Security · May 7, 2026 · 8 min read

What to Do If Your Genetic Data Is Leaked


By Sarah Chen

Head of Privacy Research


Unlike a stolen password or credit card number, your DNA cannot be reset. When genetic data is leaked, the consequences are permanent, deeply personal, and extend to your entire family. With the 23andMe bankruptcy putting over 15 million customers' genetic records in limbo, knowing how to respond to a genetic data breach has never been more urgent.

Why Genetic Data Breaches Are Different

Most data breaches expose information you can change — passwords, credit cards, even Social Security numbers in extreme cases. Genetic data is fundamentally different: it is immutable. Your DNA sequence will never change. Once exposed, there is no way to revoke it.

Genetic data also doesn't just belong to you. Because family members share significant portions of their DNA, a single person's leaked profile can reveal health predispositions, ancestry, and biological relationships for parents, siblings, children, and even distant relatives who never consented to testing.

What testing companies typically collect goes well beyond a DNA sequence:

  • Raw genotype data — hundreds of thousands of genetic markers
  • Health predisposition reports — risk assessments for conditions like Alzheimer's, Parkinson's, and certain cancers
  • Carrier status — whether you carry genes for heritable diseases
  • Ancestry and ethnicity estimates — detailed ethnic breakdowns and migration histories
  • DNA Relatives matches — connections to biological family members, including those you may not know about
  • Personal details — name, email, date of birth, location, and family surnames

Major Genetic Data Breaches: What Has Already Happened

The 23andMe Breach (2023)

In October 2023, hackers used credential stuffing to access approximately 14,000 23andMe accounts. Because of the DNA Relatives feature, which shares data between matched users, the attackers scraped personal and ancestry information of 6.9 million users in total. Stolen data included names, birth years, locations, ancestry results, and health-related genetic information.

The breach disproportionately targeted profiles identified as Ashkenazi Jewish and Chinese, with stolen data appearing on hacker forums within days.

23andMe Bankruptcy (2025)

In March 2025, 23andMe filed for bankruptcy, raising alarm about its genetic database of over 15 million customers. Attorneys general from more than two dozen states and members of Congress raised concerns that DNA data could be sold to a buyer with entirely different privacy commitments. Roughly 15% of customers requested data deletion following the announcement.

The bankruptcy court approved the sale of 23andMe's assets to TTAM Research Institute, founded by former CEO Anne Wojcicki. The episode exposed a critical reality: when a genetic testing company goes under, your DNA data becomes a corporate asset that can be transferred, sold, or repurposed.

Your DNA Data Is a Corporate Asset

When you submit a DNA sample to a testing company, your genetic information is typically governed by that company's privacy policy — not by law. If the company is sold, goes bankrupt, or changes its terms of service, the rules protecting your data can change overnight. Federal law provides surprisingly little protection for consumer genetic data held by private companies.

Immediate Steps If Your Genetic Data Is Leaked

If a genetic testing service you use has been breached, take the following steps as quickly as possible.

1. Request Data Deletion

Most genetic testing companies allow you to delete your account and associated data. Do this immediately if you no longer need the service.

  • 23andMe: Sign in, go to Settings, scroll to "23andMe Data," click "View," then "Permanently Delete Data." Confirm via the email you receive. Also check your Preferences to ensure your physical saliva sample is destroyed.
  • AncestryDNA: Go to your DNA Settings page and select "Delete Test Results." You can also request destruction of your physical sample separately.
  • MyHeritage: Navigate to the Manage DNA Kits section in your account settings and select the delete option, or contact customer support to have both data and physical samples destroyed.

Be aware that deletion has limits. Any data you previously consented to use in research studies cannot be removed from completed or ongoing research, though it will not be used in future studies.

2. Secure Your Accounts

  1. Change the password on your genetic testing account and any other account that shares the same password
  2. Enable two-factor authentication (2FA) — 23andMe, Ancestry, and MyHeritage all now support this
  3. Review your account's sharing settings and revoke access to DNA Relatives or similar matching features
  4. Check the email account associated with the service for signs of compromise
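The amplification seen in the 2023 breach (roughly 14,000 compromised accounts exposing 6.9 million profiles through DNA Relatives) is why step 3 above matters: a matching feature lets an attacker who controls one account read the shared profiles of everyone it matches with. The Python simulation below is an added example, not code from this article or from any testing company. The match graph, the user names, and the rule that an opted-out profile neither sees nor is seen by matches are constructed assumptions used to show the effect of opting out.

```python
"""Added illustration: how a relatives-matching feature multiplies the exposure
caused by a few compromised accounts, and how opting out contains it.

Everything here is constructed sample data; it does not model any real
service's data structures.
"""
from collections import defaultdict

# Constructed sample: pairs of users who appear in each other's match list.
# Matching is assumed symmetric: if A can see B's shared profile, B can see A's.
SAMPLE_MATCHES = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "dave"),
    ("carol", "erin"), ("frank", "grace"),
]


def build_match_graph(pairs):
    """Build an undirected adjacency map (user -> set of matched users)."""
    graph = defaultdict(set)
    for a, b in pairs:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def exposed_profiles(graph, compromised, opted_out=frozenset()):
    """Return the users whose shared profile data is readable by someone
    controlling the given compromised accounts.

    Assumed rules:
      * a compromised account always exposes its own data;
      * it also exposes the shared profile of every match it can see;
      * a user who opted out of matching has no match list and does not
        appear in anyone else's, so they leak only if their own account falls.
    """
    exposed = set(compromised)
    for account in compromised:
        if account in opted_out:
            continue  # no match list to read from this account
        for match in graph.get(account, ()):
            if match not in opted_out:
                exposed.add(match)
    return exposed


def amplification(graph, compromised, opted_out=frozenset()):
    """Exposed profiles per directly compromised account (1.0 = no spread)."""
    return len(exposed_profiles(graph, compromised, opted_out)) / len(compromised)


if __name__ == "__main__":
    g = build_match_graph(SAMPLE_MATCHES)
    hit = {"alice", "frank"}
    print("exposed with matching on: ", sorted(exposed_profiles(g, hit)))
    print("exposed if carol opted out:", sorted(exposed_profiles(g, hit, {"carol"})))
    print("amplification factor:      ", amplification(g, hit))
```

Running the demo shows five profiles exposed from two compromised accounts (a 2.5x amplification) and that carol disappears from the exposed set as soon as she opts out, even though alice's account is still compromised. The same logic is what makes revoking matching access a meaningful mitigation rather than a cosmetic one.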

3. Download Your Data Before Deleting

Before requesting deletion, download a copy of your raw genetic data and store it on an encrypted local drive. This way, you retain access to your results without depending on a company that may not exist next year.

4. Monitor for Identity Theft and Fraud

  1. Place a credit freeze at all three bureaus (Equifax, Experian, TransUnion) — this is free and prevents criminals from opening new accounts in your name
  2. Set up fraud alerts on your credit file
  3. Monitor financial statements for unauthorized transactions
  4. Watch for targeted phishing emails referencing your health or ancestry — attackers may use leaked genetic details to craft convincing scams
  5. Be alert for medical identity theft, where someone uses your information to obtain healthcare services or prescriptions

5. Alert Family Members

Because genetic data inherently involves relatives, notify close family members that your genetic information may have been exposed. They share your genetic markers and could be affected by discriminatory uses of the data even if they never took a DNA test themselves.

The Legal Landscape: What Protects You (and What Doesn't)

GINA: The Genetic Information Nondiscrimination Act

Enacted in 2008, GINA prohibits health insurers from using genetic information to make coverage decisions and bars employers from using genetic data in hiring, firing, or promotion. These are meaningful protections, but GINA has critical gaps.

What GINA Does Not Cover

GINA does not apply to life insurance, disability insurance, or long-term care insurance. Companies in these sectors can legally use genetic information to deny coverage or set higher premiums. GINA also does not regulate the military, employers with fewer than 15 employees, or consumer genetic testing companies themselves. The law protects you from discrimination — it does not prevent your data from being collected, sold, or leaked.

Other Legal Gaps

Some states have enacted stronger genetic privacy laws, and more than two dozen states sued 23andMe during its bankruptcy. But there is no comprehensive federal law governing consumer genetic data. HIPAA, which many assume applies, typically does not — consumer testing companies are generally not covered entities, meaning your genetic data has fewer legal protections than your medical records at a doctor's office.

Long-Term Risks of Genetic Data Exposure

The consequences of a genetic data leak can unfold over years or even decades:

  • Insurance discrimination: While health insurers cannot use genetic data under GINA, life insurance, disability insurance, and long-term care insurers can — and in some cases do
  • Employment risks: Though GINA prohibits employer discrimination, enforcement is difficult when leaked data circulates on the dark web
  • Targeted scams: People with genetic predispositions to certain conditions may be targeted with fraudulent treatments, supplements, or clinical trial scams
  • Familial exposure: Relatives who never opted in to genetic testing can be identified, located, or profiled based on a family member's leaked data
  • De-anonymization: Supposedly anonymized genetic datasets can be re-identified by cross-referencing with public genealogy databases
  • Future unknowns: As genetic science advances, today's raw data may reveal far more in the future than it does now

How to Protect Yourself Going Forward

Whether or not your genetic data has been leaked, these practices reduce your risk:

  1. Think carefully before testing: Consider whether the ancestry or health insights are worth the permanent privacy trade-off
  2. Read privacy policies: Before submitting a sample, understand what happens to your data if the company is acquired or goes bankrupt
  3. Opt out of research and matching: If you do test, disable DNA Relatives features and opt out of research programs
  4. Use a unique email and strong password: The 23andMe breach succeeded through credential stuffing, in which attackers log in with username and password pairs taken from other breaches, so any reused password was enough. Use a password manager to generate a unique, strong password for every service
  5. Request sample destruction: After receiving your results, request that the company destroy your physical saliva or DNA sample
  6. Monitor your digital footprint: Services like PrivacyOn provide continuous dark web monitoring that alerts you when your personal information appears in new breaches or on hacker forums. Combined with data broker removal, PrivacyOn reduces the personal information available to bad actors, making it harder to cross-reference leaked genetic data with your identity

The Bottom Line

Genetic data is the most personal information you can share with a company, and current laws have not caught up with the risks. The 23andMe saga — from a breach affecting nearly 7 million users to a bankruptcy that put 15 million customers' DNA in play — shows how fragile corporate data protection promises really are.

If your genetic data has been compromised, act quickly: delete your accounts, secure related credentials, freeze your credit, and alert your family. Once your DNA data is out there, you cannot take it back.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
