In 2008, Time magazine named genetic testing company 23andMe and its at-home DNA testing kit the Invention of the Year. Eventually, about 15 million people signed up for it.
Sixteen years later and after a large data breach in 2023, the value of 23andMe has plummeted. That has prompted concerns that the company -- and all its users' genetic data -- could soon be up for sale.
Illinois has some of the strongest laws in the country when it comes to protecting biometric data, such as our fingerprints or DNA. That's why the genetic data of Illinois residents won't change hands easily, even if 23andMe is sold, experts told NBC 5 Responds.
At least a dozen states, including Illinois, have laws that would require 23andMe to obtain consent from users before transferring their data to another company.
"I think that Illinoisans have exceptionally strong protections that would prevent 23andMe from wholesale transferring their data to a third party," said J. Eli Wade-Scott, a partner at Edelson PC and one of the attorneys behind a class-action lawsuit filed on behalf of those impacted by last fall's data breach. "I don't know if that's 23andMe's view. And the company has not shared a lot of information about what happens if the company goes bankrupt or it's sold."
23andMe data breach
You can change your passwords, and you can even change your email address, but if a bad actor gets their hands on your genetic information, or the data in the tube of saliva you mail to 23andMe when you sign up, there's really nothing you can do.
Many people found that out the hard way after the company announced the data of almost 7 million users was compromised last October in a data breach.
"I think that when you're talking to people about this over the kitchen table, nobody's excited to now swab themselves and send that information off to a company that's shown that they can't be trusted to have it," said Wade-Scott.
The company told NBC 5 Responds that a threat actor accessed a select number of individual accounts through a process called credential stuffing, in which usernames and passwords exposed in earlier, unrelated breaches are tried against other services. It claims there is no indication of a data security incident within its own systems, or that 23andMe was the source of the account credentials used in the attack.
But Wade-Scott explained why the company's subsequent actions raised even more privacy concerns for users.
"Immediately after the data breach or in the ensuing months, the CEO, as the company entered these financial struggles we're hearing so much about, did an interview where she expressed a lot of interest in offering up people's data to get more third parties for research, to try to get more cash for the company's bottom line," said Wade-Scott.
In a statement, the company told NBC 5 Responds that CEO Anne Wojcicki is no longer "open to considering third party takeover proposals" and has pledged to maintain the company's current privacy policy.
But per that privacy policy, if the company is involved in a "bankruptcy, merger, acquisition, reorganization or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction."
Meanwhile, the company has agreed to pay $30 million to settle the class-action lawsuit over last fall's data breach. However, Wade-Scott said the settlement has yet to be finalized.
How to delete your data from 23andMe
If you're concerned about your genetic data, it is possible to delete your information from 23andMe. Here's how you do it: log into your account and under "settings," go to "23andMe data," and select "delete your data."
Full statement from 23andMe:
23andMe’s Co-Founder and CEO Anne Wojcicki has publicly shared she intends to take the company private, and is not open to considering third party takeover proposals. Anne also expressed her strong commitment to customer privacy, and pledged to maintain our current privacy policy, including following the intended completion of the acquisition she is pursuing.
We have strong customer privacy protections in place. 23andMe does not share customer data with third parties without customers' consent, and our Research program is opt-in, requiring customers to go through a separate, informed consent process before joining. Further, 23andMe Research is overseen by an outside Institutional Review Board, ensuring we meet the high ethical standards for the research we conduct. Roughly 80% of 23andMe customers consent to participate in our research program, which has generated more than 270 peer-reviewed publications uncovering hundreds of new genetic insights into disease.
In addition to our own strict privacy and security protocols, 23andMe is subject to state and federal laws that are similar to or more protective than privacy and security program requirements in HIPAA. Although state privacy law protections apply to residents of certain states, 23andMe took the opportunity to make improvements for all 23andMe customers globally.
We believe we have a transparent model for the data we handle, rather than the HIPAA model employed by the traditional health care industry that allows broad exemptions and often unrestricted use and disclosure of protected health information (PHI) when used for treatment, payment and operations purposes, and where consent, opt-out and opt-in concepts are generally not imposed.
We are committed to protecting customer data and are consistently focused on maintaining the privacy of our customers. That will not change.
23andMe's Privacy Statement describes 23andMe's commitments and obligations to protect customers' personal information, including in the event of a change of ownership. 23andMe's Privacy Statement would continue to apply to data collected by 23andMe unless and until customers are presented with a new privacy statement by a new entity. Customers would need to be advised about any material changes to the Privacy Statement, and should have the right to opt out under applicable law.