
Bankruptcy Court Approves Sale of 23andMe

A federal bankruptcy court has approved the sale of direct-to-consumer genetic testing company 23andMe to TTAM Research Institute. TTAM was founded by former 23andMe CEO Anne Wojcicki to purchase 23andMe, and will acquire the company after tabling a successful $305 million bid. Under the deal, TTAM will acquire substantially all of 23andMe’s assets, including the 23andMe Personal Genome Service and Research Services business lines, as well as the Lemonaid telehealth business.

Regeneron Pharmaceuticals had previously bid $256 million for the company, winning an auction after outbidding TTAM, which had initially bid $146 million. Regeneron indicated it would be submitting a further bid if it received a $10 million breakup fee should TTAM’s bid be accepted, but declined to submit a higher bid. Wojcicki is now set to regain control of the company she co-founded, with the deal expected to be closed in the coming weeks.

Privacy concerns had been raised about the sale of 23andMe over the transfer of the personal and genetic data of 23andMe customers to a different company. Potentially, a purchaser could use consumer data in unscrupulous ways or disclose the data to third parties in violation of the consumers’ consent, which was provided when they signed up for the 23andMe service.

A coalition of 27 states and DC filed a lawsuit against 23andMe to prevent the sale of consumers’ genetic data unless explicit consent was obtained from consumers. Several state Attorneys General advised consumers to request their genetic data be deleted and their biological samples destroyed, although only around 2 million individuals out of its 15 million customers have chosen to do so.


TTAM has agreed to abide by the existing privacy policies of 23andMe, and claims it will implement further protections and privacy safeguards to ensure consumer data is kept private and confidential.  TTAM has agreed to notify customers in advance of the closure of the deal, and has promised not to sell or transfer genetic data should the company be sold again or ownership be transferred, unless the new owner agrees to adopt TTAM’s privacy policies.

Within 90 days of the closure of the deal, a consumer privacy board will be established, and new privacy procedures will be adopted, including notifying customers of any material changes, mitigating data breaches, and submitting annual reports to state attorneys general, should they be required. Customers will also be offered two years of complimentary identity theft monitoring services. 23andMe previously had a policy of sharing de-identified data with third parties for scientific and biomedical research, and will continue to do so.

“I am thrilled that TTAM will be able to build on the mission of 23andMe to help people access, understand, and benefit from the human genome. As a nonprofit, TTAM will be a champion of improving our knowledge of DNA – the code of life – for the public good, creating a resource to advance human health globally,” said Wojcicki. “Core to my beliefs is that individuals should be empowered to have choice and transparency with respect to their genetic data and have the opportunity to continue to learn about their ancestry and health risks as they wish. The future of healthcare belongs to all of us.”

UK Data Regulator Fines 23andMe for Privacy Violations

Last month, the UK’s Information Commissioner’s Office (ICO) announced that a £2.31 million fine ($3.1 million) had been imposed on 23andMe to resolve serious privacy and security violations related to a 2023 hacking incident and data leak. Hackers gained access to the data of 7 million customers, including 155,592 individuals in the UK, through a credential stuffing campaign.

The hacking incident and data breach were investigated by the ICO and the Office of the Privacy Commissioner of Canada, which identified several serious security failures. There was determined to be a lack of appropriate authentication and verification, including no mandatory multi-factor authentication, secure password protocols, or unpredictable usernames. 23andMe was also determined to have failed to implement appropriate controls for accessing raw genetic data, and there were ineffective systems for monitoring, detecting, and responding to cyber threats targeting its customers’ sensitive information. The latter resulted in a four-day delay in disabling user sessions and performing password resets, and its DNA download feature was not disabled until a month after the incident. Due to the bankruptcy, 23andMe requested that a fine be waived; however, due to the financial turnover of the company, the ICO proceeded to impose a financial penalty.

“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us: Once this information is out there, it cannot be changed or reissued like a password or credit card number,” John Edwards, UK Information Commissioner, said. “23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

June 11, 2025: Congress Grills 23andMe on Data Privacy as States Take Legal Action Over Company Sale

Earlier this week, the House Committee on Oversight and Government Reform held a hearing on the sale of the direct-to-consumer genetic testing company 23andMe. At the hearing, titled, Securing Americans’ Genetic Information: Privacy and National Security Concerns Surrounding 23andMe’s Bankruptcy Sale, Congress members expressed serious national security and privacy concerns over the sale, which includes the business and its vast database of genetic information.

