Why I’m Not Deleting My 23andMe Genetic Data

Various corners of the media and internet are hyperventilating over the alleged genetic privacy implications of the imminent Chapter 11 bankruptcy of the direct-to-consumer genetic testing company 23andMe.

“Delete your DNA from 23andMe right now,” yelps a headline over at The Washington Post. Why? “Unless you take action, there is a risk your genetic information could end up in someone else’s hands—and used in ways you had never considered,” ominously warns Post journalist Geoffrey Fowler. NPR reports that Suzanne Bernstein, counsel at the nonprofit Electronic Privacy Information Center, advises that any concerned 23andMe customers should delete their data, request that their saliva sample be destroyed, and revoke any permissions they may have given to use their genetic information for research. “This is just the first example of a company like this with tremendous amounts of sensitive data being bought or sold,” she added. California Attorney General Rob Bonta urgently issued a consumer alert reminding “Californians of their right to direct the deletion of their genetic data under the Genetic Information Privacy Act (GIPA) and California Consumer Privacy Act (CCPA).”

Calm down, people. Genetic data are not especially toxic or extraordinarily dangerous. Nor are the privacy implications all that dire, especially compared to other widely available and easily deployed surveillance tools. It is true that your genome is a permanent and immutable marker of your personal identity, but so too are your fingerprints and your face. The FBI’s Next Generation Identification system contains the fingerprints of more than 186 million criminal, civil, and military individuals. (As a twenty-something, I worked briefly as a federal bureaucrat, so my fingerprints are definitely in the system.) While fingerprints have to be collected onsite and compared using offsite databases, facial recognition cameras with real-time database matching can become ubiquitous, able to track you nearly everywhere you go in public. Your face may be your passport, but it’s also your snitch.

Another often-expressed concern is that your genetic data could be used to identify relatives who have committed crimes. Police are now regularly using forensic genetic genealogy to identify suspects. They compare a DNA sample from a crime scene with commercial DNA databases, searching for genetic similarities among customers who may be relatives. Genealogists then identify likely suspects by cross-referencing the genetic data with traditional genealogical sources, such as census records, birth and death certificates, and so forth. It is worth noting that 23andMe requires a warrant to release customer data to the police, unlike some other direct-to-consumer genetic testing companies. In addition, the FBI’s National DNA Index contains over 18,135,382 offender profiles, 5,774,055 arrestee profiles, and 1,391,726 forensic profiles as of January 2025.

Data deletion alarmists point out that 23andMe suffered a data breach in 2023 in which the records of nearly 7 million of its customers were stolen by a hacker. Sounds bad, but do you know who else suffered recent data breaches? Hospital and medical records companies: some 2.7 million patient records held by ESO Solutions; 9 million held by medical transcription firm Perry Johnson & Associates; 8.5 million at Welltok; and 11 million at HCA Healthcare. All of these were just in 2023. Overall, healthcare breaches exposed 385 million patient records between 2010 and 2022.

Hackers typically demand a ransom to decrypt pilfered files, but often also engage in double extortion by threatening to publicly release them. Medical records companies pay because they fear that data exposure can lead to legal consequences, regulatory fines, and reputational damage. Much less commonly, hackers try to blackmail individual patients. A couple of such instances involved attempts to blackmail patients at a Finnish mental health clinic and a Florida plastic surgery practice.

Compare the consequences of these non-genetic database breaches to how information from the 23andMe data breach could supposedly be misused. One suggestion is that your genetic data might be used to blackmail you. If you’ve committed an unsolved murder or a rape or have produced stray progeny, you might worry about the prospect of blackmail. Data such as names, addresses, and birth dates stored by 23andMe might be used to impersonate you, but that is not a risk particular to the genetic information collected by 23andMe. More far-fetched is the notion that your genetic data might somehow contribute to the creation of a bioweapon.

But what about genetic discrimination? The Genetic Information Nondiscrimination Act of 2008 (GINA) forbids employers and health insurers from requiring genetic data from you or using it to discriminate against you. For example, health insurers may not use genetic information to determine if someone is eligible for insurance or to make coverage, underwriting, or premium-setting decisions.

