Why 23andMe is Facing a Fine Amid Data Breach & Bankruptcy

23andMe faces fine from UK's ICO amid data breach investigation and bankruptcy filing, raising concerns about genetic data security and consumer privacy

The consumer genetic testing industry expanded rapidly through the 2010s, leading 23andMe, the DNA testing company, to become one of the global pioneers in direct-to-consumer genetic testing.

With competitors such as Ancestry.com, 23andMe offered genealogical DNA testing services, capturing public imagination with promises of revealing ancestral origins and potential health predispositions through simple saliva-based testing kits.

The company has processed DNA samples from more than 12 million customers worldwide, building one of the largest private genetic databases in existence.

However, the company now faces challenges ranging from a recent Chapter 11 bankruptcy filing to an investigation into a data breach in 2023.
The Information Commissioner's Office (ICO) has issued 23andMe with provisional findings and a notice of intent to fine the firm US$5.93m following a joint investigation with Canadian authorities into a significant data breach.

The investigation amid growth and challenges in the consumer genetic testing market

The case highlights the complex interplay between innovative health technology, consumer privacy and regulatory frameworks designed to protect sensitive personal information.

The direct-to-consumer genetic testing industry has faced mounting challenges in recent years – as market saturation, increased regulatory scrutiny and growing public awareness of privacy concerns have constrained growth.

The business model, which initially relied on one-time purchases of testing kits, has also struggled to create sustainable revenue streams beyond initial testing.

Additionally, privacy advocates have long warned about the potential risks of centralised genetic databases in commercial hands – as genetic data, unlike other forms of personal information, is permanent and uniquely identifying, potentially revealing information about health risks, family relationships and ancestry that individuals might prefer to keep private.

As a result, the investigation against 23andMe centres on a security incident first reported in October 2023, where unauthorised access to genetic information occurred.

Stephen Bonner, ICO Deputy Commissioner - Regulatory Supervision, says: “Genetic information is among the most sensitive personal data that a person can entrust to a company and organisations handling such data are required to uphold a very high standard of security and governance in accordance with the UK GDPR” (General Data Protection Regulation).

ICO and Canadian Privacy Commissioner continue investigation despite 23andMe chapter 11 filing

The breach investigation has been conducted jointly with the Office of the Privacy Commissioner of Canada since late 2023 – and the ICO has now moved to a formal stage with preliminary enforcement actions against the company.

“Earlier this month, we issued 23andMe with our provisional findings, a notice of intent to fine US$5.93m and a preliminary enforcement notice,” Stephen explained.

“We would stress these findings are provisional and as with all preliminary findings, are subject to representations from 23andMe including in relation to affordability considerations.”

The fine, if finalised, would be a substantial penalty for violations related to data protection under UK GDPR (General Data Protection Regulation) – the comprehensive privacy legislation that governs how organisations must protect personal information of UK citizens.

The legislation imposes strict requirements on companies that process sensitive data, with genetic information classified at the highest tier of protection.

23andMe bankruptcy filing

The regulatory action comes at a challenging time for 23andMe, as the company has now entered bankruptcy proceedings in its home market.

The Chapter 11 filing, a form of bankruptcy in the US that allows a company to reorganise its debts while continuing operations, is intended to facilitate a sale process according to the ICO statement.

Despite these financial developments, the ICO has made clear that the company's obligations to protect customer data remain unchanged.

The regulator confirmed it is monitoring the situation but emphasised that bankruptcy proceedings do not alter compliance requirements.

“We are aware that 23andMe has filed for Chapter 11 bankruptcy in the US to facilitate a sale process. We are monitoring the situation closely and are in contact with the company,” Stephen says.

“As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers.”

Raised questions about customer data protection

More pressingly, the breach raises concerns about the security of genetic data held by private companies.

Consumer genetic testing has grown into a substantial market over the past decade, with millions of people submitting DNA samples to learn about their ancestry, health predispositions and other genetic traits.

This information, once digitised and stored, creates databases of highly personal and immutable information that require robust security protocols.

Industry experts note that genetic data presents unique privacy challenges as it cannot be changed like passwords or credit card numbers following a breach.

The data contains information not just about the individual but potentially about biological relatives as well, amplifying the privacy implications.

Therefore, questions remain about how customer data will be handled in the event of a sale through the bankruptcy process, though regulatory authorities in multiple jurisdictions appear determined to maintain protection standards regardless of corporate restructuring.

Stephen says: “The ICO will carefully consider any representations made before taking a final decision.”



Technology Magazine is a BizClik brand