23andMe users’ genetic data is at risk, state AGs warn


The fate of more than 15 million customers’ genetic data remains in limbo after popular DNA testing company 23andMe filed for bankruptcy in March. The data is up for sale, stoking fears about how it might be used and prompting attorneys general from more than a dozen states to warn 23andMe users: Delete your data.

“Your genetic data is your most personal, confidential data, and you should be able to protect who has access to it,” North Carolina Attorney General Jeff Jackson, a Democrat, said in a March statement.

“You have the power to delete your data now — please act quickly.”

Dr. Adam Brown, a Washington, D.C.-based emergency physician and the founder of a health care strategy firm, deleted his information on 23andMe as soon as he learned of the bankruptcy filing, he told Stateline.

For him, the bankruptcy raises a vital question that federal and state laws don’t fully address: What happens to your genetic data when the company holding it collapses?

Federal protections are flimsy. States have beefed up their genetic privacy laws in recent years, but many experts say they don’t go far enough.

23andMe has said the bankruptcy will not change how it stores, manages or protects its trove of sensitive customer information. In a news release issued shortly after the bankruptcy announcement, the company said any potential buyers would have to agree to comply with 23andMe’s consumer privacy policy and all applicable laws. When contacted by Stateline, the company declined to comment beyond what it has published in news releases and information it posted for customers on its website.

But once the data is in the hands of another company, that company could change its privacy policy at any time, experts noted.

“Once you get to the point of bankruptcy court, there may not be those same guarantees or the same ethos a new company may have around privacy protections for consumers,” Brown said.

“I want people to understand there actually are not a lot of data privacy protections for consumers, especially for these direct-to-customer-type businesses.”


How to delete your 23andMe data

• Log in to your 23andMe account on 23andme.com.

• Under your profile, click “Settings.”

• Scroll to the “23andMe Data” section.

• Click the “View” button.

• If you want a copy of your genetic data, choose the option to download it to your device before proceeding.

• Scroll to the “Delete Data” section.

• Click “Permanently Delete Data.”

• Check your email for a confirmation email from 23andMe, then follow the link in the email to confirm your deletion request.

• If you previously opted to have your saliva sample and DNA stored by 23andMe but want to change that preference, you can do so from your account settings page, under “Preferences.”

• If you previously consented to 23andMe and third-party researchers using your genetic data and sample for research purposes, you can withdraw that consent from your account settings page, under the “Research and Product Consents” section.

If you have concerns, you can contact your state attorney general’s office. Find yours at www.naag.org/find-my-ag/.

Source: Office of the Attorney General for the District of Columbia


HIPAA, the Health Insurance Portability and Accountability Act, doesn’t apply to companies like 23andMe. The landmark federal law protects patients’ sensitive health information when it’s handled by doctors, hospitals and health insurers. But direct-to-customer companies such as 23andMe or Ancestry aren’t considered health care providers, and their non-invasive saliva collection kit isn’t considered a medical test.