23andMe filed for Chapter 11 bankruptcy Sunday, leaving the fate of millions of people’s genetic information up in the air as the company deals with the legal and financial fallout of not properly protecting that genetic information in the first place. The filing shows how dangerous it is to provide your DNA directly to a large, for-profit commercial genetic database; 23andMe is now looking for a buyer to pull it out of bankruptcy.
23andMe said in court documents viewed by 404 Media that since hackers obtained personal data about seven million of its customers in October 2023, including, in some cases, “health-related information based upon the user’s genetics,” it has faced “over 50 class action and state court lawsuits,” and that “approximately 35,000 claimants have initiated, filed, or threatened to commence arbitration claims against the company.” It is seeking bankruptcy protection in part to simplify the fallout of these legal cases, and because it believes it may not have money to pay for the potential damages associated with these cases.
CEO and cofounder Anne Wojcicki announced she is leaving the company as part of this process. The company has the genetic data of more than 15 million customers.
According to its Chapter 11 filing, 23andMe owes money to a host of pharmaceutical companies, pharmacies, artificial intelligence companies (including Aganitha AI and CoreWeave), as well as health insurance companies and marketing companies.
The filing is a devastating reminder that once you give your genetic information to a company like 23andMe, there is no way to have any clue what is going to happen to that data, how it is going to be analyzed, how it is going to be monetized, how it is going to be protected from hackers, and who it is going to be shared with for profit. Sharing your own DNA with 23andMe also necessarily implicates your close family members, who may or may not want their genetic information submitted to a company that is financially precarious and sitting on a trove of highly sensitive information.
On Friday, California Attorney General Rob Bonta issued an “urgent” alert to 23andMe customers telling them to ask the company to delete their data and destroy their genetic samples under a California privacy law: “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.”
Other genetic sequencing companies have shared customer information with police and governments, pharmaceutical companies, and health insurers. GEDmatch, a non-profit that once claimed it would protect customers’ genetic data, was sold to a for-profit company called Verogen, which works with the FBI and was later sold to a Dutch multinational conglomerate. Police now regularly attempt to identify suspects using information pulled from commercial genetic databases like the one that 23andMe has created.
23andMe’s bankruptcy means that the company will be put up for sale, and there’s no way of knowing who is going to buy it, why they will be interested, and what will become of its millions of customers’ DNA sequences. 23andMe has claimed over the years that it strongly resists law enforcement requests for information and that it takes customer security seriously. But the company has in recent years changed its terms of service, partnered with big pharmaceutical companies, and, of course, was hacked.
In a letter to customers Sunday, 23andMe said, “Your data remains protected. The Chapter 11 filing does not change how we store, manage, or protect customer data. Our users’ privacy and data are important considerations in any transaction, and we remain committed to our users’ privacy and to being transparent with our customers about how their data is managed.” It added that any buyer will have to “comply with applicable law with respect to the treatment of customer data,” which means essentially nothing because there are few laws that protect against the monetization of customer genetic data, as evidenced by the fact that other genetic databases proactively offer information to law enforcement and partner with big pharma.
The company now could be sold to anyone, and there is no way to know what that buyer will want to do with the reams of genetic information it has collected. Customers, meanwhile, still have no way to change their underlying genetic data.
Jason is a cofounder of 404 Media. He was previously the editor-in-chief of Motherboard. He loves the Freedom of Information Act and surfing.