23 and Me: A Cautionary Tale
- harveycmiller
- Apr 29
In the last two years, the genetic testing behemoth 23 and Me has undergone a stark and unprecedented reversal in fortunes. As recently as 2023, it was a highly respected organisation whom the hoi polloi and experts alike turned to in their moment of curiosity. At its zenith, the company was worth $6 billion [1]. However, its fall from grace began as a consequence of a massive security breach, which was eminently avoidable. Towards the end of 2023, a total of 6.9 million DNA records were stolen [2]. Curiously, it appears that those of Ashkenazi Jewish and Chinese extraction were singled out [3]. One might argue that this was a surgical strike involving a degree of pre-meditation. There is scant detail available on who the culprits were, but it is highly likely they were a criminal element seeking to capitalise and profit on a vast swathe of personal data.
To be forewarned is to be forearmed. Today's organisations are heavily reliant on cyber space, and suitable defensive measures such as robust antivirus, mandatory password resets and multi-factor authentication are commonplace. However, IT is seen as an ancillary service; it does not generate revenue in its own right and therefore it impinges on available budgets. Organisations, particularly of the private commercial ilk, are loath to part with money, especially if there is no perceived return. Unfortunately, this is a heavily flawed rationale. My mantra has always been that pursuing a cheap policy ends up being expensive. 23 and Me certainly discovered this. If more robust and proactive systems had been in place, they might have avoided the debacle that unfolded. Once this transpired, they had lost their reputation - an element that transcends financial worth and often proves fatal.
Current regulations stipulate that it was incumbent upon 23 and Me to publicly acknowledge the attack [4]. The announcement was akin to plunging the proverbial dagger into the heart of the business. The company’s value went into freefall. By March 2025, 23 and Me decided to petition for bankruptcy [5]. Shortly thereafter the CEO, Anne Wojcicki, stepped down.
Implications
The current state of affairs has wide-ranging implications, most notably for the company's remaining client base. The fact that 23 and Me’s assets are on sale, including its highly treasured DNA catalogue, engenders a sense of grave uncertainty. Any future custodian may not be bound by the same legislation or ethical standards as 23 and Me.
The point was not lost on the Attorney General of California, Rob Bonta, who advised the extant consumer base to request that their data be expunged. That message gathered traction and was echoed throughout the US and the world [6]. Although Bonta’s missive originated from a place of genuine concern, 23 and Me had difficulty in meeting the unprecedented wave of demand. IT systems buckled under the sheer weight of consumer traffic and inevitably it took time to remedy. This understandably caused annoyance and cynicism in equal measure [7]. There are those who will testify that the removal of personal data is neither a seamless nor a straightforward process.
The Can of Worms
The famous adage reads that our children are the monument to our existence. With the advent of the internet, this is only partially true. Every time we access cyber space, we leave a signature of our presence. This may range from a rudimentary web search to the article I am presently composing. The all-important question is what happens to this data trail once I shed my mortal coil? There are simply no satisfactory answers.
23 and Me is faced with this perplexing quandary and any future sale will cause ripples. There is little doubt that since its inception in 2006, clients have passed away. Unless they expressed a desire regarding their data, 23 and Me is not under any obligation and the information remains strictly within their purview. Ethical dilemmas will also surround those who are incapacitated.
Indeed the list is by no means exhaustive. An additional consideration pertains to those seeking their parentage. It is quite plausible that any future buyer may alter existing contract terms. A more stringent approach would make investigations increasingly complex and convoluted.
As with all things, only time will answer these questions.
SOURCES
1. Winkler, Rolfe (January 31, 2024). 23andMe's Fall From $6 Billion to Nearly $0. Wall Street Journal. https://www.wsj.com/health/healthcare/23andme-anne-wojcicki-healthcare-stock-913468f4
2. Joe Hernandez (March 24, 2025). 23andMe is filing for bankruptcy. Here's what it means for your genetic data. NPR Morning Edition. https://www.npr.org/2025/03/24/nx-s1-5338622/23andme-bankruptcy-genetic-data-privacy
3. Lily Hay Newman (6th September 2023). 23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews. Wired. https://www.wired.com/story/23andme-credential-stuffing-data-stolen/
4. Eyal Grunner (Updated: November 27, 2024). HIPAA Breach Notifications: Everything You Need to Know. Cynet. https://www.cynet.com/cynet-for-compliance/hipaa-breach-notifications-everything-you-need-to-know/
5. A site dedicated to bankruptcy proceedings can be found at https://restructuring.ra.kroll.com/23andMe/
6. Chrisy Bieber (March 30, 2025). 23andMe CEO resigns as bankruptcy raises fears over user data. Moneywise, Yahoo Finance.
7. 23andMe Faces Uncertain Future Amid Bankruptcy and CEO Resignation (April 22, 2025). https://thehealthcaretechnologyreport.com/23andme-faces-uncertain-future-amid-bankruptcy-and-ceo-resignation/