The financial struggles of genetic testing and ancestry company 23andMe are raising questions about the security of customers’ DNA and other data.
The company announced Monday that it would lay off around 40% of its workforce — about 200 employees — and close its drug development arm in an attempt to cut costs.
On Tuesday, 23andMe released its latest earnings report, showing revenue dipped 12% in the last quarter and share prices fell.
The company has faced additional struggles over the past several months, including the resignations in September of the seven independent directors of the board.
Since its founding in 2006, 23andMe has sold more than 12 million of its DNA kits, which use a saliva sample to extract DNA that is then analyzed, according to the company’s website.
Here are four questions answered about 23andMe and users’ data.
1. What has 23andMe said about customers’ genetic data amid its struggles?
A 23andMe spokesperson told ABC News the company had no further comment when asked Wednesday how the company’s business turmoil may impact customers’ personal data.
The company states on its website that it does not sell or share customers’ personal information with third parties without the customer’s consent, that it does not voluntarily share data with law enforcement, and that it provides an opt-in option for customers who want to participate in research.
2. Is the genetic data collected by 23andMe protected in the same way as health records?
No. 23andMe is considered a direct-to-consumer genetic testing company, and transactions with the company are considered commercial, not medical.
Because 23andMe is not a medical company, customers’ personal information is not protected under the HIPAA Privacy Rule, which affords privacy protections to health records.
3. Has 23andMe had data breaches before?
In 2023, the company experienced a massive security breach that exposed the data of nearly 7 million users.
23andMe said at the time that customer profile information shared through the company’s DNA Relatives feature had been accessed without authorization.
The company agreed in October to pay a $30 million cash settlement in a class-action lawsuit stemming from the data breach, according to The Associated Press.
Following the breach, the company also said it required every customer to reset their password and began requiring all customers to use two-step verification for login.
4. Is there anything consumers can do?
As a general rule, consumers who have shared their DNA with any direct-to-consumer genetic testing company should pay attention to the company over the years, as companies have the right to change their privacy policies and business practices.
Companies, 23andMe included, also have a responsibility to notify consumers of changes and get “consumers’ affirmative express consent for any new uses of their data,” according to the Federal Trade Commission, the government agency that conducts oversight of direct-to-consumer genetic testing companies.