However, GINA does not cover life, disability, or long-term care insurance. So far, Florida is the only state that forbids life and long-term insurance providers to cancel, limit, or deny coverage or establish differentials in insurance rates based on genetic information. In any case, no life insurance companies so far require any genetic testing or access to direct-to-consumer genetic data when issuing policies. They can, however, consider any genetic data that is included as a matter of course in a person’s medical records, which somewhat paradoxically can lead to insights about a patient’s genetics.

Let me use myself as an example. A few years back I was seeking to purchase some additional life insurance, which involved disclosing my medical records, a physical exam, and some blood tests. Based on a specific blood test revealing slightly elevated NT-ProBNP levels, the company doubled its offered premium. I turned down the insurance, but I was intrigued by the data suggesting possible heart failure.

To make a long story short, MRIs found that I did have a touch of hypertrophic cardiomyopathy (HCM) that has very slightly thickened the walls of my left ventricle. Initial genetic testing by Invitae reported an inconclusive test result showing a change in the TNNC1 gene that may or may not cause or contribute to HCM. Subsequent evaluation eventually concluded that the variant does contribute to HCM. Hopefully, the information about my TNNC1 variant will be of use to others in the future. The good news is that the interaction of that genetic variant with my environment has resulted in a very mild version of the malady, such that my cardiologist assures me my HCM genetics is not what is going to kill me.

More cases of non-genetic medical tests uncovering genetic contributions to ailments are already on the way. For example, recent very accurate blood tests can diagnose the development of Alzheimer’s disease years in advance, whereas tests for gene variants associated with late-onset Alzheimer’s identify increased risk of the malady. For what it’s worth, my 23andMe test results tell me that I do not carry the Alzheimer’s high-risk APOE4 variant. So far as I can tell, no life or long-term care insurance companies are requiring such blood tests yet, but given my NT-ProBNP experience, they will likely include them soon. And insurers doubtlessly will now take Alzheimer’s blood test results into account if they turn up in your medical records.

Let’s consider privacy with respect to medical versus genetic data. All of us experience some self-consciousness about the infirmities and illnesses that inevitably afflict us. That self-consciousness stems partially from the fact that none of us wants to be regarded by others as weak and incompetent, unable to pull our own weight. Our medical records document the toll that time takes on our bodies. So privacy protections (the damnable Health Insurance Portability and Accountability Act—a topic for another time) are supposed to provide us with some measure of control over what we reveal to others as we curate our public images as independent and capable agents.

But how self-conscious should a person be about their genetic information? I interviewed Michael Cariaso, developer of the online genetic analysis tool Promethease, for my 2011 article on the early days of direct-to-consumer genetic testing. Asked why he had not publicly posted his genetic testing results, he responded, “someone later might discover that I have genes for a short penis and low intelligence.” Undeterred by similar concerns, I posted online my 23andMe genetic screening results at SNPedia, where I invite anyone to review my numerous genetic flaws.

My 23andMe health predisposition reports suggest that I have gene variants that put me at higher risk for coronary artery disease, gallstones, non-alcoholic fatty liver disease, atrial fibrillation, and severe acne. I list those specifically because I have recently had medical tests that show no coronary artery blockages, no gallstones, a normal liver, and a regularly beating heart. I confess that I had a morbidly bad case of acne back in high school. With respect to the other high-risk variants identified by my genetic screening tests, none have resulted in any noticeable illnesses as yet. Other genes (certainly not my clean living) not sequenced or identified yet by 23andMe are likely counteracting the deleterious effects of the higher-risk variants.

Clearly, I think that the deletists’ claim that the genetic information held by 23andMe is especially “sensitive” is wrong. I invite my fellow 23andMe customers to consider why nearly 80 percent of you agreed to participate in 23andMe research efforts. Besides hoping to gain some insights about yourself, you also want to help advance medical science. The company may or may not survive, but its stored genetic data remains a scientifically and medically valuable resource that some other research firm or institution may use to help develop new treatments and cures. Keep that in mind and resist being panicked into deleting your data for some speculative gain in privacy.
