Latest news with #SaraGerke
Yahoo
25-03-2025
- Business
- Yahoo
As 23andMe files for bankruptcy, what to know about protecting your data
With Sunday's announcement by genetic testing firm 23andMe that it has filed for bankruptcy, customers of the site may be wondering what will happen to their data and what, if anything, they can or should do to protect it. The company explained Sunday in a press release that it has entered a voluntary Chapter 11 restructuring and sale process, saying it intends to continue operations as normal, with no changes to how it stores, manages or protects customer data. The company also addressed data concerns in an open letter to customers posted Sunday on its blog. 'We remain committed to our users' privacy and to being transparent with our customers about how their data is managed,' it said. 'Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.' The company has been dealing with a wave of lawsuits after the personal data of about 7 million customers was accessed by hackers in 2023. In an article published earlier this month in the New England Journal of Medicine, three law professors expressed concerns that existing protections may not be enough, calling on Congress to do more to shield consumer data from such corporate changes. 'If 23andMe goes bankrupt, these data will most likely be sold to the highest bidder, a successor company that customers might not want to entrust with their genetic data,' the authors wrote, describing the issue as 'a structural problem in a legal system relying heavily on privacy policies to protect consumer data, while also treating those data as a valuable asset.' The company's consumer agreements offer little comfort, the authors wrote, as the company reserves the right to transfer customer data in the event of sale or bankruptcy, and customers can't fully protect their data from being 'accessed, sold or transferred as part of that transaction.' While the company's privacy statement would cover personal information transferred to a new owner after the sale, "the new entity could simply change the terms of service, including the privacy statement, and people might agree to it without reading these lengthy documents," said Sara Gerke, associate professor of law at the University of Illinois Urbana-Champaign and lead author of the Journal article. "Customers need to be proactive now and be aware of this issue until Congress intervenes to address this problem at the federal level." The genetic and self-reported data, including saliva samples and questionnaires, held by such companies represent some of people's most guarded information, including family history and health-related data. But such companies aren't covered under Health Insurance Portability and Accountability Act (HIPAA) requirements, the authors of the Journal article said. 'From a legal standpoint, people therefore interact with the company as 'consumers,' not 'patients,'' they wrote. While the Genetic Information Nondiscrimination Act prevents discriminatory use of such information by employers and health insurers, it doesn't cover uses by other parties, nor does it prevent companies like 23andMe from selling people's data. The U.S. lacks a comprehensive federal privacy law unlike the European Union's General Data Protection Regulation, created in 2018. While individual states such as California and Illinois have enacted their own privacy laws, enforcement is limited to those states. On March 21, California Attorney General Rob Bonta issued a consumer alert to the state's 23andMe customers given the company's financial distress, reminding them of their right to have their genetic data deleted. 'California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,' Bonta said. 'Given 23andMe's reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.' According to 23andMe's website, users can remove personal information by opting out of the 23andMe data section of account settings. The data is deleted once a user submits and confirms the request. However, 23andMe is legally required to retain certain information, it said. "23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth and sex as required for compliance with applicable legal obligations … even if you chose to delete your account," the company's privacy statement says. In a post on technology-focused 404 Media, Jason Koebler said the genetic data of millions of people is up for grabs. 'The filing shows how dangerous it is to provide your DNA directly to a large, for-profit commercial genetic database,' wrote Koebler, a co-founder of the site. 'Once you give your genetic information to a company like 23andMe, there is no way to have any clue what is going to happen to that data, how it is going to be analyzed, how it is going to be monetized, how it is going to be protected from hackers, and who it is going to be shared with for profit.' Mark Jensen, who chairs 23andMe's board of directors, said in a statement that the company decided a court-supervised sale was 'the best path forward to maximize the value of the business. … We believe in the value of our people and our assets and hope that this process allows our mission of helping people access, understand and benefit from the human genome to live on for the benefit of customers and patients.' 'We will seek to find a partner who shares our commitment to customer data privacy and allows our mission of helping people access, understand and benefit from the human genome to live on,' it said. Trending News/multimedia reporter Marley Malenfant contributed to this story. (This story has been updated to add new information.) This article originally appeared on USA TODAY: 23andMe bankruptcy: Is customer genetic data safe? Sign in to access your portfolio
Axios
25-03-2025
- Business
- Axios
23andMe bankruptcy underscores health privacy gaps
