ensure that companies adequately protect this valuable information,” Klitzman said.
California Attorney General Rob Bonta also urged customers on Friday to delete their genetic data, citing 23andMe’s financial distress.
James said users could change their preferences in their account settings if they had previously opted to have their saliva samples and DNA stored by 23andMe.
Customers could withdraw consent even if they had previously agreed that the company and third-party researchers could use their data and samples, she said.
(Reporting by Bhanvi Satija, Siddhi Mahatole, Puyaan Singh in Bengaluru and Brendan Pierson in New York; Editing by Shilpi Majumdar, Alan Barona and Pooja Desai)
