
The Privacy Risks Behind At-Home DNA Tests

Summary:
While at-home DNA testing can help you learn your ancestry or genetic traits, the bankruptcy of 23andme reveals the risks of giving biotech companies your personal data. Here’s an overview of the threats to your privacy and identity, and what to do if you’re a 23andme customer.

The data breach and bankruptcy of 23andme is a cautionary tale

It’s easy to see the appeal of genetic testing. With a simple at-home DNA test kit, you can learn all about your personal ancestry, genetic traits, hereditary health issues, and more. Millions of people have already given it a try: The global DNA diagnostics market was estimated at $10.6 billion in 2024, according to Grand View Research.

But just as there are privacy risks any time you give your personal data to an app or website, there are potentially even greater risks involved when you’re dealing with a biotech firm. The information collected by DNA testing companies is as sensitive as it gets—literally, a person’s individual genetic code.

To get an idea of what’s at stake, look no further than the saga of the genetic testing company 23andme. The company offers at-home DNA test kits; customers collect a saliva sample and send it to a lab for an analysis of ancestry, family traits, or potential health issues. In 2023, 23andme suffered a huge data breach affecting 6.9 million customers. Compounded by shrinking demand for its services, the company saw its market value plunge, which ultimately led to its filing for Chapter 11 bankruptcy earlier this year. 23andme received permission from a judge to sell its customer data—by far the most valuable asset for any new buyer.

Recently, the giant pharmaceutical company Regeneron won the bankruptcy action to purchase 23andme and its entire dataset (the deal is pending regulatory approval). While Regeneron has said it intends to honor 23andme’s existing privacy policy, the entire episode underscores privacy concerns around personal data at genetic testing companies. In this case, 23andme customers may soon have their data handed over to a pharmaceutical firm.

What are the privacy and identity risks involved in DNA testing?

While raw DNA data was not stolen as part of the 23andme data breach in 2023, the hack reportedly revealed sensitive personal information about affected users. According to TechCrunch, the stolen data included customers’ “name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location.” This kind of information can be extremely valuable for cybercriminals to buy and sell on the dark web, and could assist in efforts to commit identity theft.

But it doesn’t take a data breach to have your personal information wind up in the hands of a third party. As part of their user agreements, DNA testing firms often gain permission to sell user data to outside organizations such as pharmaceutical companies, which use the data for research purposes. Some may sell or share your genetic data more widely for use in third-party marketing efforts. And if a DNA testing company goes bankrupt and gets put up for sale, there’s no guarantee that the winning bidder will respect the privacy of your data.

It’s important to note that U.S. medical privacy laws don’t apply to genetic testing companies. While health records from physicians’ offices, hospitals, and insurers are in most cases privacy-protected under the Health Insurance Portability and Accountability Act (HIPAA), data collected by private companies—including bioscience-related apps and DNA testing companies—are not. In other words, companies like 23andme are not legally obligated to keep your DNA data confidential.

What should 23andme customers do?

If you’re a 23andme customer, consider deleting your user data if you’d prefer that it not transfer to the company’s new owner. The Electronic Frontier Foundation offers a step-by-step guide on how to do it, including instructions on how to download and save your data prior to deleting it from the site.

The Attorney General of California also urges 23andme customers to request the destruction of their saliva samples and DNA stored by the company; this can be done via your account settings under “Preferences.” Similarly, customers are advised to revoke permission for their genetic data to be used for research purposes; this can be done via account settings under “Research and Product Consents.”

None of this is to say that you should never engage with DNA testing companies. The most reputable ones provide a valuable service that can enrich your family’s life or give you an important early health warning. But before you sign up, carefully review the company’s user agreement and, if possible, deny them permission to share your data with third parties for research or marketing purposes. Your genetic code is truly the most unique thing about you, and it needs to be treated with care.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.