Delete personal 23andMe data, privacy experts urge users
The genetics company announced this week it was filing for bankruptcy and looking for a buyer to take over the firm.
Customers of DNA firm 23andMe should move quickly to ensure their personal data is deleted following the firm’s filing for bankruptcy in the US, cybersecurity experts have said.
Earlier this week, the genetics firm announced it had begun voluntary Chapter 11 proceedings in the US – meaning it intends to reorganise its debts and assets to have a fresh start, while remaining in business, and searching for a buyer.
Cybersecurity experts have now warned it means the genetic and biological data of 23andMe users could end up in the hands of a third party they did not previously authorise to access such information.
Adrianus Warmenhoven, a cybersecurity expert at NordVPN, said the saga was a “stark wake-up call for data privacy”.
“Genetic data isn’t just a bit of personal information – it is a blueprint of your entire biological profile. When a company goes under, this personal data is an asset to be sold with potentially far-reaching consequences,” he said.
“Consumers have no concept of how much information they are giving up when they sign up to these innovative biotech companies.
“A simple DNA test doesn’t just potentially disclose ancestry – it could reveal genetic predispositions to disease, family relationships, and biometric signatures that could be used by insurers, employers, or even governments.
“With over 15 million consumers worldwide, 23andMe’s genetic database is a treasure trove of personal information – a digital goldmine that might turn into a bankruptcy sale asset.
“While medical records held by US companies are shielded under the Health Insurance Portability and Accountability Act, genetic information occupies a legal limbo.
“Almost 80% of customers have consented to be involved in medical research, meaning their DNA information could be passed on to new owners with little supervision.
“However, it’s worth bearing in mind that UK customers might have less protection.”
23andMe users can request to have their DNA sample destroyed, and have options to opt-out of a number of other research and product-related aspects of the service, as well as completely delete their account.
However, 23andMe’s privacy statement says that even if users choose to delete their account, the company retains some personal information in order to comply with its “legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes”.
According to the statement, the company and its contracted genotyping laboratory will retain genetic information, date of birth and sex as part of this.
Mr Warmenhoven said the “first reaction” of users should be a “total digital amputation”, and suggested concerned users should directly contact the firm to push for their data to be deleted.
“Ask for the destruction of your genetic sample, revoke all research permissions immediately and only then should you shut your account,” he said.
“Data permissions are no longer a one-way street – laws such as UK GDPR protect you here and give you the right to request data deletion. Make sure to cite this in any communications with 23andMe.
“You could try sending an email to customer services stating: ‘I am requesting the erasure of all my personal and genetic data held by 23andMe, in accordance with the UK General Data Protection Regulation (Article 17). Please confirm once this has been completed.’”
Collin Walke, a US-based cybersecurity and data privacy expert – and a partner at law firm Hall Estill, said the saga highlighted the perils of handing over personal data – especially health and genetic data.
“The 23andMe bankruptcy proves the problem: Once you give away the most personal aspects of yourself such as your genetic profile to third parties, you are literally losing control over information that can be exploited and used to you and your family’s detriment,” he said.
“Would you want your child’s diagnosis in the hands of bad actors? What about your personal medical information? You may have agreed to allow 23andMe to run your profile, but what about the company that buys 23andMe out of bankruptcy? Do you trust them?”
