Millions of people have spat into test tubes for ancestry companies but now there are questions being asked about what might happen to their DNA.
After a data breach, a sinking share price and mass board resignations, the chief executive of the Californian personal genomics firm 23andMe said she would consider selling the business. This means the DNA of its 15 million customers could also be up for grabs.
‘A saleable asset’
Shares in 23andMe are “worth pennies”, said NPR last Thursday. Its valuation has “plummeted 99% from its $6 billion peak shortly after the company went public in 2021”. And its revenue for the first quarter of the 2025 fiscal year came to $40 million, about 34% down on the same period the year before.
Seven board members resigned, expressing weariness with the company’s direction, and chief executive Anne Wojcicki, who owns 49% of the voting stock, said she would take the company private.
The business isn’t bound by the US health privacy law like a GPs’ practice, said The Atlantic, and its privacy policies “make clear that in the event of a merger or an acquisition, customer information is a saleable asset”.
Trolling genomes
Potential buyers “may have very different ideas about how to use the company’s DNA data to raise the company’s bottom line”, said The Atlantic. For example, parties that “might take an obvious interest in the secrets of Americans’ genomes” include insurers, who “would probably like to know about any genetic predispositions that might make you more expensive to them”.
Information about your ethnicity “can also be sensitive”, and that’s encoded in your genome. “Imagine drugmakers trolling your genome” to find out what conditions you’re at risk for and then “targeting you with ads for drugs to treat them”.
Although the company insists that it is committed to customer privacy, people who have submitted tests to discover ancestry lines or for healthcare research can “potentially leave their information vulnerable to threat actors”, said The New York Times.
Genome structures are “complex”, and “the path to unearthing sensitive information from them” is still “far from simple”. Although “superficially, there might be a comforting aspect to that”, Mark Gerstein, a professor at Yale University, told the paper, it is difficult to predict what people might be able to glean in the future.
Time to delete?
This is not the first time that questions over privacy have cast a shadow over the company. In a data breach last December hackers gained access to the personal information of nearly 7 million profiles by recycling old passwords that 23andMe customers had used on other sites that had been compromised.
The company admitted that by accessing those accounts, hackers were then able to find their way into “a significant number of files containing profile information about other users’ ancestry”. So “if you ever used 23andMe”, you “might want to consider deleting your data while you still can”, said PC Mag.
The company, said Venture Beat, has become a “cautionary tale” of how there are “immediate and lasting impacts” for any organisation that ignores the importance of cybersecurity.