23andMe once promised to make genetic discovery accessible to everyone, but their plans probably didn’t include making everyone’s genetic data accessible in return.
Millions of people across the world submitted their saliva to learn about their ancestry, health risks, and long-lost relatives. However, within a few years, the California-based biotech firm went from one of Silicon Valley’s most celebrated startups to a cautionary case of data misuse, broken trust, and legal backlash.
After a major data breach affected nearly 7 million users, class-action lawsuits and regulatory fines followed. The company filed for bankruptcy in March 2025 and was sold to a nonprofit controlled by its co-founder.
Public concern over how personal DNA can be used or sold has only grown, especially as genetic data remains difficult to fully delete or control.
Popular ancestry service with health promises, research ambitions
Founded in 2006, 23andMe allowed users to send in saliva kits and receive reports on ancestry breakdown, DNA relatives, and health traits.
The company gained worldwide popularity for its user-friendly kits and the promise of personal genetic insight.
By 2021, 23andMe had gone public with a $6 billion valuation and counted over 15 million users, with 80% of them agreeing to let their genetic data be used for research. High-profile figures, including Oprah Winfrey and Snoop Dogg, publicly endorsed the service.
But as the company expanded from ancestry into health-risk predictions and drug development, criticism mounted.
In 2013, the U.S. Food and Drug Administration (FDA) forced 23andMe to stop offering medical risk assessments, citing concerns about accuracy and misleading claims. After a four-year suspension, the firm regained limited approval to share risk data for 10 conditions, eventually expanding the list to 50.
Experts warned the medical reports could give false reassurance or cause unnecessary panic. “Their product was always very limited in what it could tell you about tendencies to disease,” Anneke Lucassen, a clinical geneticist at the University of Oxford told Nature.
23andMe data breach exposed genetic info of 6.9M users
In October 2023, 23andMe confirmed a large-scale security breach after hackers accessed personal and genetic data through reused passwords, a method known as “credential stuffing.”
What was exposed:
About 14,000 accounts were directly breachedDue to a feature called “DNA Relatives,” data from 6.9 million users was indirectly exposedData included names, birth years, locations, family tree links, genetic ancestry, and health traitsCurated lists were created for Ashkenazi Jewish and Chinese users and offered for sale onlineHackers sold files for as little as $1–$10 per account
The company initially blamed users for not updating their passwords. A statement to regulators said: “The incident was not a result of 23andMe’s failure to maintain reasonable security measures.”
The backlash was immediate. Eli Wade-Scott, an attorney representing victims, said the monthslong breach showed “a total failure to monitor systems that handle highly sensitive data.”
In June 2025, the U.K.’s Information Commissioner’s Office fined 23andMe over $3 million for poor security practices and slow breach response. Canadian authorities joined the investigation.
Regulators concluded that 23andMe had ignored repeated warnings, failed to implement two-factor authentication, and lacked adequate breach protocols.
Layoffs, lawsuits, board resignations mark 23andMe’s decline
By late 2023, 23andMe had begun cutting staff and shutting down its drug development pipeline. In November, the company laid off 40% of its workforce and halted all ongoing clinical trials.
A month earlier, all independent board members had resigned. In a public letter, they criticized CEO Anne Wojcicki for failing to present a “fully financed, actionable proposal” to take the company private. Her offer of $0.40 per share was rejected.
The company’s valuation collapsed, with the share price falling to as low as $0.30, and its cash reserves were rapidly depleting after the board members’ resignations. In March 2025, 23andMe filed for Chapter 11 bankruptcy protection.
Lawsuits followed across multiple states:
Plaintiffs accused the company of negligence and invasion of privacyMany Jewish and Chinese users were not informed that they had been targetedSeveral lawsuits alleged 23andMe had “lied about the scope and severity of the breach”Attorneys general from New York, California, and other ostates pened investigations into security practices
Lawyers said curated ethnic datasets could be exploited by state actors or extremist groups.
“This is a total paradigm shift when it comes to the implications of a data breach,” said attorney Jay Edelson. “You have extremist groups calling for the death of Jews throughout the world, so it’s hard to see how the stakes could be higher,” he added.
Regeneron tried to buy 23andMe, but public pressure blocked sale
In May 2025, Regeneron Pharmaceuticals won an auction to acquire 23andMe for $256 million. The announcement sparked concern from privacy experts and regulators.
Attorneys general from more than 20 U.S. states sued to block the deal, arguing that DNA data should not be treated like typical corporate assets during bankruptcy.
“I think historically there is a concern amongst the Jewish community for people knowing who we are, where we live, and our genealogy,” said Kyle, a former customer who spoke to NPR. “If that information gets into the wrong hands, it’s very dangerous.”
Public advocacy groups urged customers to delete their genetic data from 23andMe’s database. The company had said it would abide by existing privacy policies, but those terms included language allowing the sale or transfer of personal data in case of bankruptcy or acquisition.
Former CEO buys back 23andMe through nonprofit
In June 2025, Anne Wojcicki returned with a competing bid through a nonprofit entity she created called TTAM Research Institute.
With $305 million in backing, she outbid Regeneron and regained control of 23andMe.
What the nonprofit promised:
Uphold the original privacy policy and consent structureAllow users to delete their data and biological samples at willContinue using data for medical research, but notfor commercial purposesComply with data protection laws and introduce additional oversight
A U.S. bankruptcy judge approved the sale, calling it a better outcome than transferring the database to a pharmaceutical firm. However, five states—including California, Kentucky, and Utah—remained opposed.
While TTAM now controls the company, not all privacy experts are reassured. “Once genetic data is incorporated into research or shared externally, there’s no meaningful way to retrieve or erase it,” said Boston College Law Asst. Professor Shelly Simana.
Can 23andMe users delete all data as urged?
After the bankruptcy filing, officials in New York and California encouraged users to delete their accounts.
But data experts warned that deleting a profile does not mean all DNA data disappears.
How to delete your data from 23andMe:
Log in to your accountGo to “Settings”Click “23andMe Data” → “View”Select “Permanently Delete Data”Submit a request to destroy any biological samples
Even after deletion, data previously shared in anonymized form or used in research studies is not fully recoverable. The U.S. lacks federal data privacy laws specific to consumer DNA. Companies like 23andMe are not regulated under HIPAA, the law governing medical data.
“My hope is that the issues that this case raises and the attention that it’s gotten will, in tur,n spur some meaningful thought about data privacy protections, and those protections in a bankruptcy,” said Laura Coordes, a bankruptcy law expert at Arizona State University.
The story of 23andMe ultimately provides a peek at what can go wrong when personal genetic information is handled without strict oversight. What started as a fun ancestry tool ended in lawsuits, breaches, and fears of targeted surveillance. The story’s ending remains to be seen.
August 07, 2025 08:02 PM GMT+03:00