Chapter 14: They Sold Your DNA Without Asking You
In October 2023, a hacker using the alias "Golem" posted one million stolen genetic profiles on a dark web forum. Every single profile belonged to a person of Ashkenazi Jewish descent. The price tag was one dollar per person. A few days later, the same hacker uploaded hundreds of thousands of profiles belonging to people of Chinese ancestry, offered at similar prices.
The stolen data came from 23andMe, the company where 15 million Americans had mailed their saliva, answered deeply personal health questions, and trusted a corporation to guard the most permanent information a human body produces. Within eighteen months, the company filed for bankruptcy. And the DNA of every one of those 15 million people became an asset in a corporate fire sale.
You need to sit with this for a moment. One dollar. Your genetic code, your ancestry, your health risks, your family connections going back generations, all of these things were worth less than a cup of gas station coffee to a criminal on the internet.
This story is about far more than a single company falling apart. The most personal information your body produces has no dedicated federal law protecting the people who hand their DNA over to private businesses. Companies holding your genetic material face almost no legal obligation to keep your data safe when they go broke. And your genetic data does not belong solely to you. Your spit in a tube exposed your parents. Your children. Your cousins and half siblings and distant relatives you have never met. None of them consented to a thing.
If you have ever taken a direct to consumer DNA test, or if anyone in your biological family has, this chapter will show you exactly what happened to all of the data, who wants access to your genetic information, and what you need to do about the situation right now.
What Your Spit Tube Actually Surrenders
When you mail a saliva sample to a company like 23andMe, AncestryDNA, or MyHeritage, you are sending them approximately three billion base pairs of genetic code. This is the complete biological blueprint of who you are, encoded in every cell of your body. Most of these companies run your saliva through something called an SNP genotyping array, which reads between 600,000 and 700,000 specific genetic markers. Those markers represent a tiny fraction of your full genome, roughly 0.03 percent. Through a computational process called imputation, the companies fill in the gaps and infer millions of additional data points about you, essentially building a far more detailed picture of your biology than the raw analysis alone would produce.
The genetic readout is only the starting line. These companies also collect your answers to detailed health surveys, questions about your medical conditions, your lifestyle habits, your family medical history, and your physical traits. 23andMe built what the company described as "billions of phenotypic data points" from the roughly 80 percent of customers who opted into research. On top of all of this, the companies store your name, your email address, your date of birth, your ethnicity, your billing information, and your browsing behavior tracked through cookies and marketing tools. A 2021 Consumer Reports investigation found these companies "over collect personal information" and deploy marketing trackers with the potential to reveal sensitive health conditions.
Here is the part most people miss when they think about a DNA test. You are not handing over something you get to take back. Your genetic code stays the same from the moment you are born until long after you die. No reset button exists. No replacement copy arrives in the mail. Your DNA passes through your bloodline for generations. And researchers have shown as few as 30 genetic markers are enough to single out one individual from the rest of the human population.
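Why a few dozen markers are enough to single someone out, as an added illustration that is not part of the chapter: the Python below computes the probability that two unrelated people share the same genotype at one biallelic SNP under Hardy-Weinberg equilibrium, multiplies it across independent markers, and counts how many markers it takes before the expected number of other matching people on Earth drops below one. The allele frequencies and the eight billion population figure are assumptions, not real panel data.

```python
"""Random match probability for a panel of independent biallelic SNPs.

Added illustration of why a small number of genetic markers can single
out one person. Assumptions (not from the chapter): Hardy-Weinberg
equilibrium, unlinked markers, and a world population of about eight
billion. Allele frequencies used below are constructed sample values.
"""
from math import prod

WORLD_POPULATION = 8_000_000_000  # assumption: rough order of magnitude


def genotype_match_probability(minor_allele_freq: float) -> float:
    """Probability that two unrelated people share a genotype at one SNP.

    With minor allele frequency p and major allele frequency q = 1 - p,
    the three genotypes occur at p^2, 2pq and q^2 (Hardy-Weinberg). Two
    random people match when both draw the same genotype, so the match
    probability is the sum of the squared genotype frequencies.
    """
    if not 0.0 < minor_allele_freq <= 0.5:
        raise ValueError("minor allele frequency must be in (0, 0.5]")
    p = minor_allele_freq
    q = 1.0 - p
    genotype_freqs = (p * p, 2.0 * p * q, q * q)
    return sum(f * f for f in genotype_freqs)


def profile_match_probability(mafs) -> float:
    """Probability that two unrelated people share every genotype in the panel.

    Markers are assumed independent, so per-SNP probabilities multiply.
    """
    return prod(genotype_match_probability(m) for m in mafs)


def expected_other_matches(mafs, population: int = WORLD_POPULATION) -> float:
    """Expected number of other people in `population` with the same profile."""
    return population * profile_match_probability(mafs)


def singles_out_one_person(mafs, population: int = WORLD_POPULATION) -> bool:
    """True when a profile on this panel is expected to be unique in the population."""
    return expected_other_matches(mafs, population) < 1.0


def markers_needed(minor_allele_freq: float, population: int = WORLD_POPULATION) -> int:
    """Smallest panel of SNPs (all at the given MAF) that singles out one person."""
    per_marker = genotype_match_probability(minor_allele_freq)
    count, prob = 0, 1.0
    while population * prob >= 1.0:
        prob *= per_marker
        count += 1
    return count


if __name__ == "__main__":
    # Constructed panel: 30 common SNPs with a spread of allele frequencies.
    panel = [0.5, 0.45, 0.4, 0.35, 0.3] * 6
    print(f"30-SNP panel: expected other matches = "
          f"{expected_other_matches(panel):.2e}, unique = {singles_out_one_person(panel)}")
    for maf in (0.5, 0.3, 0.2, 0.1):
        print(f"MAF {maf:.1f}: {markers_needed(maf)} markers to single out one person")
```

Rarer alleles carry less information per marker, so panels built from low frequency variants need more markers than the 30 quoted above; common variants with a minor allele frequency near 0.5 need fewer.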
Think about what this means for your family. A landmark 2018 study found a genetic database covering just 2 percent of a target population provides enough information to find a third cousin match to almost any individual in the group. So when one person in your family decides to take a DNA test, the decision effectively enrolls your entire extended family in a genetic database without their knowledge. Your grandmother, your nephew, your second cousins. Nobody asked them. Nobody told them. The European Union recognized this problem by defining a new category called a "biological group," one whose members come into existence every time genetic data gets processed and whose members never chose to join.
And deletion is never as clean as the companies suggest. When you close your 23andMe account, the company still keeps your genetic information, date of birth, and sex for what the company calls regulatory compliance. Data already folded into research studies is gone from your control forever. MIT Technology Review asked 23andMe to explain exactly what "retained genetic information" means after account deletion. The company pointed them to a privacy policy and refused to say anything more. You spit in a tube thinking you were learning about your ancestry. What you actually did was hand over data the company now refuses to fully describe or fully delete.
From Six Billion Dollars to Bankruptcy Court
The story of 23andMe's collapse reads like a warning label nobody bothered to print. Anne Wojcicki founded the company in 2006. The company went public in June 2021 through a merger with a special purpose acquisition company at a valuation of roughly 3.5 billion dollars. The stock briefly pushed the market value to six billion dollars, peaking near $17.65 per share. The company never earned a profit. Not once. Not in a single quarter of a single year since founding.
The business model was fatally simple. A DNA test kit is a one time purchase. Once you buy one, you are done. There is no subscription. There is no refill. As the novelty wore off and the market filled up, revenue dropped from about $299 million in fiscal year 2023 to approximately $255 million in fiscal year 2024. Net losses hit $667 million in the same period. A five year exclusive partnership with GlaxoSmithKline, which had included a $300 million investment and produced around 50 drug discovery programs, ended. Cash reserves drained from $314 million in mid 2023 to $127 million by September 2024.
Then the breach ripped through the company. Between April and September 2023, hackers used a technique called credential stuffing, where criminals take stolen passwords from other websites and try them on new accounts, to break into about 14,000 individual 23andMe profiles. Because of the company's DNA Relatives feature, which links customers to their biological matches, the hackers scraped data on roughly 6.9 million users. Nearly half the entire customer base. The data appeared on dark web forums with disturbing ethnic specificity, including the "Golem" posting targeting Jewish and Chinese Americans. The company took five months to detect the intrusion. When 23andMe finally responded, the company blamed its own customers for reusing passwords. The response drew widespread condemnation from cybersecurity experts, consumer advocates, and elected officials.
The fallout was swift. In September 2024, Nasdaq warned the stock would be delisted because the share price had fallen below one dollar. On September 17, 2024, all seven independent board members resigned on the same day, including Sequoia Capital's Roelof Botha and YouTube CEO Neal Mohan. Their joint resignation letter cited Wojcicki's concentrated voting power of 49 percent and the absence of any real plan to rescue the company. A reverse stock split in October briefly propped up the share price. In November, 200 employees lost their jobs, slashing the workforce by 40 percent and leaving roughly 300 people at a company once employing thousands.
On March 23, 2025, 23andMe filed for Chapter 11 bankruptcy, listing $277 million in assets and $214.7 million in debts. Wojcicki stepped down as CEO and immediately positioned herself as a buyer. What followed became the most consequential data privacy fight in the history of American bankruptcy law.
Your DNA on the Auction Block
The bankruptcy sale process turned the genetic data of 15 million Americans into a contested asset on an auction floor. Regeneron Pharmaceuticals won the initial bid at $256 million for substantially all of 23andMe's assets, including the full genetic database and the biobank of physical saliva samples. Wojcicki's newly created nonprofit, TTAM Research Institute (the initials stand for Twenty Three And Me), challenged the result, secured a reopened auction through her attorneys at Quinn Emanuel, and ultimately prevailed on June 13, 2025 with a $305 million offer.
The court appointed Consumer Privacy Ombudsman, Washington University professor Neil Richards, filed a remarkable report two days before the auction closed. He wrote he was unable to determine whether the sale of customer data was consistent with the company's own privacy policies. He recommended the court require the buyer to get fresh consent from every customer before the transfer. The court declined to follow his recommendation.
On June 27, 2025, Judge Brian C. Walsh approved the sale. He used a legal structure called an "equity toggle," which placed the company's assets into a subsidiary and then sold the subsidiary's equity to TTAM. The court ruled this structure did not qualify as a "transfer" of data, which would have triggered consent requirements under state genetic privacy laws. The judge acknowledged the sale was, in his own words, "a scary proposition." He noted lawmakers had simply never prohibited this type of arrangement. TTAM completed the acquisition on July 14, 2025. The company was renamed Chrome Holding Co. in bankruptcy proceedings, and most of the Chapter 11 cases were closed on January 21, 2026.
During the bankruptcy proceedings, 1.9 million customers, roughly 15 percent of the total, rushed to request deletion of their genetic data. The flood of requests crashed 23andMe's website for hours. A class action settlement over the original data breach was finalized at up to $50 million, with a claims deadline of February 17, 2026 and payouts still pending as of March 2026. The UK's Information Commissioner fined the company an additional 2.31 million pounds for the breach.
Washington Wakes Up, Slowly
The 23andMe crisis crashed into an already growing panic in Washington about foreign governments systematically acquiring American genetic data. The collision produced a wave of federal action, some of the measures meaningful, some of the bills still stuck in committee.
The most significant regulatory response was the DOJ Bulk Data Rule, implementing Executive Order 14117, signed by President Biden on February 28, 2024. The final rule took effect on April 8, 2025 and prohibits or restricts bulk transfers of Americans' sensitive personal data to six designated countries of concern: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela. For genetic data specifically, the rule sets the lowest trigger threshold of any data category. Any transfer involving 100 or more U.S. persons' genomic data or biological samples falls under the prohibition. For comparison, personal health data and financial data each require 10,000 persons to trigger the same rule. The extraordinarily low number tells you how seriously the Department of Justice treats genetic information.
The rule applies regardless of whether the data has been anonymized, encrypted, or scrubbed of identifying details. The DOJ concluded even data stripped of names and addresses, when combined in large quantities, gives hostile governments the ability to identify specific individuals and carry out targeted operations. Deputy Attorney General Todd Blanche put the logic plainly: "If you're a foreign adversary, why would you go through the trouble of complicated cyber intrusions and theft to get Americans' data when you just buy the data on the open market?" Enforcement began on July 8, 2025 after a 90 day grace period, with additional compliance requirements including mandatory audits and annual reporting kicking in on October 6, 2025.
These concerns are grounded in real cases, not speculation. China's BGI Group, the Beijing Genomics Institute, has been designated by the Department of Defense as a Chinese military company operating in the United States. BGI subsidiaries were sanctioned in 2023 for using genetic analysis to support China's repression of Uyghur populations. BGI also harvested genetic data from over eight million pregnant women in Europe through prenatal tests marketed to hospitals, without disclosing the data was being routed to China and used in research with the People's Liberation Army. Another Chinese company, WuXi AppTec, which generates over 60 percent of its revenue from U.S. clients, has sponsored events with China's military and jointly operated genetic collection sites with PLA entities. The BIOSECURE Act, signed into law on December 18, 2025, now prohibits federal agencies from contracting with biotechnology companies identified as national security threats, with BGI entities already on the designated list.
At the June 2025 Senate Judiciary hearing on the 23andMe bankruptcy, Senator Grassley warned foreign governments holding large genetic databases gain the ability to track military and intelligence personnel, monitor ethnic minority populations, plant DNA evidence to frame individuals, and conduct intelligence operations falling into what one analyst described as "gray zone" geopolitical conflict. A 2025 Bulletin of the Atomic Scientists assessment found ethnicity targeted bioweapons remain "exceptionally challenging" because human populations are genetically diverse and blended through centuries of intermarriage. The most immediate and realistic dangers center on surveillance, identification, and intelligence exploitation of American genetic data by adversary nations.
Congress introduced three bills directly in response to the 23andMe crisis. The Genomic Data Protection Act, introduced in March 2025 by Senators Bill Cassidy and Gary Peters, would give consumers the right to access, delete, and request destruction of their genetic data and biological samples within 30 days. The Don't Sell My DNA Act, introduced in May 2025 by Senators Chuck Grassley, John Cornyn, and Amy Klobuchar, would rewrite the federal Bankruptcy Code to explicitly treat genetic information as personally identifiable information and require written consent before any sale in bankruptcy.
As Senator Grassley stated at the June 2025 hearing, "Genetic data is the blueprint to a person. It is sensitive, it is personal, and in the wrong hands, it is dangerous." The American Genetic Privacy Act of 2025, introduced in March 2025 by Representative Tim Burchett, would prohibit the sale or disclosure of DNA testing data to China or Chinese controlled entities. As of March 2026, all three bills remain in committee. Not one has reached a floor vote.
Your Protection Depends on Your Zip Code
Because Congress has not passed a dedicated federal genetic privacy law, the states have become the front line. The result is a patchwork of protections varying wildly depending on where you live. More than 15 states have enacted dedicated genetic privacy laws as of early 2026, with several more introducing bills explicitly in response to the 23andMe collapse.
Montana has arguably built the strongest genetic privacy framework in the country. The state's Genetic Information Privacy Act, first enacted in 2023 and expanded in May 2025, requires a warrant before any government agency accesses genetic data. The law mandates genetic data of Montana residents be stored within the United States. Express consent is required for collection and all secondary uses. The 2025 expansion also extended protections to neurotechnology data, making Montana one of only three states protecting neural information.
Indiana's law, signed in May 2025, includes a provision going further than any other state. The statute absolutely prohibits consumer genetic testing companies from sharing individual genetic data with insurers, employers, or risk assessment businesses. No exceptions. No consent workaround. Civil penalties run up to $7,500 per violation.
Texas broke new ground in 2023 by establishing individual property rights in genetic samples and data, treating your DNA as property you own, not merely as regulated information. The 2025 Texas Genomic Act added national security protections, banned genetic data transfers to adversary nations during bankruptcy, prohibited the use of genome sequencing equipment produced by foreign adversaries, and created a private right of action allowing individuals to sue for up to $5,000 per violation.
Illinois has the oldest dedicated genetic privacy statute, dating to 1998, and carries the steepest penalties: $15,000 per intentional violation and $2,500 per negligent violation. A wave of more than 50 complaints in 2023 alone activated a law dormant for 25 years.
California layers multiple protections through its Genetic Information Privacy Act, the CCPA, and CalGINA, which extends anti discrimination protections to housing, education, and mortgage lending.
Maryland's 2025 Genetic Testing Protection Act fills a critical hole in federal law by prohibiting insurers from discriminating based on genetic test results in life insurance, long term care insurance, and disability insurance.
Several states are pushing even further.
South Carolina's proposed SB 731 would establish a private right of action with no exemption for so called de identified data, reflecting the growing recognition that genetic data cannot simply be stripped of identifiers and called safe. Alabama's proposed HB 265 would make the unauthorized sale of genetic data a Class C felony. The trend is unmistakable. The 23andMe crisis lit a fire under state legislatures across the country, and the bills keep coming.
The Federal Law Leaving You Exposed
The Genetic Information Nondiscrimination Act, known as GINA, was signed into law in 2008. Most Americans who have heard of the statute assume their genetic information is fully protected. GINA prevents health insurers from using genetic information in underwriting decisions. The law also stops employers with 15 or more workers from using genetic data in hiring, firing, or promotions. Those are real protections, and they matter.
Here is what GINA does not cover. Life insurance. Disability insurance. Long term care insurance. These are exactly the types of coverage where a person's genetic risk profile carries the most weight, and where the financial incentive to discriminate runs the deepest.
The threat is not hypothetical. A woman identified as Jennifer Marie in a report by Fast Company was denied life insurance at 36 years old because she tested positive for a BRCA1 gene mutation, which is linked to elevated breast and ovarian cancer risk. Her denial letter specifically cited the genetic test result. Life insurers in most states face no legal barrier to requesting genetic test results, asking whether you have been tested, and factoring your answers into their underwriting decisions. The more you learn about your own genetic risks, the more vulnerable you become to discrimination in the very areas of insurance where coverage matters most.
The chilling effect is real and well documented. The NIH's National Human Genome Research Institute has found the absence of protection against genetic discrimination in life insurance has caused many people to avoid getting tested altogether. Others who do get tested refuse to share results with their own doctors, knowing once genetic information lands in a medical record, insurers reviewing future applications gain access.
Think about what this means for public health. People are choosing ignorance about their own cancer risk, their heart disease risk, their neurological risk, because our laws punish knowledge. They are making themselves sicker to avoid being uninsurable. Only a handful of states, including Florida, Oregon, and now Maryland, have extended nondiscrimination protections to life and long term care insurance. For the vast majority of Americans, the gap in GINA remains wide open.
When Your Cousin's DNA Test Helps Catch a Killer, and When Things Go Wrong
Genetic data also intersects with law enforcement in ways most Americans have never considered. The most famous case is the arrest of Joseph James DeAngelo, the Golden State Killer, in April 2018. Investigators uploaded crime scene DNA to GEDmatch, a free genealogy database, and found several third and fourth cousin matches. Four months of family tree reconstruction narrowed the search. Discarded DNA collected near DeAngelo's home confirmed the match. He pleaded guilty to 13 murders and received a sentence of life without parole. The technique has since helped solve more than 651 criminal cases. The power of the method is undeniable. So are the risks.
GEDmatch was acquired by Verogen in 2019, later purchased by QIAGEN for $150 million, and shifted to an opt in model for law enforcement searches. QIAGEN later discovered some forensic genealogy practitioners had systematically bypassed the opt in settings, accessing profiles of users who had specifically declined to participate and falsifying reports to hide the violations. FamilyTreeDNA took a different path entirely, quietly granting the FBI access to search a database of more than a million profiles starting in late 2018 and defaulting users to opt out rather than requiring them to opt in.
The case of Michael Usry Jr. shows what happens when the system produces a wrong answer. In 2014, investigators wrongly targeted Usry as a murder suspect because his father's donated DNA partially matched crime scene evidence in a genealogy database. After weeks of investigation and mounting anxiety, Usry's own DNA did not match. The actual killer was eventually identified through a proper forensic genetic genealogy process. Usry had done nothing wrong. His father had done nothing wrong. Someone in their biological orbit had volunteered DNA, and the decision sent law enforcement knocking on the wrong door. Usry spent weeks under suspicion for a murder he had nothing to do with, all because of a partial genetic connection he did not create and did not know existed.
The Attorney General Who Told Californians to Delete Their DNA
Two days before 23andMe filed for bankruptcy, California Attorney General Rob Bonta issued an urgent consumer alert telling the state's 23andMe customers to consider deleting their data and requesting destruction of their biological samples. The alert cited Californians' rights under the state's Genetic Information Privacy Act and the California Consumer Privacy Act. The notice included step by step deletion instructions. Bonta stated plainly, "Given 23andMe's reported financial distress, I remind Californians to consider invoking their rights."
Bonta's office backed up the words with action. In 2023, the office partnered with the FTC to take enforcement action against CRI Genetics, resulting in a $700,000 penalty for deceptive marketing practices. In April 2025, Bonta announced a bipartisan consortium of privacy regulators, including attorneys general from seven other states, to coordinate genetic privacy enforcement nationwide. California was among five states maintaining active opposition to the TTAM acquisition even after the bankruptcy court approved the sale, arguing the transfer violated state genetic privacy law because no consumer gave fresh consent.
The multi state response was extraordinary. Within days of the bankruptcy filing, attorneys general in more than a dozen states, including New York, Connecticut, Virginia, Massachusetts, Iowa, Washington, Missouri, and Pennsylvania, issued their own consumer alerts urging customers to delete their data. On June 9 and 10, 2025, a bipartisan coalition of 27 states and the District of Columbia, led by New York Attorney General Letitia James, filed a lawsuit in bankruptcy court to block the genetic data sale. James declared 23andMe "cannot auction millions of people's personal genetic information without their consent." The FTC Chairman sent a letter insisting the company's privacy promises must remain binding on any purchaser. Twenty eight attorneys general and the federal government's top consumer protection agency all lined up on the same side. The bankruptcy court approved the sale anyway.
What You Need to Do Right Now
If you have ever sent your saliva to a genetic testing company, you need to take action today. Not next week. Not when you get around to reading the fine print. Today.
Start by requesting deletion of your data. For 23andMe, which is now operated by TTAM Research Institute: log into your account, go to Settings, scroll to "23andMe Data," click "View," then click "Permanently Delete Data" and confirm through the email they send you. To destroy your physical saliva sample, change your storage preferences under "Preferences." To revoke your consent to research, go to "Research and Product Consents" in your account settings. For AncestryDNA: go to DNA Settings, click "Delete" next to "Delete DNA Test Results and Revoke Consent to Processing," or call their Member Services line at 801 705 7000. For MyHeritage: go to "Manage DNA Kits" in your account settings or contact their customer support team directly.
Before you delete anything, download a personal copy of your data first. Once you delete, the data is gone from your end permanently. The Consumer Reports Permission Slip app helps with deletion requests for some companies. Understand the hard truth here: data already shared with research partners in a form stripped of your name is beyond retrieval. One University of Iowa professor put the reality simply. "You are never going to find your information at whatever pharmaceutical companies have already received your data, because your name is no longer attached." The deletion you perform today removes your data from the company's active systems. The copies already out in the world are gone for good.
If you are thinking about taking a DNA test, know this before you spit in the tube. Clinical genetic testing through a healthcare provider falls under HIPAA protections; direct to consumer testing does not. Read the consent forms carefully, especially the research consent. Eighty percent of 23andMe customers signed away their research rights, many without understanding the scope of their agreement.
The Electronic Frontier Foundation recommends weighing whether the information you gain from a test justifies the permanent surrender of data defining your biological identity forever. Once your DNA is in the system, you do not get to decide what happens to the company holding your genetic blueprint ten years from now. Ask yourself: if the company goes bankrupt, gets acquired, or gets hacked, are you comfortable with a stranger owning the most personal information your body has ever produced?
Your legal rights depend on where you live. If you are in California, Montana, Indiana, Texas, Illinois, or Maryland, you have dedicated genetic privacy laws with real teeth. Indiana bans genetic testing companies from sharing your data with insurers and employers under any circumstances. Montana requires a warrant for law enforcement access. Illinois lets you sue for up to $15,000 per violation. If your state has no dedicated genetic privacy law, contact your state legislators and tell them you want one.
Tell your friends and family to do the same. Share this chapter. The 23andMe crisis proved voluntary corporate promises to protect your DNA are worth exactly as much as the company standing behind them. And when the company is gone, so are the promises.
Your Body. Your Data. Your Fight.
The 23andMe bankruptcy set a precedent echoing through every future corporate failure involving sensitive biological data. A bankruptcy court determined the genetic information of millions of people was eligible for transfer through a legal structure designed to sidestep state consent laws. The court appointed privacy expert told the judge he was unable to confirm the sale was consistent with the company's own privacy policies. The judge approved the sale anyway. The journal Science warned the next case will likely involve a buyer completely unrelated to the original company, meaning even fewer protections for consumers.
No dedicated federal genetic privacy law exists in the United States. GINA, the closest thing we have, leaves life insurance, disability insurance, and long term care insurance completely uncovered. Three major bills introduced in direct response to the 23andMe crisis remain stuck in committee as of March 2026. State laws provide meaningful protection if you happen to live in the right state, and almost nothing if you do not.
Genetic privacy is different from every other privacy issue in this book because the stakes are permanent and the damage radiates outward in every direction. You are not going to reset your DNA. Your children, your siblings, your parents, and your cousins are exposed when your data is exposed, and none of them signed a consent form. The analytical value of your genetic data grows every year as science advances, meaning information collected today will reveal far more about you under tomorrow's technology than anyone predicts right now.
The companies Americans trusted with this information did not survive long enough to keep their promises. The legal system has not decided whether genetic data deserves a category of protection as unique as the data itself. The decision is still being made, in courtrooms, in state legislatures, and in Congress.
You have a voice in every one of those places. Use your voice. Talk to your family. Talk to your representatives. Because your DNA is the one thing about you that never changes, and once someone else owns your genetic blueprint, you are never getting the information back.