By Greg Collier
In recent years, DNA testing has become mainstream, with companies like 23andMe offering consumers a window into their ancestry, health risks, and even potential family connections. However, as the company grapples with financial struggles and an uncertain future, customers are increasingly concerned about what might happen to their sensitive genetic data. With 23andMe’s future up in the air, it’s important to take a closer look at the privacy issues surrounding this service, particularly since it’s not bound by the same laws that govern your doctor’s office.
No HIPAA Protection for Your DNA
One of the most pressing concerns about 23andMe is that it operates outside the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s privacy and security rules apply only to “covered entities” (health plans, healthcare providers, and clearinghouses) and the business associates that handle data on their behalf. 23andMe sells its tests directly to consumers and is not a covered entity, so it is not required to follow the privacy regulations that govern hospitals and doctors, even though the genetic data it holds is at least as sensitive as a medical record.
This gap has serious implications. Although 23andMe promises to protect customer data and obtain consent before sharing it with third parties, the company’s privacy statement makes it clear that customer information, genetic data included, can be among the assets transferred in a merger, acquisition, bankruptcy, or sale of the business. Your genetic data, some of the most intimate information about you, could become a commodity in a corporate sale. And with 23andMe’s recent financial troubles, including the resignation of its entire slate of independent directors and an ongoing downward spiral, the possibility of the company being sold is real.
If 23andMe sells, customers need to be aware that their DNA might be up for grabs as well. The new owner may not be as committed to privacy as 23andMe claims to be today. And according to the fine print in 23andMe’s privacy policies, the company reserves the right to update those policies at any time. In other words, the consent you gave when you first sent in your saliva does not lock in today’s terms; once your genetic information is in the system, it is subject to whatever the policy says later, under whoever owns the company then.
What Happens if Your DNA is Misused?
The potential for misuse of genetic data is broad. Insurers, for instance, might be interested in the secrets encoded in your genome. The Genetic Information Nondiscrimination Act (GINA) of 2008 protects against genetic discrimination in health insurance and employment, but its scope is narrow. Life insurance, disability insurance, and long-term care insurance are not covered under GINA. If an insurer in one of those markets got hold of your genetic information, it could use it to deny you coverage or raise your premiums based on your likelihood of developing a certain illness, even if you never actually get sick.
Law enforcement could also be interested in your DNA. While 23andMe says it requires valid legal process such as a warrant before sharing data with police, other services have been far more lenient. The open genealogy database GEDmatch, for example, allowed investigators to search uploaded profiles, which is how police identified the Golden State Killer suspect in 2018 by matching crime-scene DNA against his distant relatives. And you don’t have to be directly involved to be affected. Since large chunks of our genome are shared with relatives, your DNA could lead police to a distant cousin you’ve never even met, and a relative’s upload can do the same for you without your knowledge or consent.
A History of Privacy Breaches
Unfortunately, 23andMe’s track record on data security isn’t exactly spotless. In 2023, the company experienced a massive data breach, exposing the personal information of nearly 7 million customers. The attacker did not exploit a flaw in 23andMe’s systems; they used credential stuffing, logging in with usernames and passwords that customers had reused from other breached sites, to access roughly 14,000 accounts. From those accounts, the DNA Relatives feature, which shows matched relatives’ profile information, let the attacker scrape data on millions of other customers who had never been compromised themselves. The attacker then compiled and advertised lists of people with Chinese and Ashkenazi Jewish ancestry and posted the information for sale on the dark web. 23andMe made two-factor authentication mandatory only after the breach. Earlier this year, the company agreed to pay $30 million to settle a lawsuit over the breach and will provide three years of security monitoring to affected customers.
While 23andMe claims to take privacy seriously, this breach, and the fallout, serves as a stark reminder of just how vulnerable your data can be, and of how a feature designed for sharing can turn a few thousand weak passwords into millions of exposed profiles. Once compromised, your genetic information cannot be ‘reset’ like a password. It’s out there, permanently. This is especially troubling given that our understanding of the genome is still evolving, and we cannot yet foresee all the ways this data might be used, or misused, in the future.
What Can You Do?
If you’re one of the 15 million customers who have already submitted your DNA to 23andMe, there are some steps you can take to protect yourself. First, review the company’s privacy policies carefully. Under certain state laws, such as those in California, you may have the right to delete your genetic data before a potential sale. 23andMe also allows customers to download their data and delete their accounts, and its settings let you opt out of DNA Relatives, withdraw consent for research use, and request that your stored saliva sample be destroyed. If you keep the account, use a unique password and turn on two-factor authentication, since reused passwords are exactly what enabled the 2023 breach. Be aware that deletion is not total: 23andMe’s privacy statement says it and its laboratory retain a limited set of information, including some genetic data, where they are required to by law.
However, it’s important to recognize that once your genetic information is out there, it’s very difficult to fully retract it. For anyone considering using 23andMe or a similar service in the future, the risks might outweigh the benefits, especially when it comes to the potential misuse of your genetic data.
Final Thoughts
The promise of unlocking the secrets of your DNA is enticing, but it comes with significant privacy risks. 23andMe’s financial troubles only heighten these concerns, as the company may be forced to sell, leaving your sensitive data in the hands of unknown parties. And since 23andMe is not a HIPAA covered entity, the protections that you might assume apply to your genetic data simply don’t.
In today’s rapidly evolving digital landscape, it’s more important than ever to be cautious with your personal information, especially when that information is as sensitive as your DNA.
Discover more from The Broad Lens