It’s 10 p.m. Do you know where your DNA data is?
By 
Delete your account. But for real.
23andMe has declared bankruptcy, which means all of its customers’ DNA data and saliva samples are on the market. Most of the data was swept up in a massive breach a couple of years ago, but samples are still out there.
California Attorney General Rob Bonta said in a consumer alert last week that residents should “consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material” the company has.
Bernstein of the Electronic Privacy Information Center said any concerned 23andMe customers should delete their data, request that their saliva sample be destroyed and revoke any permissions they may have given to use their genetic information for research.
I’m not going to denigrate people who use these services. But when home DNA collection kits come up in conversation I will explain why they’re a bad idea. At length. Until my audience falls asleep, flees or gives me food to make me stop talking. (Also, health apps not covered by HIPAA. Especially the ones that track menstruation, as Imani Gandy warned a few months back.)
However, I will say that the company is not being as straightforward as it could and should be.
In an FAQ about the bankruptcy posted on its website, 23andMe said a new owner would have to abide by “applicable law” governing the use of user data, but data privacy experts say there isn’t much on the books.
Meaning, what? As the article explains HIPAA doesn’t apply because the company isn’t subject to HIPAA rules. I think this is where even savvy people get confused, hence I’m not going to waste time ragging on people who use DNA kits or health apps. People are aware that there’s a law that protects medical information, DNA is medical information, therefore it must be protected by that law. They don’t know that there’s another part to the law. And there’s also GINA, but that prevents employment discrimination. Again, not relevant.
23andMe also says any genetic data it shares with researchers is stripped of identifying information, such as names and birth dates. In its bankruptcy FAQ, the company said it hopes to “secure a partner who shares in its commitment to customer data privacy.”
But if the highest bidder doesn’t share that commitment? Whoospie doodle, I guess.
Delete your account. If you don’t have an account, tell your friends and relatives who do.
