What’s next for 23andMe? Most people know the biotech company as a genetic testing service. Stories of people sending their cheek swabs off in the mail only to discover that a parent who raised them wasn’t their biological one have become a kind of millennial horror genre. Of course, most 23andMe experiences aren’t that dramatic: the company says over 14 million people have used the service in hopes of learning more about their ancestry.
But this month, 23andMe revealed it is facing major financial troubles, and more information came to light about a devastating security breach at the company last year. Now, customers might be wondering: can they trust 23andMe with their DNA?
The DNA “bait-and-switch”
Last week, 23andMe reported dismal third-quarter fiscal results, tanking stocks in the company, CNBC reported. Its financial woes come down to a longevity problem: the company’s most famous offering, the DNA ancestry test, is a one-and-done deal. After taking the test, there’s no reason for consumers to keep spending money on 23andMe, which has led to a plateau of sorts.
Nevertheless, the company’s CEO, Anne Wojcicki, told Wired she remains “optimistic” about 23andMe’s future.
At-home DNA tests are so ubiquitous that you can order one for a dog. 23andMe was the first company to offer the (human) service, back in 2007, and now an estimated one in five Americans have tried at-home genetic testing. Some customers were handing over personal data that Wojcicki and co used for purposes other than family reunions.
From 2018 to 2023, 23andMe partnered with the pharmaceutical giant GlaxoSmithKline, using customers’ genetic information to help develop drug targets. (A drug target is a molecule that plays a role in a disease; researchers use them to develop therapies for certain diseases.) This year, the partnership became non-exclusive, which means 23andMe can strike deals with more pharmaceutical companies to milk more money out of its DNA trove.
“It’s a real resource that we could apply to a number of different organizations for their own drug discovery,” Wojcicki said, adding that 23andMe was interested in studying inflammation immunology, particularly asthma.
23andMe already has two cancer drugs undergoing drug trials; those drugs came from users’ genetic data. But 23andMe users may not understand that the spit they gave the company months or years ago is being used to make more money.
As the health reporter Kristen V Brown wrote for Bloomberg in 2021: “It wouldn’t be crazy for the 8.8 million 23andMe customers who once absently checked a box saying, yeah, sure, use my data for whatever, to feel like they’ve been bait-and-switched now that their genes are laying the groundwork for potential cancer cures.” (Since 2021, the number of customers who have checked that box has risen to 10 million, per Wired.)
Customers can revoke consent
Americans tend to believe that their health data is covered by Hipaa, the health privacy law – surely 23andMe, with its official-looking cheek swabs and far-off labs, must be too. But 23andMe isn’t a healthcare provider. The same rules do not apply.
“There are no serious safeguards, no regulation around the collection and sale of really sensitive personal data,” said Suzanne Bernstein, a law fellow at the Electronic Privacy Information Center. “For 23andMe, the nefarious [data] breach constitutes a security issue, but so does the company sharing your information with a party that you didn’t know about. Customers may technically consent to their data being shared by accepting the terms and conditions, but those are really long and a lot of people don’t read them.”
Some people might find it honorable that their genes are being used for cancer research. Others might feel ripped off: they paid about $229 for a DNA testing kit, but 23andMe is using their health data for free. Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation, says 23andMe could do more to ensure that customers better understand this dynamic before they opt in.
“The amount of people who are surprised by how much data goes elsewhere is a sign that 23andMe isn’t explaining things very clearly,” he said.
Klosowski added that while users can opt out of their data being used by 23andMe long after they’ve sent away their DNA swab, their information may have already been used for research purposes. “You can ask 23andMe to stop using your information, but you can’t ask for data to be removed from a list once it’s been sold off,” he said.
For its part, 23andMe maintains that users are asked to opt in to research at point of purchase, and all personal data is stripped of identifying information before it’s shipped off for analysis. Data isn’t used without this consent, and consent can be revoked. The company’s research wing is also overseen by an “independent, impartial” review board. (23andMe did not respond to a request for comment.)
Data breach leads to class action suit
23andMe’s security breach is still at the forefront of many customers’ minds, too. Last year, nearly seven million customer profiles were hacked. Over the course of five months, hackers were able to access health records, including carrier-status reports, as well as personal information from up to 5.5 million people who opted in to one of 23andMe’s best-known features: the chance to find relatives.
Customers with Chinese and Ashkenazi Jewish heritage appeared to have been targeted in the breach and their information sold on the dark web, the New York Times reported. Some of those users recently filed a class-action suit against the company, saying 23andMe had failed to notify them about the exposure.
As the Guardian reported on Thursday, 23andMe downplayed its responsibility for the hack in a letter to customers, arguing the health information accessed “cannot be used for any harm”. It also blamed customers who “negligently recycled and failed to update their passwords” – a response that one former customer criticized as “morally and politically very dumb”.
Wojcicki didn’t speak directly about the leak due to pending litigation, but she told Wired that 23andMe had introduced two-factor authentication and made customers reset their passwords. “Data privacy and security has always been a really high priority and remains a high priority for the company and something that we are going to invest even more into,” she said.
Are 23andMe’s security issues the death knell for a company that Time once hailed as the “invention of the year”? Whether or not customers’ privacy concerns are well founded, the company’s financial fall has been swift, and CNN reports it could be delisted from Nasdaq if its stock price doesn’t go up.
Dominic Sellitto, a clinical assistant professor at the University of Buffalo who focuses on digital privacy, believes that if 23andMe survives the year, it will be due to data mining. “There’s a lot of demand and money for data, especially quality healthcare data,” he said. “If 23andMe continues to monetize that, it will be their golden ticket in 2024.”