Last month, the biotechnology company Regeneron Pharmaceuticals announced that it had entered into an asset purchase agreement to acquire 23andMe; however, 23andMe founder Anne Wojcicki requested the federal bankruptcy court reopen the auction, claiming she had the financial backing of an unnamed Fortune 500 company that had a current market capitalization of more than $400 billion, $17 billion in cash, and a serious interest in participating in the sale, but only with her nonprofit group, the TTAM Research Institute.

Wojcicki claimed that her nonprofit group had been unfairly excluded from the bidding process, as 23andMe capped her group’s bid at $250 million due to concerns about the group’s financial position. According to Wojcicki, TTAM was prepared to submit a bid of up to $280 million, but the auction was concluded before TTAM could submit a higher bid. On June 4, 2025, the bankruptcy court reopened the auction, and TTAM submitted a bid of $305 million, trumping Regeneron’s bid of $256 million. Regeneron is permitted to submit a further bid, provided it exceeds TTAM’s bid by $10 million, then final offers can be submitted, and the buyer will be decided.

As previously reported by The HIPAA Journal (below), Regeneron provided assurances that it is committed to respecting 23andMe’s privacy policies and all applicable laws with respect to the genetic database. According to court filings, Regeneron stated that it is “preparing to work with regulators, among others, to assure all interested stakeholders that 23andMe will be in safe hands and will not face the data breach issues that plagued it in the past.”

With the battle to gain ownership of 23andMe continuing, the House committee grilled 23andMe interim CEO Joseph Selsavage and former CEO Wojcicki on the company’s data security measures and privacy practices, including the hacking incident in 2023 that involved unauthorized access to the data of almost 7 million of its customers.

Members voiced their concern about the potential acquisition of data by foreign adversaries such as the Chinese Communist Party (CCP). “To whoever ends up controlling the company, there are serious concerns about what will happen to this private information. How will it be stored? Could it end up in the hands of a foreign adversary—through direct investment or indirectly through future partnerships?” said Chairman James Comer (R-KY.). “All of this raises questions about whether Congress needs to take action to ensure the safety of Americans’ personal genetic data.”

Chairman Comer went on to say, “It is well-known that the CCP engages in mass surveillance and has conducted dangerous activities to advance bioweapons, both used against its critics. It is imperative that 23andMe, and other companies like it, ensure there is absolutely no legal or illegal way for foreign adversaries or anyone else to access, manipulate, and abuse Americans’ genetic data to advance their nefarious agendas.”

At the hearing, Representative Tim Burchett (R-TN) said 23andMe had secured millions in investments, including from the Chinese investor WuXi Healthcare Ventures, which invested $10 million in 23andMe in 2015. Wojcicki confirmed the investment, but said she was unaware that WuXi Healthcare Ventures had direct ties to the CCP and Chinese People’s Liberation Army at the time the investment was made.

Selsavage explained that the company is committed to ensuring that consumers’ data will be protected. “Let me say, as part of the bankruptcy process, we have committed [that] under no circumstances will we sell this sensitive data to foreign adversaries such as China, Russia, or North Korea.”

Several state attorneys general have advised customers to request that 23andMe destroy their biological samples and delete their genetic data. At the hearing, Selsavage was accused of making it difficult for customers to delete their data. As previously reported, customers have complained that they have been prevented from submitting a request due to problems with the 23andMe website. Selsavage confirmed that approximately 15% of its 15 million customers, around 1.9 million people, have submitted requests for data deletion and sample destruction since news of the bankruptcy broke in March.

Committee members concluded that 23andMe and all companies must ensure that foreign adversaries and hostile private entities are prevented from accessing, manipulating, or exploiting Americans’ DNA, and that Congress needs to take action to ensure Americans’ privacy and safeguard their genetic data.

State Attorneys General File Lawsuit to Block 23andMe Data Transfer Without Customers’ Consent

The same day as the hearing, a lawsuit was filed against 23andMe Holding Co. and 23andMe Inc., in the United States Bankruptcy Court for the Eastern District of Missouri, Eastern Division, by a coalition of 28 State Attorneys General. The lawsuit seeks to prohibit the sale of 23andMe to the highest bidder, claiming the company lacks sufficient rights to control and transfer customers’ biological material and their genotype and phenotype data to a third party. In order for the sale to proceed, the Attorneys General want an order from the court requiring 23andMe to obtain explicit consent from each customer authorizing the transfer of their genetic information and biological samples to a third party.

The State Attorneys General argue that 23andMe has not obtained consent to sell customers’ data, pointing out that prior to June 8, 2022, the company’s privacy policy stated that “23andMe will not sell, lease, or rent your individual-level information to a third party for research purposes without your explicit consent.” At the hearing, Selsavage stated that customers had already provided consent to the transfer of their data as part of the consent they gave to 23andMe when they signed up for the service.

