23andMe bankruptcy raises concerns for genetic data safety

The recent filing for bankruptcy by consumer genomics company 23andMe has raised significant concerns regarding the future of sensitive genetic data entrusted by its over 15 million customers.

As the company undergoes bankruptcy proceedings, experts are voicing apprehensions about data privacy, security, and the potential implications for consumers who have used the service to learn about their ancestry and genetic predispositions.

Gabrielle Hempel, a Security Operations Strategist at Exabeam, highlighted the inseparable nature of genetic data from personal identity. "You can't de-identify genetic data," she explained, noting the uniqueness of an individual's genome. When companies like 23andMe face financial distress, not only assets but also "millions of irreplaceable, irrevocable data sets" are at risk of being transferred to new owners. Hempel stressed the need for biotechnology to reconsider data stewardship and enforce sector-specific regulations that treat genetic information with heightened care, akin to healthcare standards.

Randolph Barr, Chief Information Security Officer at Cequence, shared similar concerns. He urged consumers to rigorously inspect 23andMe's privacy policy to understand what customer data may still be retained even after attempting to delete accounts. He suggested practical steps for users, such as confirming consent settings and initiating account deletion if they are concerned, though acknowledged some data might legally be required to remain with the company.

The potential sale or transfer of genetic profiles as part of bankruptcy asset liquidation has also sparked fears regarding misuse of the data. Nick Tausek, Lead Security Automation Architect at Swimlane, warned of a "nightmare scenario" where health insurers or data brokers could purchase the data. This could lead to the development of algorithms that discriminate or make unfounded health assessments, undermining customer trust in the capabilities and objectives of data buyers.

Andrew Costis from AttackIQ added that genetic information, if misused, could exacerbate privacy risks and potentially entail identity theft. Moreover, should an insurer acquire such data, there is a risk of discriminatory practices based on genetic information, contrary to health privacy norms.

These expert insights reflect broader ethical and regulatory challenges facing the biotechnology industry amidst this corporate financial shakeup. There is a consensus on the necessity for stringent legislative frameworks that address the unique nature of genetic data. These frameworks should ensure secure handling, transfer, and potential deletion of sensitive personal information when corporate entities face instability.

As 23andMe navigates bankruptcy proceedings, the focus intensifies on the importance of robust data privacy measures and transparency about consumers' rights concerning sensitive information. Such developments will likely influence future policy directions, with an emphasis on embedding stronger protective measures into legal structures governing genetic data management.