Deleting Your 23andMe Data Isn’t Enough — Make Sure You Do This First

You probably don’t want your genetic data — which can reveal health information and at-risk medical conditions — out there for just anyone to see, but that is the fear for many folks right now as 23andMe, an online genetic testing company, announced it’s filing for bankruptcy.

The company has more than 15 million users who have used the service to learn more about their ancestral history and genetic health. Meaning, the company has lots and lots of valuable and highly personal data that is now at risk of being sold to another company, which is not a good thing.

The company has demographic data, in addition to potential information on your genetic health risks and mental health conditions.

Kevin Johnson, the CEO of Secure Ideas, a security testing and consulting company, worries about the wrong hands getting ahold of this health information. For instance, a health insurance company that gains access to this info could potentially refuse to cover your medical benefits after seeing your health risks, Johnson noted, and the same can be said for a life insurance company.

The clear best thing to do here is delete the data that 23andMe has on you, which has been suggested by many folks, including the California attorney general and the experts who spoke to HuffPost. But there is more to consider when it comes to this potential cybersecurity and health security risk. Here’s what experts say:

Before deleting your account, you should opt out of whatever settings you see fit.

While it is suggested that you put in a request to have your 23andMe data deleted, there are a few things you should do first.

If you don’t want your personal information potentially transferred to a third party, you should log into your 23andMe account and opt out of the privacy and data-use settings you see fit, said Chris Pierson, the CEO of BlackCloak, a cybersecurity company.

There are multiple items that you can opt in to or opt out of such as research participation, storage of your DNA sample, communication preferences, genetic health risk info and more, he said.

“23andMe has a very robust privacy policy and the ability to opt in or opt out at a very, very granular level on those items, which is to the customer’s benefit,” Pierson added.

So, before you request that your data and account be deleted, you’ll want to log into your account, go to your settings and see what you’re opted in and opted out for and “change your settings so they reflect what you actually would like to have happen. That way it’s saved to your account,” he noted.

And you should download the data you want to keep.

You likely signed up and paid for 23andMe to learn something about yourself. If you still want to have a record of this data, Pierson suggests that you download your data from the app before going through with the deletion request.

“Now, the only caveat to that is if you’re going to download that data, make sure that you are able to store it in a secure place. Make sure your email has dual-factor authentication turned on to it so somebody can’t simply steal that data or that information from your email account or from your computer,” he said.

Once this is done, you should delete your 23andMe data — but deleting it doesn’t mean this data is totally gone from the internet.

Experts told HuffPost that it’s worthwhile to delete your 23andMe data.

You can do this in the settings tab of the app, where you’ll find the “23andMe data” section. Here, you can select delete data and then permanently delete data. This is the most the average person can do, but will requesting the deletion of your data actually mean it’s totally gone? Some experts say yes, it should, while others aren’t so sure.

Pierson falls in the camp of yes: “Any company that allows for the deletion of data is entering into a contract with you, the consumer, by which, if you request your data be deleted, then the company must follow through on that requirement and on that promise, and so they must delete the data,” and added that companies do data backups periodically, so it may take some time for all of your data to be gone.

But since our data is in lots of places, Alex Hamerstone, the advisory solutions director for TrustedSec, an ethical hacking company, is unsure if deleting your data really does much. “A lot of companies with whom we share our data also share it with other companies,” Hamerstone said. For instance, oftentimes when there’s a data breach, it’s a breach of the service provider a big-name company was using, Hamerstone explained.

Deleting your data from 23andMe is no doubt a good idea, but that information could still be out there with other companies. “If you asked to have your data removed, even if they make a best effort in good faith, what if they don’t actually know everywhere that data is? What if it’s been replicated, or is on different servers, or there’s backup, so who knows if it’s actually ever possibly even deleted?” Hamerstone said.

This doesn’t mean it’s not worth trying to have that data deleted, and it doesn’t mean you should wait and see how the bankruptcy unfolds. “Any kind of highly personal data that you can get deleted at any time, you should go for it,” Hamerstone added.

It’s worth noting, though, that 23andMe had a data breach in 2023, so some of this health and ancestral data is already leaked.

Johnson is also unsure if deleting your data means it will totally go away, but said it’s worth a try; while 23andMe’s privacy policy says they won’t sell your data, this doesn’t mean that the company who potentially buys 23andMe also won’t sell your data.

Understand that some of your data may already be past the deletion point.

“At this point in time, if your data is part of an asset purchase, if your data is part of a merger and acquisition, it most likely has already been transferred in an aggregate, de-anonymized form or fashion to a third party for analysis on valuing the company and valuing it in bankruptcy,” Pierson said.

This is most likely not full health records, but instead de-anonymized information in which identifiers like your full name and address are removed, he explained. And it’s likely this has already been done as part of the bankruptcy proceedings.

There isn’t much you can do about this at this point in time. “As a part of almost all privacy policies, there’s merger and acquisition language that is included, and that language is meant to allow for certain types of data to be transferred during those types of business processes. So that’s already all there and all part of what people have agreed to as a part of using the service,” noted Pierson.

“These are all going to be business-marker type of information, as opposed to specifics about any one person or individual,” said Pierson.

Moving forward, consider the risk and reward when signing up for new technology.

“Every single time we try to do something new with technology, there is a positive and a negative aspect to it. And we hope that, in the long run, the positive outweighs the negative,” said Johnson, “but sometimes, like this, there’s the thing you didn’t really think about. And bluntly, when I first gave the data to 23andMe, I didn’t consider the risk of them selling the company.”

Moving forward, it’s important to consider the benefit you expect to get from new technology and if it’s worth potential cybersecurity risks.

For those who connected with long-lost family or learned important genetic health information from 23andMe, it likely was worth the risk. But, for someone who just used the service for fun, it may not have been worth it.

“Did it outweigh the risk of this happening for you? That’s the question you need to ask yourself,” Johnson said.

As for the sites you’ve already signed up for, consider the data they already have. Particularly think about the DNA data that may be out there on other sites, such as Ancestry.com, Johnson said. If you’re worried about your DNA data on 23andMe, it’s worth being concerned about it on other sites, too.

