Data Privacy, Data Security, Healthcare
Letter to Bankruptcy Trustee Says 23andMe’s Privacy Promises Must Carry Over

The Federal Trade Commission sent a letter to 23andMe’s bankruptcy trustees on Monday saying that any sale of the genetic testing firm or its assets will be subject to the company’s previous pledges to consumers involving the privacy and security of their sensitive information and biological samples.
FTC Chair Andrew Ferguson, in the letter to the U.S. trustees handling the administration of 23andMe’s bankruptcy filing, said the FTC has “interests and concerns” relating to the potential sale or transfer of millions of American consumers’ sensitive personal information.
23andMe filed for Chapter 11 bankruptcy protection on March 23 in a Missouri federal court (see: 23andMe Bankruptcy: What Does it Mean for Data Privacy?).
“As you may know, 23andMe collects and holds sensitive, immutable, identifiable personal information about millions of American consumers who have used the company’s genetic testing and telehealth services,” Ferguson wrote.
Data includes genetic information, biological DNA samples, health information, ancestry and genealogy information, personal contact information, payment and billing information and other information, such as messages that genetic relatives can send each other through the platform, he said.
“23andMe recognizes the unique sensitivity of the information it collects and maintains and has made direct representations to its users about how it uses, discloses and protects their personal information, including how personal information will be safeguarded in the event of bankruptcy,” he said.
That includes 23andMe in its privacy statement to consumers pledging that it does not share personal information with insurance companies, employers, public databases or law enforcement, absent a valid court order, subpoena or search warrant.
“The company also tells users that it restricts the use and sharing of personal information to what is necessary to provide its services, and that it shares personal information with a limited number of service providers who are contractually bound to protect the confidentiality and security of user personal information,” he said.
In addition, 23andMe’s medical record privacy notice promises that unless the company has received a consumer’s specific authorization, it will not disclose any of the individual’s genetic information as part of their medical record information to third parties, Ferguson wrote.
On top of that, 23andMe’s privacy statement says that if the company is involved in a bankruptcy, merger, acquisition, reorganization or sale of assets, “your personal information may be accessed, sold or transferred as part of that transaction and this privacy statement will apply to your personal information as transferred to the new entity,” the letter said.
“The FTC believes that consistent with Section 363(b)(1) of the Bankruptcy Code, these types of promises to consumers must be kept,” Ferguson wrote.
“This means that any bankruptcy-related sale or transfer involving 23andMe users’ personal information and biological samples will be subject to the representations the company has made to users about both privacy and data security, and which users relied upon in providing their sensitive data to the company,” he said.
“Any purchaser should expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies,” he said.
Neither 23andMe nor the U.S. trustees administering the company’s bankruptcy immediately responded to Information Security Media Group’s requests for comment on the FTC’s letter.
Previous Breach
23andMe is offering consumers the right to delete their data and revoke any consent individuals provided for their information to be used for research.
Some subscribers of 23andMe have already been affected by a hack. In October 2023, the company confirmed a credential-stuffing incident involving information scraped off the profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. DNA Relatives connects 23andMe users with distant genetic relatives – other 23andMe users who share bits of DNA (see: 23andMe Investigation Apparent Credential-Stuffing Hack).
The company said the intruder was able to access about 14,000 user accounts, less than 1% of the company’s existing 14 million 23andMe customers.
But threat actors claimed on the dark web to have stolen “20 million pieces of code” from 23andMe. According to media reports, the leaked data that was put up for sale pertained to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry (see: 23andMe Says Hackers Stole Ancestry Data of 6.9M Users).
Last fall, 23andMe agreed to a proposed $30 million settlement of about 40 consolidated class action lawsuits that were filed against the company related to the breach (see: 23andMe to Pay $30M for Credential Stuffing Hack Settlement).