A few years ago, mailing off a tube of saliva to 23andMe felt like the future. You could learn about your ancestry, your genetic risk for heart disease or diabetes and maybe even connect with long-lost relatives.
Georgia Attorney General Chris Carr is now imploring residents to delete their data and accounts, after the company filed for bankruptcy this week.
With its bankruptcy filing, “this sensitive data could be considered an asset, and as such, it could be sold or transferred to a third party,” Carr’s office wrote in a statement. “For this reason, the Attorney General’s Consumer Protection Division urges Georgians to review their privacy options and strongly consider deleting their accounts.”
Emalyn Cork, a genetic counselor at Emory Healthcare and instructor at Emory School of Medicine, isn’t surprised by the headlines.
“This is something clinical genetics has been screaming about for years,” she said in an interview with The Atlanta Journal-Constitution. “It was never really about the reports people got back — it was always about the data. People were essentially selling their genetic data for $100, and what they got in return was, to me, not valuable. It’s not medically actionable.”
Cork, who works in clinical genetics, stressed that 23andMe’s reports are like comparing a smartwatch to a hospital monitor. The data can be interesting, maybe even helpful, but it’s nothing compared to clinical-grade testing.
So what happens to the data 23andMe has collected from more than 15 million users?
Unlike health care providers, the company isn’t bound by HIPAA, the federal law that protects your medical privacy. Instead, only limited federal protections apply — most notably, the Genetic Information Nondiscrimination Act, which prevents employers and health insurers from discriminating based on your DNA. But even GINA has its gaps. For instance, it doesn’t cover individuals in the military, and it doesn’t apply to long-term care or disability insurance.
“There’s just not enough federal protection,” Cork said. “Legally, a new buyer could access and use your data in ways we may not fully understand for years.”
Worried about your DNA data? Here’s what you can do
Experts are urging users to take action now. If you’ve used 23andMe and are concerned about where your data might end up, here’s how to protect yourself, according to the Georgia Attorney General’s Consumer Protection Division.
- Go to 23andMe.com and sign in to your account.
- Click on your profile in the upper righthand corner of the site, then click “Settings.”
- Scroll to the section at the very bottom of the page called “23andMe Data” and click the oval button that says, “View.”
- Check the boxes of any data you would like to download and click “Request Download.” This step is optional and can take up to 30 days. You can continue with the following steps while you wait.
- Scroll to the bottom of the page and click the red button that says, “Permanently Delete Data.”
- You will receive an email with the subject line “23andMe Delete Account Request.” Open it, and click the button that says, “Permanently Delete All Records.” Your data will not be deleted unless you complete this step.
For additional information on how to delete your 23andMe account, visit the following page on the company’s website: Requesting 23andMe Account Closure.
“If you’re concerned, delete it,” Cork said. “They say it’s permanently removed. We have to take them at their word — but it’s the safest step you can take.”
If you’re still interested in learning about your health through genetics, Cork recommends skipping the gimmicks and looking to clinical-grade labs like Invitae or Color Genomics.
“They’re considered HIPAA-covered agencies, and the tests are more accurate,” she said. “It might cost a little more up front, but your privacy is far better protected.”
Cork’s final note: “Your DNA is the most personal data you have. It’s worth more than a hundred bucks — and it deserves to be protected like it.”
About the Author
Keep Reading
The Latest
Featured