Fear for Jewish genetic data as 23andMe goes up for sale

The fallout was swift. A class-action lawsuit accused 23andMe of failing to properly notify affected users of the breach. In September last year, the biotech firm settled for $30 million, but its valuation of $6 billion (at its 2021 peak) plummeted and never recovered.

Last Sunday, 23andMe declared bankruptcy. Now its prized asset – the genetic data of 15 million people – is up for sale, a process which comes with risks of its own.

Privacy experts have already urged customers to delete their profiles while they still can. By Monday, so many users tried to do so that the site crashed.

There are concerns about what will happen to the sensitive information of more than 15 million users who have accessed 23andMe (Photo: Getty)Getty Images

When 23andMe launched in 2017, it was at the forefront of the commercially available genetic testing boom, offering customers the chance to uncover family secrets, explore their ancestry, and gain insight into potential health conditions.

For some Jewish users, particularly those with families fractured by the Shoah, it offered the possibility of reconnecting with long-lost relatives. All for just £99.

But the 2023 breach exposed a more unsettling reality: what happens when highly personal genetic data falls into the wrong hands? As 23andMe’s assets are put up for sale, Jewish customers are left wondering who will end up owning their DNA – and what happens when that data is lost.

Data privacy expert Suzanne Bernstein, of the nonprofit Electronic Privacy Information Centre, told the JC that customers now face “little to no protection for their data as 23andMe heads into bankruptcy”. While the company insists that it has “de-identified” its data, Berstein pointed to its “poor track record of data security” as a cause for concern among users.

“23andMe claims the data has been de-identified, but there is a lack of trust with this company,” she said. And while the data is anonymised, she added: “It is unclear how identifiable people are from their data.”

“It is becoming increasingly easier to reidentify data sets – machine learning systems and other analytical tools can combine data sets to reveal personal information. Genetic data is highly sensitive and immutable.

"It’s one thing to change a phone number or social security number after an identity hack, but your genetic data cannot be replaced.”

Bernstein also noted that while the UK and EU’s General Data Protection Regulation laws (GDPR) offer robust protections, data privacy in the US (where 23andMe is based) varies by state.

In California, for instance, companies risk lawsuits for sharing data without consent, whereas other states customers have far fewer safeguards. Regulations also differ for companies categorised as medical versus commercial – 23andMe is commercial.

Suzanne Bernstein, from the Electronic Privacy Information Centre: "The scale of how much highly sensitive data 23andMe has is unique" (Photo: EPIC)[Missing Credit]

Bernstein also suspects that health insurance companies will be keen to access 23andMe’s data sets, claiming that this could risk changing insurance premiums for different ethnicities.

“There is a regulation in the US that prohibits discrimination based on genetic information in health insurance and employment contracts,” Bernstein explained. “Yet there are loopholes – insurers have been reported to use data purchased from brokers to set prices based on lifestyle information, potentially impacting rates.”

The data could also be a gold mine for artificial intelligence (AI) firms that have the financial means to acquire it.

Data from 23andMe could easily feed into a broader commercial ecosystem that tracks online behaviour, combining health information with purchasing history, social media activity, and location data to create detailed consumer profiles.

“Any kind of health information can make a consumer profile more robust. The most immediate impact on consumers is enhanced profiling,” Bernstein continued.

While the threat of nefarious actors acquiring a list specifically of Jews may seem less imminent, she warned that, once the data is out there, “nothing stops them from purchasing this information.”

And with the 2023 hack fresh in the minds of many, she understands if there are fears in the community. Even if someone has not done a 23andMe test, purely because of the size of the community, it is likely that at least some of their genetic data exists on the platform.

"If folks still have accounts, I would encourage them while they can to logon and request to delete their information. Users have the ability to download certain aspects of their account before they do this,” Bernstein concluded.

Once the company is sold, users may no longer be able to delete their profiles.

However, not everyone shares Bernstein’s concern. Adam Rose, commercial and data protection partner at Mishcon de Reya, acknowledged that, when you share your data with a third party, “there is always a risk that it does get exploited in ways that you have not anticipated. When a company goes bust, someone might go and buy those assets.”

Yet Rose noted that UK law provides a “level of protection” regarding how such data can be used, and remained sceptical about whether deleting data truly eradicates it.

“If people are anxious and want to delete their profiles, then that is what they should do. But it is very hard to delete data. Whether deleting their data fully removes it – or if it just vanishes from the front end while lingering in the back office – I don’t know,” he told the JC.

Despite these concerns, Rose, who discovered long-lost family connections through 23andMe, was quick to highlight the benefits of genetic testing – especially for families affected by the Holocaust. “There is quite a demand for this technology in the Jewish community. The more data that remains, the more useful it will be for the Jewish community. It’s a network effect – the more who take part, the more valuable the service is.”

When the data is sold, Rose hopes that future buyers will “be inclined to expand the service rather than compromise it”.

And it appears the moment is fast approaching – on Thursday, 23andMe shares rebounded by more than 60 per cent after a US judge confirmed that the company is permitted to begin the process of selling its customers' data.

A spokesman for 23andMe told the JC: “There are no changes to the way the company stores, manages, or protects customer data.

“Any buyer will be required to comply with applicable law with respect to the treatment of customer data and any transaction will be subject to customary regulatory approvals, including, as applicable, approvals under the Hart-Scott-Rodino Act and the Committee on Foreign Investment in the United States.

"23ndMe remains committed to our customers' privacy and our strong customer privacy protections remain in place. 23andMe does not share customer data with third parties without a customer’s consent, and our Research program is opt-in, requiring customers to provide separate informed consent before joining. Further, 23andMe Research is overseen by an outside Institutional Review Board, ensuring we meet high ethical standards for the research we conduct.

“In addition to our own strict privacy and security protocols, 23andMe complies with state and federal consumer privacy and genetic privacy laws to protect our customers’ genetic data. We are committed to protecting customer data and are consistently focused on maintaining the privacy of our customers. 

“23andMe customers always have the option to delete their account at any time, and once the request is confirmed we will immediately and automatically begin the deletion process. Deleting an account and associated data will permanently delete the data associated with all profiles within the account. If you asked us to store your genetic samples, they will be discarded. If you opted in to 23andMe Research, your personal information will no longer be used in any future research projects. Data cannot be removed from research that’s already been conducted.”