by Joyce A. Shelton, Ph.D.
Professor of Biology Emerita Trinity International University
23andMe, the personal genetic testing company is drowning. Around this time a year ago, we wrote about the massive database hack in which the genetic profiles of 6.9 million 23andMe customers were stolen and offered for sale on the internet, a severe attack on their privacy. Since then, the once thriving company has been on a steadily downward trajectory. Pretty quickly they were hit with a $30 million class action lawsuit resulting in $10,000 individual payouts to victims. Two months ago their stock was in serious trouble and their entire board of directors resigned except for their CEO, Anne Wojcicki. This month they announced a 40% layoff of personnel along with the news that they were discontinuing all of their drug therapy development programs. It’s no wonder that their new customer enrollment and annual income are also way under water.
Should the decline of 23andMe concern you?
If you or any of your relatives thought (along with 14 million other consumers), that it was a harmless lark to buy one of their testing kits, spit into one of their tubes, and send it off for analysis so that you could learn some cool things about your ancestry and DNA make-up, the answer is a resounding YES. 23andMe now owns your personal genetic information. After their data hack last year, they had to admit that their security was lacking for the storage of this very private information and they claim that they have now beefed it up. All well and good, but all bets are off now that the company’s future existence is insecure. Anne Wojcicki has said she wants to retain ownership of the company and take it private, but she also acknowledged that she has considered selling it. In either case, restructuring or a complete re-envisioning of the company under new ownership could lead to major concerns regarding the continued security and privacy of their former customers’ stored genetic data.
What can you do at this point?
First, if you have been a customer, consider closing your account and deleting your genetic data from 23andMe as soon as you can, while you still can, and encouraging your relatives and friends to do the same. The 23andMe website provides a procedure for doing so. You are trusting them, with no means of verification, to take the good faith action of erasing your genetic profile and tossing out your spit sample. Note their caveat that If you participated in 23andMe Research, your Personal Information will no longer be used in any future research projects….We will retain limited information about you, including records of this deletion request, and other information as required by law and otherwise described in our Privacy Statement (emphasis added). Translated, this statement means that your genetic data and your non-genetic personal information are not entirely removable, but, regrettably, this action is your best available option. Second, be wary about sharing your genetic data again if you have already done so, or sharing at all if you haven’t yet. Data privacy simply cannot be guaranteed. The business of collecting personal genetic information is lucrative and exceedingly useful for medical/pharmaceutical research and development and forensics. This means that there are still many direct-to-consumer personal genetic data companies (Ancestry.com, MyHeritage and Color Genomics, to name a few) as well as many other organizations and initiatives that are alive and well, and continuously seeking more personal genetic information for their ever-expanding databases.
You may not have control over who has access to your records.
Digital database security breaches are increasing in frequency. In addition, companies like 23andMe are not covered by HIPAA (patient privacy) laws, because they are not medical providers. Nor are there any other robust legal boundaries on their actions. Corporate terms of use and confidentiality statements tend to protect the interests of the service provider–not the consumer– and can be changed on short notice, particularly when a company changes hands. The Genetic Information Nondiscrimination Act (GINA) is meant to protect individuals from employers and health insurers who would use genetic test results to discriminate against them. There are, however, some notable exclusions from GINA oversight, which include life insurance, disability, and long-term care insurance. Whether or not 23andMe disappears, serious concerns regarding infringements of privacy and autonomy and the use of personal genetic information without true informed consent will not be disappearing any time soon.
The downfall of 23andMe serves as both a lesson and a warning. It is natural to want to know more about who we are and who our ancestors were. Genetics gives us a window into that knowledge, but seeking it can come with a cost. We should be aware that our genetic information is the ultimate individual identifier and, as such, it is invaluable private information that should not be shared lightly with entities focused primarily on self-gain, however altruistic their rationales may sound. Keep it to yourself.
The Tennessee Center for Bioethics & Culture warmly welcomes new board member, Joyce A. Shelton, Ph.D.
See related CNBC video here:
