Is your genetic data truly secure with direct-to-consumer DNA testing companies? What happens to your DNA information when these companies face financial troubles or security breaches?

23andMe’s problems of late highlight the risks of entrusting sensitive genetic information to private companies. From data breaches affecting millions of customers to financial struggles threatening the company’s survival, the situation raises serious concerns about genetic privacy and security.

Keep reading to learn about 23andMe’s recent problems and what they mean for the future of consumer genetic testing.

23andMe Problems & Implications

Mounting problems are plaguing 23andMe, the Silicon Valley firm that previously rose to stardom. Financial struggles and a recent data breach raise concerns about the security of millions of customers’ genetic information and could prompt stricter oversight of genetic data handling in the industry. Meanwhile, the company’s business model, which relies on one-time DNA test purchases, has led to a shrinking customer base.

We’ll look at 23andMe’s rapid rise and downward spiral, the risks customers face as the company struggles to survive, and how 23andMe’s challenges might reshape the future of consumer genetic testing and data privacy.

Context 

Founded in 2006, 23andMe quickly rose to prominence in the direct-to-consumer genetic testing market by tapping into a fundamental human curiosity: understanding one’s genetic roots. The company offered customers unprecedented insights into their ancestry, ethnic background, and potential disease susceptibility, unveiling previously inaccessible family histories and genetic traits.

23andMe’s business model centered on a one-time purchase of a DNA testing kit, making genetic information widely accessible. Customers simply bought a kit, sent in a saliva sample, and received detailed reports on ancestry and potential health risks. This straightforward approach fueled 23andMe’s initial success, attracting 15 million customers since its founding. But the model that drove the company’s rapid growth has contributed to its current challenges.

(Shortform note: According to entrepreneur Steve Blank in his book The Four Steps to the Epiphany, a startup’s business model should be shaped by the customer development process. Customer development prioritizes understanding customers and their needs from the very beginning. It isn’t simply a sales or marketing process but a distinct set of activities aimed at proving market existence, verifying customer willingness to pay, and creating the market itself. It’s a process of learning about your customers and their problems, which Blank argues should occur as early in the startup process as possible. In his book, Blank highlights some of the ways in which relying exclusively on product development—without customer development—can lead startups to fail.)

23andMe’s Problems 

23andMe’s rise has been followed by a series of challenges that threaten its existence. These include:

  • Financial troubles. The company has never turned a profit in its 18-year history and faces declining sales due to increased market competition. In the first quarter of 2024, 23andMe’s revenue dropped 34% from a year earlier, to $40 million. These factors have contributed to a major stock price decline since the company’s 2021 public debut at a $6 billion valuation, with shares falling from $10 to less than $1 each. The company’s market value has plummeted to approximately $150 million, and it’s at risk of being delisted from the stock exchange.
  • Data breach. In September 2024, 23andMe settled a $30 million class action lawsuit for a 2023 data breach that potentially compromised the personal information of 6.9 million customers.
  • Leadership crisis. A week after the data breach settlement, seven of 23andMe’s eight board directors resigned, citing frustration with the company’s direction. The one remaining member, CEO Anne Wojcicki, subsequently proposed taking the company private at 40 cents per share before quickly reversing course, underscoring the uncertainty around 23andMe’s future and leadership strategy.
  • Shrinking demand and failed diversification. The company faces a shrinking pool of potential customers, as most people who take its genetic test have no need for repeat testing. To counter this, 23andMe attempted to diversify by offering premium subscriptions and entering the telehealth market.

What This Means for Customers 

The challenges facing 23andMe raise significant privacy concerns for users. Federal health privacy laws such as HIPAA don’t apply to direct-to-consumer genetic testing companies, which means customers’ genetic data has limited legal protections. Further, genetic information, unlike other personal data, can’t be changed if compromised, exposing users to potential privacy risks that could last a lifetime.

(Shortform note: In Our Bodies, Our Data, Adam Tanner explains that HIPAA protects only health data with identifiable info and applies only to providers, payers, and clearinghouses [so-called “covered entities”]. Other parties can bypass this with a loophole. Tanner also contends that there’s a general public indifference about privacy. A majority of people don’t opt out of anonymized sharing when given the option. Also, sites such as Facebook and Google train people to expect a lack of privacy in their everyday life.)

Complicating matters further, while most 23andMe customers agree to include their genetic information in medical research, many may not fully grasp the scope of this consent: A 2017-2018 survey revealed that over 40% of users were unaware the company was analyzing and sharing their data.

In light of 23andMe’s uncertain future, privacy advocates are urging customers to close their accounts and request the company delete their personal data. This precaution aims to mitigate risks if the company is sold or faces bankruptcy—situations where customer data could change hands or be at increased risk of exposure. 

However, 23andMe is legally required to retain certain information even after deleting user accounts, including genetic data, date of birth, and sex—limiting customers’ ability to fully remove sensitive information from company databases.

Long-Term Implications

23andMe’s uncertain future raises questions about the long-term privacy and security of customers’ genetic data. As DNA analysis technology advances, the company’s vast database could reveal new health information from existing DNA data—potentially beyond what users initially consented to share. This technological evolution, combined with 23andMe’s recent security breaches and financial instability, could trigger increased regulatory scrutiny and new laws governing genetic data management.

The company also faces growing pressure from law enforcement agencies seeking access to its genetic database. Since 2015, 23andMe has received subpoenas demanding genetic data for 15 individuals, though the company asserts it’s resisted these requests and maintains a policy against granting police access to its database. 

As 23andMe’s financial struggles continue, the pressure to monetize its valuable data assets or comply with legal demands may intensify, further jeopardizing customer privacy and potentially reshaping the future of consumer genetic testing.

Reflection & Discussion Questions

  1. How might our attitudes toward sharing genetic data change if we fully understood the long-term implications of this information being stored by private companies?
  2. What responsibility do companies like 23andMe have to protect customer data beyond their legal obligations, especially considering that genetic information, unlike passwords or credit card numbers, can’t be changed if compromised?
  3. Should genetic testing companies be required to operate under stricter privacy regulations similar to HIPAA, or is the current self-regulatory approach sufficient?
  4. How do we balance the benefits of large-scale genetic research, which could lead to medical breakthroughs, with individual privacy rights and data protection?
  5. What lessons can other tech companies learn from 23andMe’s business model challenges, particularly regarding the limitations of products that only need to be purchased once?
  6. Given the increasing pressure from law enforcement to access genetic databases, how should companies navigate the competing interests of public safety and customer privacy?
Mounting 23andMe Problems Point to an Uncertain Future

Elizabeth Whitworth
