Genetic data in the balance
ASU event examines risks after 23andMe bankruptcy
Gene Fishel, counsel at Troutman Pepper Locke and former senior assistant attorney general, presents at a recent event hosted by Arizona State University's Consortium for Science, Policy & Outcomes at the Barrett & O’Connor Center in Washington, D.C. Courtesy photo
What happens to your most personal data — data that details your family tree, genetic makeup and health history — when a company that houses that data fails?
For millions of Americans who shared their DNA with 23andMe, that question became reality when the company filed for bankruptcy — revealing critical gaps in how genetic data is governed.
At a recent event hosted by Arizona State University's Consortium for Science, Policy & Outcomes at the Barrett & O’Connor Center in Washington, D.C., that question took center stage as Gene Fishel, counsel at Troutman Pepper Locke and former senior assistant attorney general, examined the fallout — and what it means for policymakers.
“The 23andMe case … has sent shock waves through the legal community, the tech community, the biotech community,” Fishel said.
Unlike other personal information, genetic data carries risks that extend far beyond the individual.
“This is data that’s immutable. It can’t be changed, and it also can’t be de-identified,” Fishel said. “Your genetic makeup is always going to be your genetic makeup.”
That permanence creates a cascading set of concerns. Genetic data identifies not only individuals but also their relatives, often without their consent.
“If you’re submitting your genetic data … you are pulling in everyone else that has that genetic data without their consent,” he added.
At its peak, 23andMe held highly sensitive data including DNA, health indicators and personal identifiers for roughly 14 million users.
The company’s decline accelerated after a 2023 cyberattack exposed millions of accounts through credential stuffing, an attack that essentially exploits reused passwords.
“Their failure here is that they did not deploy multi-factor authentication,” Fishel said. “By 2023, they really should have deployed multi-factor authentication.”
The breach affected about 7 million users, triggering nationwide investigations and lawsuits.
A $30 million class action settlement, combined with declining consumer trust, ultimately pushed the company into bankruptcy. As the bankruptcy unfolded, a new question emerged: Can genetic data be treated like any other asset?
“Genetic data could be sold as a corporate asset,” Fishel said, explaining that the bankruptcy code currently does not contemplate genetic data.
That gap prompted intervention from state attorneys general, who sought to limit the transfer of consumer data without consent. Ultimately, regulators secured conditions on the sale, including stronger privacy protections and continued consumer control over data.
The case exposed broader weaknesses in U.S. data governance. “There is very much a patchwork with these privacy laws,” Fishel said, pointing to varying state laws and limited federal oversight, including the fact that the Health Insurance Portability and Accountability Act does not apply to direct-to-consumer genetic testing companies. This, explained Fishel, reflects “one of the big gaps in federal law.”
Many existing laws also fail to address what happens when a company holding sensitive data shuts down. In response, policymakers are beginning to consider new safeguards, including stronger security requirements, clearer consent policies, and rules governing data transfers during bankruptcy.
Fishel also stressed the need for data wind-down plans — or the requirement of data deletion — if a company ceases operations.
But even with those potential wind-down plans, emerging technologies like artificial intelligence may further complicate the landscape. Fishel explained that AI creates new attack vectors that make it easier to gain access to personal information.
Genetic data has the potential to drive advances in health and science, but it also raises profound privacy risks. For policymakers, the challenge is clear: protecting consumers without stifling innovation.