While the personal information and genetic data held by 23andMe would be classed as protected health information under HIPAA if collected and held by a HIPAA-covered entity, HIPAA does not cover the genetic data collected by direct-to-consumer genetic testing companies. There have been calls for HIPAA to be expanded to cover healthcare data that currently falls into this regulatory gray area, but all efforts to expand HIPAA or introduce new legislation to plug the regulatory gap have so far been unsuccessful.

May 22, 2025: Regeneron Pledges to Ensure Data Privacy in $256 Million 23andMe Deal

Following a successful bid in the bankruptcy auction, the pharmaceutical firm Regeneron Pharmaceuticals is set to purchase the direct-to-consumer DNA testing firm 23andMe in a $256 million deal, pending approval from regulators and the bankruptcy court.

23andMe went public in 2021, but the company has been struggling to make the business profitable. CEO and co-founder Anne Wojcicki attempted a buyout in April 2024, but the proposal was rejected by the board. She has now resigned as CEO, although she remains on the board. In March 2025, 23andMe filed for Chapter 11 bankruptcy protection and announced that the company was planning to sell substantially all of its assets. In the bankruptcy filing, 23andMe said it had assets worth $277.42 million and $214.7 million in debts.

The deal proposed by Regeneron includes the 23andMe Personal Genome Service and Total Health and Research Services, but not 23andMe’s telehealth subsidiary, Lemonaid Health, which 23andMe was planning to wind down. Regeneron plans to retain all current 23andMe employees and will operate 23andMe as a wholly-owned subsidiary, with all of 23andMe’s consumer genome services continuing uninterrupted.

“We believe we can help 23andMe deliver and build upon its mission to help people learn about their own DNA and how to improve their personal health, while furthering Regeneron’s efforts to improve the health and wellness of many,” said Regeneron co-founder, board co-chair, and Chief Scientific Officer George Yancopoulos.

Included in the deal are the 23andMe Biobank and the genetic data of 23andMe’s customers. 23andMe claimed to have around 15 million customers, although with a sale pending and the perceived privacy risks from another company obtaining customers’ genetic data, state attorneys general urged customers to request that their biological samples be destroyed and their genetic data be deleted. It is unclear to what extent customers have requested sample destruction and data deletion.

“We assure 23andMe customers that we are committed to protecting the 23andMe dataset with our high standards of data privacy, security, and ethical oversight and will advance its full potential to improve human health,” said Aris Baras, Regeneron’s senior vice president. Regeneron intends to comply with 23andMe’s existing privacy policies and will only process customer data in line with 23andMe’s terms of service and the consent obtained from its customers.

“We are pleased to reach an agreement with a science-driven partner that maintains our team and helps ensure our mission will carry forward,” said Joe Selsavage, Interim Chief Executive Officer of 23andMe. “With the support of Regeneron and their deep experience in genetic sequencing, testing, and discovery, we look forward to continuing to help people access and understand the human genome for the benefit of customers and patients.”

Before the deal can go ahead, an independent, court-appointed privacy ombudsman must review the transaction to assess how the acquisition could affect the privacy of 23andMe customers. The ombudsman’s report is due to be provided to the bankruptcy court by June 10, and a hearing has been scheduled for June 17 to determine if the sale can proceed. If the deal goes ahead, it is expected to close in the third quarter of 2025.

April 4, 2025: FTC: 23andMe Buyer Must Abide by Company’s Past Privacy Promises

The Federal Trade Commission (FTC) has written to the 23andMe bankruptcy trustees to advise them that the sale of the company and its assets must be consistent with the company’s past pledges to consumers about the privacy and security of their personal and genetic data and biological samples.

Last month, 23andMe announced that it had entered Chapter 11 bankruptcy proceedings and had asked the court to arrange the sale of the company, including any assets owned by the company. 23andMe is a direct-to-consumer genetic testing company that conducts genetic testing of DNA obtained from saliva samples. Concerns have been raised about the sale of the company, which will include consumers’ personal and genetic data and biological samples. State Attorneys General in California, New York, Massachusetts, and Iowa have issued consumer alerts, advising past users of 23andMe’s services to take steps to protect their data, including requesting that 23andMe delete their data and destroy their test samples.

“As 23andMe goes bankrupt, Iowans should know how to keep their DNA off the market,” said Iowa Attorney General Brenna Bird. “The power is in Iowans’ hands to protect their unique and valuable genetic information. By taking a few simple steps, residents can control how their data is used, stored, or shared.”

Following the announcement, 23andMe confirmed that “any buyer of 23andMe will be required to comply with our privacy policy and with all applicable laws with respect to the treatment of customer data.” While the statement was issued to reassure 23andMe customers, there is widespread concern about data privacy. Due to the number of individuals attempting to submit requests to delete their data, the 23andMe website has been experiencing technical difficulties, making it difficult to submit a request for data deletion.

