Consumer DNA testing services like 23andMe and AncestryDNA have been used by tens of millions of people to explore their ancestry and health traits. But the 23andMe data breach and subsequent bankruptcy in 2025 exposed a troubling reality: your genetic data may be far less protected than you think. Unlike a leaked password, you can't change your DNA. Here's what you need to know about the privacy risks of genetic testing and how to protect yourself.
The 23andMe Wake-Up Call
In October 2023, 23andMe disclosed a data breach that affected 6.9 million users — nearly half its customer base. The breach, which started through credential stuffing attacks, exposed sensitive information including ethnicity estimates, geographic locations, birth years, and family tree data. But the fallout didn't stop there.
In March 2025, 23andMe filed for Chapter 11 bankruptcy. The company — along with the genetic data of more than 15 million users — was sold to TTAM Research Institute for $305 million. This sale raised immediate concerns from privacy advocates and regulators about what would happen to this deeply personal data under new ownership.
Your DNA Data Is Permanent
A leaked password can be changed. A compromised credit card can be replaced. But your DNA is permanent and immutable. Once genetic data is exposed, the privacy implications last a lifetime — and extend to your biological relatives, even those who never took a DNA test.
What Data Do DNA Testing Companies Collect?
When you send a saliva sample to a consumer DNA testing service, you're sharing far more than you might realize:
- Raw genetic data — your complete genotyped DNA sequence, which can reveal health predispositions, ancestry, and biological relationships
- Health information — data about genetic health risks, carrier status, and wellness traits
- Family connections — information about relatives who have also tested, including those you may not know about
- Personal details — name, email, date of birth, geographic location, and health questionnaire responses
- Behavioral data — how you use the platform, what features you access, and what you search for
Key Privacy Risks
1. Data Breaches and Hacks
DNA testing companies are high-value targets for hackers. The 23andMe breach proved that even major companies can fail to protect genetic data. Unlike other personal data, genetic information can be used for genetic discrimination, blackmail, or targeted scams long after the initial breach.
2. Data Sales and Third-Party Sharing
Many DNA testing companies share or sell anonymized (or supposedly anonymized) genetic data to pharmaceutical companies, research institutions, and other third parties. 23andMe had partnerships with GlaxoSmithKline and other drug companies to use customer data for drug development research. When a company changes ownership — as happened with 23andMe's bankruptcy — the rules governing your data can change too.
3. Weak Legal Protections
Consumer DNA testing companies are not covered by HIPAA because they are not healthcare providers. This means your genetic data doesn't receive the same legal protections as medical records. While GINA (the Genetic Information Nondiscrimination Act) prevents genetic discrimination in health insurance and employment, it has significant gaps:
- GINA does not cover life insurance, disability insurance, or long-term care insurance
- GINA does not apply to employers with fewer than 15 employees
- GINA does not prevent data sharing with third parties like drug companies
- State laws vary widely in their genetic privacy protections
4. Law Enforcement Access
Law enforcement agencies have increasingly used genetic databases to solve crimes through a technique called genetic genealogy. While most DNA testing companies have policies restricting law enforcement access, these policies can change, and some public databases (like GEDmatch) are openly accessible to investigators. Your DNA data could be used to identify you — or your relatives — in criminal investigations, even without your consent.
5. Re-identification Risks
Even "anonymized" genetic data can potentially be re-identified. Research has shown that as few as 30-60 genetic markers can uniquely identify an individual. Combined with other publicly available information, supposedly anonymous genetic data can be traced back to specific people.
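To see why a few dozen markers suffice, the following Python snippet (added here as an illustration; it is not from the original article or any testing company) works through the arithmetic. It assumes independent biallelic SNPs in Hardy-Weinberg equilibrium and a world population of about 8 billion, both labelled as assumptions in the code. It computes the information content of one genotype, how many markers are needed before their combined entropy exceeds the bits needed to single out one person on Earth, and the expected number of unrelated people who would coincidentally share a given genotype profile.

```python
import math

# Assumption: approximate world population used as the pool of possible identities.
WORLD_POPULATION = 8_000_000_000


def genotype_entropy_bits(maf):
    """Shannon entropy (bits) of a single biallelic SNP genotype.

    Assumes Hardy-Weinberg equilibrium: genotype frequencies are
    p^2, 2pq, q^2 for minor allele frequency p = maf and q = 1 - p.
    """
    if not 0.0 < maf <= 0.5:
        raise ValueError("minor allele frequency must be in (0, 0.5]")
    p, q = maf, 1.0 - maf
    probs = [p * p, 2 * p * q, q * q]
    return -sum(x * math.log2(x) for x in probs if x > 0)


def bits_to_identify(population=WORLD_POPULATION):
    """Bits needed to name one individual out of `population` people."""
    return math.log2(population)


def markers_needed(maf, population=WORLD_POPULATION):
    """Smallest number of independent SNPs (all at the same MAF) whose
    combined genotype entropy exceeds log2(population).

    Real markers are correlated (linkage disequilibrium), so a real panel
    needs somewhat more markers than this lower bound.
    """
    per_marker = genotype_entropy_bits(maf)
    return math.ceil(bits_to_identify(population) / per_marker)


def random_match_probability(mafs):
    """Probability that an unrelated person shares a given individual's
    genotype at every marker in `mafs` (a list of minor allele frequencies).

    For one SNP, P(two random people match) = sum over genotypes of P(g)^2.
    Markers are assumed independent, so per-marker probabilities multiply.
    """
    prob = 1.0
    for maf in mafs:
        p, q = maf, 1.0 - maf
        genotype_probs = [p * p, 2 * p * q, q * q]
        prob *= sum(g * g for g in genotype_probs)
    return prob


def expected_coincidental_matches(mafs, population=WORLD_POPULATION):
    """Expected number of other people in `population` who match a given
    genotype profile at every marker by chance alone. Below 1 means the
    profile is, in expectation, unique to one person."""
    return population * random_match_probability(mafs)


if __name__ == "__main__":
    print(f"bits to identify one of {WORLD_POPULATION:,}: {bits_to_identify():.2f}")
    for maf in (0.5, 0.2, 0.1):
        print(f"MAF {maf}: {genotype_entropy_bits(maf):.3f} bits/SNP, "
              f"need >= {markers_needed(maf)} independent SNPs")
    # Constructed panel: 30 markers, each at MAF 0.5 (the most informative case).
    panel = [0.5] * 30
    print(f"30 SNPs at MAF 0.5: expected coincidental matches worldwide = "
          f"{expected_coincidental_matches(panel):.2e}")
```

The output shows that at a minor allele frequency of 0.5 each marker carries 1.5 bits, so about 22 independent markers already exceed the roughly 33 bits needed to pick one person out of 8 billion, and at a less informative MAF of 0.2 the count rises to 30. With 30 maximally informative markers, the expected number of strangers matching a profile by chance is on the order of one in a thousand, which is why stripping names from a genotype file does not make it anonymous.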
How to Protect Your Genetic Privacy
Before You Test
- Read the privacy policy carefully — understand how your data will be stored, shared, and used
- Check the company's data breach history — has the company experienced breaches before?
- Understand your consent options — can you opt out of research programs and third-party sharing?
- Consider whether you really need the test — weigh the benefits of ancestry or health information against the permanent privacy risks
If You've Already Tested
- Request data deletion — most DNA testing companies allow you to delete your account and request destruction of your physical sample. Do this through the company's privacy settings or by contacting their support team.
- Opt out of research programs — withdraw consent for any research or data-sharing programs you may have opted into
- Download your data first — before deleting your account, download a copy of your raw data so you have it for personal reference
- Revoke third-party access — if you uploaded your DNA data to any third-party services (like GEDmatch or Promethease), delete your data from those platforms as well
- Monitor for data breaches — sign up for breach notification services to be alerted if the company experiences a data incident
23andMe Users: Act Now
If you're a 23andMe user, California's Attorney General has specifically urged customers to delete their data and request destruction of their DNA samples following the company's bankruptcy sale. Go to Settings in your 23andMe account, select "23andMe Data," and follow the prompts to delete your account and request sample destruction.
The Bigger Privacy Picture
DNA testing privacy risks are a stark reminder that personal data, once shared, is difficult — sometimes impossible — to take back. The same principle applies to the personal information that data brokers collect and sell about you every day.
While you can't un-share your DNA after it's been compromised, you can take control of the other personal information floating around the internet. PrivacyOn helps by continuously monitoring and removing your personal data from over 100 data broker sites. With dark web monitoring that alerts you when your information appears in breach databases, PrivacyOn helps you stay ahead of the threats that come from exposed personal data.
Fully protecting genetic privacy may require new laws and stronger regulations. In the meantime, minimize your digital footprint, be cautious about what data you share, and use tools like PrivacyOn to control the information that's already out there.