23andMe: The Gift That Keeps on Giving

December 20, 2023 • Posted in Blog
Joyce A. Shelton, Ph.D.
Professor of Biology Emerita
Trinity International University

23andMe is a leading provider of personalized genetic testing (screenshot of product above). For $229 and a test tube of spit, anyone can have their DNA analyzed and receive direct reports on their ancestry, genetic traits, health risks and predispositions, carrier risks and more. Consumers are also invited to share their genetic information with relatives and healthcare professionals, and they can choose to have their “de-identified” data shared with pharmaceutical and medical research companies for the development of new drugs and treatments. About 80% of consumers agree to share their personal data. Exploring the implications of one’s genetic profile is extremely popular. 23andMe reports earnings of over 300 million dollars in 2023 and boasts 14 million customers.

Recently, the vast 23andMe genetic database was hacked and the genetic profiles of 6.9 million customers were stolen. Data compromise was perhaps inevitable despite claims that their privacy statement is one of the strictest and their cybersecurity is strong. Companies that have data sharing of any kind baked into their services are vulnerable, no matter what they say. If you or your relatives have ever had your DNA analyzed or have had any thoughts about doing so, this data hack should be of concern to you.

The 23andMe data breach affords an excellent opportunity to consider the concerns around sharing our personal genetic information, most of which have to do with confidentiality. Journalist Charles Seife encapsulates the issue, describing 23andMe’s personal genome service as beyond medical: it is “a one-way portal into a world where corporations have access to the innermost contents of your cells and where insurers, pharmaceutical firms and marketers might know more about your body than you know yourself.” Yes, yikes!

Most consumers are not very savvy about issues of privacy when it comes to data sharing. They frequently share their names, email addresses, bank card account numbers, social security numbers, and much, much more personal information on the internet with no qualms whatsoever. They simply do not realize that personal genetic data is unique among all these other things. It is the ultimate identifier. Not only is it the most intimate, immutable, individual information that you own, but sharing it also reveals private details about your relatives, perhaps without their knowledge or consent. Likewise, your relatives who have shared their DNA have revealed private information about you.

Privacy statements are designed to protect the provider of service, not you. We have all encountered, and signed without reading, insanely long, complex privacy statements on websites, before doctor visits, and from social media. These entities can do pretty much anything as long as they put it in their privacy statement, and they are banking on consumer ignorance. Moreover, privacy policies by corporations are subject to change. In the aftermath of the recent hacking, 23andMe quickly announced changes to their terms of service, requiring that all complaints be handled individually through arbitration, ostensibly to “encourage a prompt resolution of any disputes,” but one could reasonably question if it was done to prevent costs and public accountability for the data loss by banning lawsuits of any kind.

When you send off your spit to be analyzed, you completely lose control of any data it generates. While the company may claim that you can opt out of sharing your genetic information at any time, there is no guarantee that data already given to research partners will be pulled back, nor do you receive any proof that data sharing has been discontinued. The current rules and regulations regarding use of genetic data are inadequate. Laws enacted 15 years ago through the Genetic Information Nondiscrimination Act regulate the use of genetic data by employers and insurance providers. They do not apply to personal genome companies. 23andMe also claims that use of their database “does not constitute research on human subjects”, which essentially declares that they are not subject to regulations that protect the rights of research subjects. Research companies pay a premium to 23andMe for the use of their database, income that increases their profits way more than the purchase of test kits. So, while it may seem altruistic to share your information toward advances in medicine, when it comes to safeguarding your welfare, it is valuable to remember where loyalties lie.

The hackers of 23andMe have already offered the genetic and non-genetic personal data they scraped for sale on the internet. 23andMe is in recovery mode, claiming to have enhanced their security and offering their kits at a 40% discount for Christmas. But the horse is out of the proverbial barn and no amount of repairing the door will retrieve it. A 23andMe personal genome kit may sound like an entertaining and relatively inexpensive gift for family, friends or yourself this year. My advice is to consider an ugly Christmas sweater instead and be careful with whom you share your priceless genetic data.

The Tennessee Center for Bioethics & Culture encourages respectful discussion and debate of bioethics issues, and strongly supports freedom of speech. To that end, we invite and welcome other voices to the discussion of bioethics issues. Invited authors’ views are their own, and do not necessarily represent those of The Tennessee Center for Bioethics & Culture.