23andMe must secure its DNA databases immediately

To protect the sensitive genetic data of millions and restore trust in genomic innovation, we must implement clear, enforceable privacy protections. Robust regulations are essential to ensure individuals can confidently contribute to genomic research without fear of misuse or exploitation.  

Dec 14, 2024 - 10:00
23andMe, born from the techno-optimism of the Human Genome Project, revolutionized direct-to-consumer genetic testing. But with its valuation now in freefall, mounting layoffs and its board resigning en masse, 23andMe’s imminent failure raises a critical question: What will happen to the sensitive genetic data of its 15 million customers?   

This is not just 23andMe’s reckoning; it is a warning for the customers of the entire direct-to-consumer genetic testing industry, which has long struggled to balance rapid innovation and profits with robust consumer protections. Your DNA — an immutable blueprint of your identity — could be sold, shared with unknown entities or exploited for targeted advertising and product development without your consent.

Beyond these personal risks, shared genetic data can even expose family members to unforeseen vulnerabilities, from stigmatization to medical and insurance challenges. As AI advances genomic analyses, the potential for misuse grows, amplifying risks of discrimination and exploitation that could span generations. 23andMe’s struggles demonstrate that the safeguards for protecting this deeply personal information are alarmingly fragile. 

The downfall of 23andMe highlights the hidden costs of its earlier success. The recent $30 million settlement over 23andMe’s 2023 data breach, in which attackers logged in to customer accounts using passwords reused from other sites and then harvested the profiles of millions of those customers’ genetic relatives, underscores the industry’s failure to safeguard sensitive information. Even so-called "anonymous" DNA can be re-identified through public databases: in California’s Golden State Killer investigation, a crime-scene profile uploaded to the public genealogy site GEDmatch matched distant relatives, and investigators identified the suspect by building out their family tree.

23andMe and its peers amassed vast genomic databases, but as these databases become commodified assets in corporate failures, public trust erodes. Regulatory frameworks must prioritize durable privacy and ethical stewardship over short-term market volatility, ensuring genomic data serves as a public good, not a profit-driven commodity.

23andMe’s current predicament highlights the urgent issue of genomic data ownership. Under current law, the data is 23andMe’s to sell. U.S. courts treat biological samples as corporate property, and the EU Data Act arguably grants companies ownership of derived genomic data. Fragmented state laws and loopholes in the Protecting Americans’ Data from Foreign Adversaries Act exacerbate the risks.

If 23andMe’s database is divided and sold, the potential for misuse — particularly by foreign entities with weak privacy protections or adversarial intentions — is deeply concerning. Such entities could exploit DNA from relatives of high-profile individuals, including presidents and military leaders, revealing vulnerabilities with far-reaching strategic implications. 

Stronger public-private partnerships could address some of these risks. Collaborations between private companies and public institutions can create centralized, secure genomic databases. Centralization also concentrates the damage a single breach can do, so any such repository must be held to security standards commensurate with that risk. By treating genetic information as a shared public resource, such partnerships could combine private innovation with public accountability, setting clear standards, protecting infrastructure and restoring trust in personalized medicine.

Ultimately, regulations must recognize the uniqueness of DNA compared to other types of data. Policies should regulate the entire lifecycle of genetic information, from its collection to storage and potential sale. Clear, explicit opt-in consent, independent oversight of corporate practices and strict penalties for breaches are critical. At the same time, responsible companies should be empowered to provide meaningful health insights, ensuring the continued value of genetic data collection while maintaining transparency in data-sharing practices and investing in strong safeguards, such as mandatory multi-factor authentication and encryption of stored genetic data, to keep that information secure.

Large DNA databases hold tremendous potential to advance medicine, offering statistical power for breakthroughs in linking genetics and disease. Private companies like 23andMe have often outpaced public efforts in scale and speed. However, without consistent regulation and sustainable business models, these advancements risk being overshadowed by privacy breaches and eroding public confidence. With clear, enforceable regulations, the potential sale or acquisition of the 23andMe data would be far less perilous, ensuring that the benefits of genomic research are achieved without compromising personal security or trust.

The collapse of 23andMe serves as a stark warning: without these safeguards, we jeopardize not only personal security but also the future of genomic breakthroughs, undermining the very optimism that once propelled this industry forward. 

Dov Greenbaum is professor of law at Reichman University and lecturer in biomedical informatics and data science at Yale University. Mark Gerstein is Albert L. Williams Professor of Biomedical Informatics and professor of molecular biophysics and biochemistry, of computer science, and of statistics and data science at Yale University.