Cathy McMorris Rodgers - Chair of the House Energy and Commerce Committee | Official U.S. House headshot
Congressional leaders have raised questions about the privacy and security of sensitive data held by 23andMe, following the genetic testing company's recent Chapter 11 bankruptcy filing. Congressman Brett Guthrie, alongside Congressmen Gus Bilirakis and Gary Palmer, expressed their concerns about the potential handling of Americans' personal information amidst the financial proceedings.
In a letter addressed to 23andMe, the lawmakers set out their apprehensions regarding customers' private data, citing the company's privacy statement. "According to 23andMe’s privacy statement, in a bankruptcy, customers’ ‘Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to [customer] Personal Information as transferred to the new entity.’ Additionally, a judge recently ruled 23andMe has the right to sell the sensitive medical and genetic information of its 15 million customers, which is considered to be the company’s most valuable asset. With the lack of a federal comprehensive data privacy and security law, we write to express our great concern about the safety of Americans’ most sensitive personal information."
The lawmakers' letter poses several inquiries to 23andMe about future plans regarding the protection of the data, in case it is sold as a standalone asset or as part of a larger sale. They are seeking clarity on the measures 23andMe plans to adopt to ensure compliance with its privacy statement and whether any changes to the privacy statement will be made before any data sale occurs.
Additionally, the congressmen are asking for details on how 23andMe will vet potential buyers of the information, the categories of data the company holds and may consider selling, and whether it has informed its customers of its bankruptcy status. They also inquired about customers' ability to delete their information and how many have already attempted to do so.
The letter also highlights the potential sale of information for which customers have requested deletion, asking if selling such data aligns with 23andMe's privacy policy and whether the company will de-identify personal information before any sale.
The discussion highlights potential gaps in federal data privacy protections, as direct-to-consumer companies like 23andMe are generally not covered by the Health Insurance Portability and Accountability Act (HIPAA), which protects health information when collected by certain covered entities.
The matter has gained attention as millions of Americans' personal, medical, and genetic information could potentially be accessed under the proceedings of 23andMe's bankruptcy case. The company's response to these questions and concerns remains to be seen as lawmakers await an answer.