September 16, 2024

What is next for 23andMe? Most people know the biotech company as a genetic testing service. Stories of people sending off their cheek swabs in the mail only to discover that a parent who raised them was not their biological one have become a kind of millennial horror genre. Of course, most 23andMe experiences aren’t that dramatic: the company says more than 14 million people have used the service in hopes of learning more about their ancestry.

But this month 23andMe revealed it was facing major financial problems, and more information emerged about a devastating security breach at the company last year. Now customers may be wondering: can they trust 23andMe with their DNA?

The DNA ‘bait and switch’

Last week, 23andMe reported dismal fiscal third-quarter results, sending shares in the company soaring, CNBC reports. Its financial woes boil down to a longevity problem: the company’s best-known offering, the DNA ancestry test, is a one-and-done deal. After taking the test, there is no reason for consumers to continue spending money on 23andMe, leading to a plateau of sorts.

Nevertheless, the company’s CEO, Anne Wojcicki, told Wired she remains “optimistic” about 23andMe’s future.

At-home DNA tests are so ubiquitous that you can order one for a dog. 23andMe was the first company to offer the (human) service back in 2007, and now an estimated one in five Americans have tried home genetic testing. Some clients handed over personal data that Wojcicki and co used for purposes other than family reunifications.

From 2018 to 2023, 23andMe partnered with pharmaceutical giant GlaxoSmithKline and used customers’ genetic information to develop drug targets. (A drug target is a molecule that plays a role in a disease; researchers use it to develop therapies for certain diseases.) This year, the partnership became non-exclusive, meaning 23andMe can enter into agreements with more pharmaceutical companies to milk more money from its DNA trump card.

“This is a real resource that we can apply to a number of different organizations for their own drug discovery,” Wojcicki said, adding that 23andMe is interested in studying inflammation immunology, especially asthma.

23andMe already has two cancer drugs undergoing drug trials; those drugs came from users’ genetic data. But 23andMe users may not understand that the spit they gave the company months or years ago is being used to make more money.

As health reporter Kristen V Brown wrote for Bloomberg in 2021: “It wouldn’t be crazy for the 8.8 million 23andMe customers who once absent-mindedly checked a box that said, yes, sure, use my data for whatever, to feel like they’re being baited-and-switched now that their genes lay the foundation for potential cancer cures.” (As of 2021, the number of customers who have checked that box has risen to 10 million, per Wired.)

Americans tend to believe their health data is covered by Hipaa, the health privacy law — surely 23andMe, with its official appearance of cheek swabs and far-flung labs, should be too. But 23andMe is not a healthcare provider. The same rules do not apply.

“There are no serious safeguards, no regulation around the collection and sale of really sensitive personal data,” said Suzanne Bernstein, a legal fellow at the Electronic Privacy Information Center. “For 23andMe, the ominous [data] breach poses a security issue, but so does the company sharing your information with a party you didn’t know about. Customers can technically consent to their data being shared by accepting the terms and conditions, but it’s very long and many people don’t read it.”

Some people may find it honorable to have their genes used for cancer research. Others may feel ripped off: They paid about $229 for a DNA test kit, but 23andMe uses their health data for free. Thorin Klosowski, a security and privacy activist at the Electronic Frontier Foundation, says 23andMe could do more to ensure customers better understand this dynamic before signing up.

“The amount of people who are surprised by how much data is going elsewhere is a sign that 23andMe is not explaining things very clearly,” he said.

Klosowski added that while users can opt out of having their data used by 23andMe long after they send their DNA swab away, their information may already have been used for research purposes. “You can ask 23andMe to stop using your information, but you can’t ask for data to be removed from a list once it’s sold,” he said.

In turn, 23andMe maintains that users are asked to opt in to research upon purchase, and all personal data is stripped of identifying information before being sent for analysis. Data is not used without this consent, and consent can be revoked. The company’s research wing is also governed by an “independent, impartial” review board. (23andMe did not respond to a request for comment.)

Data breach leads to class action lawsuit

23andMe’s security breach is also still at the forefront of many customers’ minds. Last year, almost seven million customer profiles were hacked. Over the course of five months, hackers were able to access health records, including carrier status reports, as well as personal information of up to 5.5 million people who had agreed to one of 23andMe’s best-known features: the chance to find family members.

Customers of Chinese and Ashkenazi Jewish heritage appear to have been targeted in the breach and their information sold on the dark web, the New York Times reported. Some of those users recently filed a class-action lawsuit against the company, saying 23andMe failed to notify them about the exposure.

As the Guardian reported, in a letter to customers on Thursday 23andMe downplayed its responsibility for the hack, arguing the health information accessed cannot be used for any harm. It also blamed customers who “negligently recycled and failed to update their passwords” – a response one former customer criticized as “morally and politically very stupid”.

Wojcicki did not speak directly about the leak due to pending litigation, but she told Wired that 23andMe had implemented two-factor authentication and had customers reset their passwords. “Data privacy and security has always been and remains a very high priority for the company and something we will continue to invest in,” she said.

Is 23andMe’s security the death knell for a company Time once labeled the “invention of the year”? Whether or not customers’ privacy concerns are well-founded, the company’s financial decline has been swift, and CNN reports it may be delisted from Nasdaq if its share price does not rise.

Dominic Sellitto, a clinical assistant professor at the University of Buffalo who focuses on digital privacy, believes that if 23andMe survives the year, it will be because of data mining. “There is a lot of demand and money for data, especially quality healthcare data,” he said. “If 23andMe continues to earn this, it will be their golden ticket in 2024.”
