The sign at 23andMe headquarters in Sunnyvale, California, USA, on Wednesday, January 27th, 2021.
David Paul Morris | Bloomberg | Getty Images
DNA testing has become an invaluable tool for enthusiasts and novice genealogists. For some, knowing that they are Paul Libya’s tenth cousin or the 15th great-nephew, four times removed, of the last king of Prussia is worth the risk of sharing DNA samples. But what happens when the company that collected the DNA goes bankrupt?
That was the problem facing millions of Americans last week when 23andMe, a company that popularized genetic testing among consumers and was backed early on by Google, filed for bankruptcy, and Americans were urged to remove their DNA from the company’s database.
It’s not 100% clear whether the “DNA deletion” call was justified, but privacy experts are worried, and Americans who have undergone genetic testing have taken the advice to heart.
On March 24th, the day it announced its bankruptcy, traffic to 23andMe’s website had risen 526% from a day earlier, according to data from online traffic analytics firm Similarweb. According to Similarweb, 376,000 visits were made to help pages specifically related to data deletion, and 30,000 were made to the customer care page for account closure. The next day, visits rose to 1.7 million, and traffic to data-deletion pages rose to about 480,000.
Margaret Hu, a law professor at the Digital Democracy Lab at William & Mary Law School, believes that Americans have made the right move. “This development is a data privacy disaster,” Hu said. In her view, 23andMe’s bankruptcy should serve as a warning about why the federal government needs strong data protection laws.
In some states, governments play an active role in advising consumers, Hu noted. The California Attorney General’s Office is urging Californians to delete their data and destroy saliva samples provided to 23andMe. But Hu says that it’s not enough and that such guidance should be provided to all US citizens.
Concern about the potential national security impact of 23andMe’s data falling into the wrong hands is not new. In fact, the Pentagon had previously warned military personnel that these DNA kits could pose a risk to national security.
Exposure of DNA collected from consumers is not a new issue for 23andMe either. In 2023, around 7 million people who had undergone genetic testing were exposed in a major data breach at 23andMe. The company agreed to a $30 million settlement and promised three years of security monitoring.
But Hu says bankruptcy leaves a company and its data particularly vulnerable.
Drug research and genetic testing data
As the market for consumer sales of popular DNA test kits reached saturation earlier than most people expected, 23andMe moved into research and development partnerships with pharmaceutical companies as a way to diversify revenue.
Currently, when 23andMe sells genetic data to other research companies, most of it is used at the aggregate level, analyzed in most cases as part of millions of data points. The company also removes identifying data from genetic data and does not include registration information (such as names or emails). Data shared with researchers, such as date of birth, is stored separately from genetic data and shared under randomly assigned IDs.
Hu is one of the experts concerned that these practices could change under 23andMe or new buyers. “In an age of financial fragility, companies such as pharmaceutical companies may have the opportunity to leverage research benefits from genetic data,” Hu said, adding that they may try to renegotiate previous contracts to extract more data from the company. “Will the next company that buys 23andMe do that?” Hu said of its privacy policy.
More recently, 23andMe said it would try to find buyers who share its privacy values.
23andMe did not respond to requests for comment.
23andMe co-founder and CEO Anne Wojcicki presses the button to remotely ring the Nasdaq Opening Bell at the headquarters of DNA tech company 23andMe in Sunnyvale, California, USA, on June 17, 2021.
Peter Dasilva | Reuters
In the years since 23andMe was established in 2006, many customers were happy to send in swabs to learn more about their family history. Elaine Brockhouse, 70, and her family, from Lansing, Michigan, were excited to learn more about their lineage when they submitted their DNA samples to 23andMe. But with the company now bankrupt and privacy experts concerned about what will happen to the DNA samples of millions of people, Brockhouse says it has all “caused a bit of a stir in my family.”
“We enjoyed some aspects of 23andMe,” Brockhouse said. “They were able to continually refine and renew our heritage and better identify genetically relevant groups as more people joined.” She was able to learn more about health risk factors that had or had not existed in the past.
Now, her family has come full circle on its 23andMe experience. Some members were initially reluctant to go along, and now Brockhouse says that everyone has deleted their accounts.
A unique company collapse, but everyday cyber risks
However, Brockhaus continues to see 23andMe as part of the larger consumer health market, where health information is shared in all kinds of environments, the risks are not new, and security issues can arise. “Everyone who sends Cologuards through the mail or receives medical results is at risk of exposure,” Brockhouse said. “Our identity can be stolen with some keystrokes. Of course, this doesn’t mean we reach out and agree to become victims, but we need to be vigilant, aggressive, but not panic unless we want to dig a hole and live there,” she added.
John Clay, vice president of threat intelligence at cybersecurity firm Trend Micro, says 23andMe consumers need to view bankruptcy as a threat. “In the sales process, if data is not transferred and protected in the safest way possible, there is a risk that malicious actors will use it for many malicious purposes,” he said.
Clay believes 23andMe’s data is invaluable to cybercriminals. That’s not only because it’s permanent and personally identifiable, but because it can be used for identity theft, intimidation, or even medical fraud.
“Cybercriminals can use it to target consumers with persuasive fraud or social engineering tactics. For example, someone could claim that they are a blood relation of another person or send deceptive messages about potential health risks,” Clay said. “Organizations in bankruptcy should ensure that the security and privacy of their customers’ data is important and do not share or sell data with others,” he added.
However, other experts say the lessons from 23andMe are less about privacy threats unique to the company’s collapse than a reminder of the everyday cyber hazards associated with personal information.
“When people start talking about personal data, they forget where their data is already sitting,” says Rob Lee, director of research at the SANS Institute, who specializes in helping businesses with information security and cyber issues. Whether you send blood samples to a private lab or get rid of your laptop and upgrade to a new one, “Your digital footprint is left there for people to find,” Lee said. “People don’t understand scope, so there’s a bigger debate, especially about where the data goes.”
With DNA information, there are certain basic legal factors to weigh before people swab themselves and send in samples.
According to Lynn Sessions, a healthcare privacy and digital asset expert and a partner at law firm BakerHostetler, HIPAA does not apply to this situation, as 23andMe is not considered a HIPAA-covered entity or a business associate. However, there are state laws, like California’s, that apply to genetic information.
Meredith Schnur, managing director and cybersecurity leader at insurance company Marsh, believes the risk of 23andMe’s bankruptcy to those who sent in a swab is relatively low. “It doesn’t cause any additional surprises or heartburn,” Schnur said. “I don’t think it opens up any additional risks that don’t exist yet,” she said. She added that many people’s information is “already there.”
However, bankruptcy itself is a difficult issue to ignore, and questions remain until the sales process is complete.
“When you’re in bankruptcy, the value of data privacy is not what you really think. You’re thinking about selling your company to the highest bidder,” Hu said. That top bidder, Hu says, may take the genetic data and consumer profile data and link them when selling to others.
And the first sale containing the DNA of millions of people may be the first of many deals.
“It could sell a handful of it indiscriminately, and the buyer of that data could be the enemy of a foreign country,” Hu said. “That’s why this isn’t just a data privacy disaster, it’s also a national security disaster.”