On March 23, 2025, 23andMe, a pioneer in direct-to-consumer genetic testing, filed for Chapter 11 bankruptcy protection in the U.S. Bankruptcy Court for the Eastern District of Missouri, signaling the end of a tumultuous chapter for the company once valued at $6 billion in 2021. The filing came after years of financial struggles, a 2023 data breach exposing the personal information of nearly 7 million users, and a leadership crisis that saw CEO Anne Wojcicki and the entire board resign in 2024. Wojcicki, who is now attempting to buy the company and take it private, has left 23andMe’s future uncertain, with a court-supervised sale process underway to maximize asset value. The company has secured $35 million in financing to continue operations during the sale, but its stock plummeted 50% to 88 cents on March 24, reflecting deep investor skepticism about its survival.
 

The bankruptcy raises significant concerns about the fate of the genetic data belonging to 23andMe’s 15 million customers, a massive database that includes ancestry details, health predispositions, and raw genomic sequences. The company’s privacy policy explicitly states that in the event of a bankruptcy or sale, personal information may be “accessed, sold, or transferred” as part of the transaction, a clause that has alarmed privacy advocates. While 23andMe insists there are “no changes” to how it currently manages or protects data, the potential for a new owner to rewrite these policies is a real threat. Possible buyers could include pharmaceutical giants like GlaxoSmithKline (GSK), which has already used 23andMe’s de-identified data for drug research, or less regulated entities that might exploit the information for profit—potentially leading to targeted marketing, insurance discrimination, or even law enforcement use, as seen in cases like the Golden State Killer investigation where genetic databases were accessed to identify suspects.
 

The lack of robust federal protections exacerbates these risks, as 23andMe is not subject to HIPAA, which governs healthcare-related data, leaving customers vulnerable to the whims of a new owner. The Genetic Information Nondiscrimination Act (GINA) of 2008 prevents health insurers and employers from using genetic data, but it doesn’t cover life, disability, or long-term care insurers, creating significant gaps. Some states, like California, have stricter privacy laws requiring consent before data transfers, and California Attorney General Rob Bonta has urged users to delete their data and destroy samples. However, even deletion isn’t foolproof—data already shared with research partners can’t be retrieved, and 23andMe retains certain information for up to three years to comply with legal obligations. This situation underscores a broader tension between commercial interests and individual privacy, echoing historical power struggles where personal autonomy is sacrificed for profit or control, much like the political maneuvers you’ve explored in other contexts. The fate of this genetic data will likely test the limits of privacy in the digital age, with outcomes that could range from benign research advancements to dystopian misuse.