FTC Chairman Andrew N. Ferguson has responded to the announcement to express his concerns about consumer privacy. In his letter, Ferguson explained that user data may be considered an asset that could be sold, and reminded 23andMe of its past commitments to ensure the privacy of consumer data and their biological samples.

“As you may know, 23andMe collects and holds sensitive, immutable, identifiable personal information about millions of American consumers who have used the Company’s genetic testing and telehealth services. This includes genetic information, biological DNA samples, health information, ancestry and genealogy information, personal contact information, payment and billing information, and other information, such as messages that genetic relatives can send each other through the platform,” explained Ferguson.

Ferguson explained that the company has previously promised, and continues to promise, that user privacy and choice are at the forefront of its business model, and consumers have been told that they are in control of their data and can decide how it can be used and for what purposes. They also have the right to request that their data and samples be deleted.

Ferguson said 23andMe has stated that personal information will not be shared with insurance companies, employers, public databases, or law enforcement without a court order or subpoena, and that consumers have been promised that their genetic information will not be shared with any third parties, although in the event of a bankruptcy, merger, or acquisition, personal data may be sold, accessed, or transferred to a third party as part of that transaction.

Ferguson said the FTC believes that these promises to consumers must be kept, and that any data or biological samples that are transferred in relation to the sale will still be subject to the representations the company has previously made regarding data privacy and security. “Any purchaser should expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies,” Ferguson said.

March 24, 2025: Genetic Testing Company 23andMe Files for Bankruptcy

The direct-to-consumer genetic testing company 23andMe has announced it has entered Chapter 11 bankruptcy and has asked the US Bankruptcy Court for the Eastern District of Missouri to facilitate a sale to maximize the value of its business.

23andMe provides saliva-based DNA test kits to help customers identify and track their ancestry. The company was successful initially and went public in 2021 via a merger with a Special Purpose Acquisition Company (SPAC) and had a market capitalization of $6 billion. In February 2021, the company had its highest end-of-day stock price of $353.0; however, the share value has been tumbling since, reaching a low of $1.27 in early March 2025.  In 2023, the company was hit with a damaging data breach. While there was no breach of 23andMe systems, a hacker was able to access accounts and steal the sensitive data of around half of its customers – 7 million individuals. 23andMe faced intense scrutiny over the data breach, with data protection regulators in the United Kingdom and Canada launching investigations. 23andMe also faced multiple lawsuits over the breach and negotiated a $30 million settlement to resolve the consolidated class action litigation.

23andMe CEO and co-founder Anne Wojcicki has been attempting a buyout since April last year, but the board rejected the proposal. She has now resigned and will attempt to purchase the company and take it private, and is convinced 23andMe is still a viable business. There is no guarantee that Wojcicki will be able to raise the necessary funds, and there may be other potential buyers. Should another buyer obtain the company, they will have access to the genetic data of 15 million people, which will include their genetic, ancestry, and family connections as well as any personal information provided to create their account.

CEO chair, Mark Jensen, said, “We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.” U.S. users of the 23andMe service have a degree of protection under the Genetic Information Nondiscrimination Act (GINA), as their genetic data cannot be used to make employment or health insurance decisions, but there may be other ways that their data could be used.

California Attorney General, Rob Bonta, has reminded California residents that they have the right under the California Genetic Information Privacy Act to request 23andMe delete their data and destroy any samples of genetic material the company holds. “California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” said Attorney General Bonta. “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.”

Customers are able to exercise their rights by logging into their 23andMe account and requesting the deletion of data and destruction of samples in the data section, which is accessible via the settings menu. An email confirmation will be sent by 23andMe, and a response is required to verify the request before any data/samples will be deleted/destroyed. Deletion of data and samples will be permanent, although it should be noted that per 23andMe’s privacy policy, some data will be retained by 23andMe for an undisclosed amount of time to comply with the company’s legal obligations.

“With 23andMe facing bankruptcy, there are serious concerns about what happens to millions of users’ genetic and personal health information. This isn’t just a typical data set; it includes deeply sensitive, immutable biological data that can be tied to individuals and their families for generations. Unlike a password or credit card number, you can’t change your DNA,” said Ensar Seker, CISO at SOCRadar. “The bottom line is that 23andMe’s bankruptcy shouldn’t just be seen as a business failure. It’s a data stewardship crisis. Regulators, privacy watchdogs, and even national security agencies should step in to ensure that this dataset doesn’t fall into the wrong hands. Transparency, oversight, and ethical responsibility are now more important than ever.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
