23andMe files for bankruptcy, customers advised to delete DNA data
California-based genetic testing provider 23andMe has filed for Chapter 11 bankruptcy and plans to sell its assets following years of financial struggles.
23andMe has been providing direct-to-consumer DNA testing services since November 2007 to customers who send a saliva sample and receive a report on their ancestry and genetic predispositions. Since then, 23andMe has sold over 15 million DNA testing kits.
The company said in a Sunday press release that it will not change how it stores, manages, or protects customer data.
In a Monday filing with the U.S. Securities and Exchange Commission (SEC), it also “filed a motion seeking authorization to pursue a structured sale of their assets pursuant to a competitive auction and sale process,” after rejecting a takeover bid from the CEO and co-founder Anne Wojcicki, who has since resigned to enter the sales process as an “independent bidder.”
“In addition, we are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction,” said Mark Jensen, 23andMe Chair of the Board of Directors.
With the company’s assets now up for sale to the highest bidder, privacy experts fear that all the amassed DNA data could fall into the wrong hands, potentially exposing 23andMe customers’ genetic information despite the company’s assurances that this won’t happen.
The Office of California’s Attorney General also reacted to the news and issued a consumer alert advising 23andMe customers to ask the company to delete their data, destroy their test samples, and revoke permission for their data to be used for research.
This alert also provides detailed steps on how to file these requests, including logging into your account, going into Settings, clicking ‘View’ next to “23andMe Data” (here you also have the option to download your data first), scrolling to “Delete Data,” and clicking “Permanently Delete Data.” Next, you must click the link in the confirmation email that you’ll receive from 23andMe.
Today, the United Kingdom’s Information Commissioner’s Office also said that genetic information is among the most sensitive personal data individuals share and warned that companies handling this data must follow strict security and governance standards under GDPR.
“We are aware that 23andMe has filed for Chapter 11 bankruptcy in the US to facilitate a sale process. We are monitoring the situation closely and are in contact with the company,” said ICO Deputy Commissioner Stephen Bonner.
“As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers.”
In September 2024, 23andMe agreed to pay $30 million to settle a lawsuit over a data breach that had exposed the data of 6.4 million customers in 2023. In January 2024, the company also confirmed that the attackers stole health reports and raw genotype data during five months of credential-stuffing attacks.
This 2023 data breach led to multiple class-action lawsuits, which prompted 23andMe—in a move widely criticized by customers—to amend its Terms of Use in November 2023 to make it harder to sue the company. However, 23andMe claimed that the changes aimed to simplify the arbitration process.