In what could become a defining moment for consumer privacy in the digital age, 23andMe, the once high-flying genetics testing company, filed for bankruptcy Sunday, placing the deeply personal data of more than 15 million customers into a precarious legal and ethical limbo.
The move has prompted warnings from state officials and cybersecurity experts alike, who are urging users to delete their data before it can be sold, mishandled, or exposed to malicious actors.
“I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” said California Attorney General Rob Bonta in a privacy alert issued Friday.
Bonta’s warning comes on the heels of 23andMe’s Chapter 11 filing, which enables the company to restructure and potentially sell off assets — a category that may include users' genetic data. According to 23andMe’s own privacy policy, if the company undergoes a sale or reorganization, “your Personal Information may be accessed, sold or transferred as part of that transaction.”
From Genomics Pioneer to Privacy Flashpoint
Founded in 2006, 23andMe ushered in an era of consumer DNA testing with sleek saliva kits and promises of ancestral insights and personalized health reports. The company went public in 2021 with a $6 billion valuation, but a perfect storm of cash burn, declining consumer interest, and mounting security challenges whittled its value down to roughly $50 million by 2024.
One of the final blows came in late 2023, when nearly 7 million users were affected by a breach in which attackers exploited reused passwords to access sensitive ancestry and profile data — a chilling glimpse into the vulnerabilities inherent in genetic data storage.
“This news underscores the critical importance of robust data security measures in the healthcare sector,” said Chris Sault, Director of Healthcare at Ping Identity. “In late 2024, nearly seven million people were affected by a security breach that shared sensitive DNA ancestry data with malicious actors. As companies navigate transitions like this, safeguarding sensitive genetic information and personal health data (PHI) must remain a top priority.”
Sault emphasized that advanced privacy-enhancing technologies — such as zero trust architecture and decentralized identity frameworks — are no longer optional luxuries but necessary guardrails in an increasingly volatile digital health landscape.
“The potential exposure of such data not only poses significant privacy risks but also erodes patient trust,” he added. “Healthcare organizations must proactively adopt advanced security strategies to protect patient data, ensuring resilience against cyber threats and maintaining the integrity of our healthcare systems.”
DNA on the Auction Block?
One of the most unsettling dimensions of 23andMe’s bankruptcy is the question of what happens to the company’s most valuable asset — its database of millions of genetic blueprints.
“The bankruptcy filing of 23andMe raises a pressing issue about the fate of its highly sensitive genetic data, which is now at risk of being sold off or mishandled,” said Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka. “Genetic data, being immutable and deeply personal, has always been a prime target for misuse. Now, the fate of millions of DNA profiles hangs in the balance.”
Sood warned of chilling possibilities that go far beyond traditional data breaches. DNA profiles, he said, could be weaponized for identity theft, genetic discrimination, and even bio-targeted cyberattacks.
“Adversaries could potentially launch medical identity theft using stolen genetic data to impersonate individuals for fraudulent medical treatments or prescriptions,” Sood explained. “The potential for targeted bio-threats, enabled by advances in biotechnology and gene-based medicine, is not a distant possibility but a real and immediate danger.”
He further noted the broader implications of genetic data exposure — from scams leveraging family connections to phishing attacks designed to exploit familial ties. “This situation underscores the critical need for organizations to deploy robust security controls… ensuring this sensitive information remains protected. The urgency of this issue cannot be overstated.”
What You Can Do — Right Now
23andMe has stated there will be “no changes” to how it protects consumer data during the bankruptcy process. But privacy experts and regulators say users shouldn’t take that on faith. Thanks to laws like the California Consumer Privacy Act (CCPA) and Genetic Information Privacy Act (GIPA), you have the legal right to request deletion of your data and biological samples — and now may be the time to act.
Here’s how to delete your genetic data from 23andMe:
1. Log into your 23andMe account.
2. Navigate to Profile → Settings.
3. Scroll to “23andMe Data” and click “View.”
4. Download your data if desired (be sure to store it securely).
5. Scroll to “Delete Data” and click “Permanently Delete Data.”
6. Confirm via the email link sent by 23andMe.
Deleting your data also triggers sample destruction and removes you from any research programs.
A Crossroads for Genetic Privacy
The collapse of 23andMe is more than a business story — it’s a moment of reckoning for digital health and personal data sovereignty. As consumers, we are increasingly being asked to trade deeply intimate information for convenience and insight — often with little understanding of how that data may outlive the companies we trust with it.
Until now, most people treated genetic privacy as an abstract concern. But the 23andMe bankruptcy makes the consequences disturbingly real.
And if our DNA is up for sale, we might finally need to ask: who owns you?