The demise of 23andMe illustrates the vulnerable state of Americans' health data, as med tech companies vacuum up more personal information with little regulatory oversight. Why it matters: Fitness trackers, wellness apps, genetic tests and other direct-to-consumer tools that capture personal health information aren't subject to federal health data privacy laws. That could open the door to fraud or discrimination. "We're getting into an era where we have more entities sitting on these big datasets," said Sara Gerke, an associate law professor at the University of Illinois Urbana-Champaign. Catch up quick: 23andMe filed for bankruptcy Sunday to facilitate a sale of the company, which has been in financial distress and saw its board of directors quit last year. That raises questions about what an acquiring company would do with the genetic and personal data of the more than 15 million people who have provided saliva samples for 23andMe's testing kits. Where it stands: 23andMe said in a release that the bankruptcy filing won't change the way it protects customer data and that data privacy will be a key consideration in a future sale. But as things currently stand, a buyer could change the privacy policy after the sale. Some consumer advocates have suggested people proactively remove their information from the company's files. California Attorney General Rob Bonta on Friday advised 23andMe consumers to take advantage of state privacy laws and ask the company to delete their data and destroy their genetic material. 23andMe's privacy policy states that it keeps certain genetic information to comply with legal requirements and other "limited information" related to your account, even if you delete it. Additionally, if data has already been used for research, it may only be partially removed, Gerke said. More than 80% of 23andMe customers consent to participate in research, according to the company. Zoom out: In reality, there isn't much federal protection for customer data shared with 23andMe, or other companies that circle the health care space but aren't actually health providers. The landmark health privacy law HIPAA only applies to health providers, insurers, clearinghouses and their business associates, leaving a big gap as the market for consumer and digital health gadgets grows. The Federal Trade Commission acts as a watchdog to make sure companies don't deceive consumers and act in accordance with the data privacy terms and conditions they've set up. But those privacy policies are "frequently long, lengthy documents written by lawyers that are hard to decipher," said Andrew Crawford, senior counsel of privacy and data at the Center for Democracy and Technology. At the end of the day, "there is no government law or regulator that is really saying this is what happens to this data, and this is what you have to do," noted Lisa Pierce Reisz, an attorney at Epstein Becker Green. States have tried to fill that gap, creating what's at best a patchwork health privacy system. 20 states have their own comprehensive consumer data privacy laws, according to Bloomberg Law. Washington and Nevada also have laws that specifically safeguard health data that falls outside of federal health privacy requirements. "I think we're going to see more of that, and that's going to be challenging, especially for companies that operate across states," said Shannon Britton Hartsfield, a partner at Holland & Knight. What we're watching: Federal lawmakers last year introduced a draft bipartisan data privacy bill, and efforts are underway in Congress this year to come up with legislation for a comprehensive privacy protections. But a national privacy law remains a long shot at the moment, said the University of Illinois' Gerke. Expanding the scope of HIPAA or the 2008 Genetic Information Nondiscrimination Act to apply to entities that collect genetic information could be an easier fix, she said. The bottom line: Once you give your personal information to a company, you lose some control over it, Pierce Reisz said.
USA Today
24-03-2025
- Business
- USA Today
As 23andMe files for bankruptcy, what to know about protecting your data
As 23andMe files for bankruptcy, what to know about protecting your data Show Caption Hide Caption 23andMe files for Chapter 11 bankruptcy 23andMe filed for Chapter 11 bankruptcy on Monday, planning to sell most of its assets under court supervision to manage financial troubles. Cheddar With Sunday's announcement by genetic testing firm 23andMe that it has filed for bankruptcy, customers of the site may be wondering what will happen to their data and what, if anything, they can or should do to protect it. The company explained Sunday in a press release that it has entered a voluntary Chapter 11 restructuring and sale process, saying it intends to continue operations as normal, with no changes to how it stores, manages or protects customer data. The company also addressed data concerns in an open letter to customers posted Sunday on its blog. 'We remain committed to our users' privacy and to being transparent with our customers about how their data is managed,' it said. 'Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.' Hackers and bankruptcy leave personal info vulnerable The company has been dealing with a wave of lawsuits after the personal data of about 7 million customers was accessed by hackers in 2023. In an article published earlier this month in the New England Journal of Medicine, three law professors expressed concerns that existing protections may not be enough, calling on Congress to do more to shield consumer data from such corporate changes. 'If 23andMe goes bankrupt, these data will most likely be sold to the highest bidder, a successor company that customers might not want to entrust with their genetic data,' the authors wrote, describing the issue as 'a structural problem in a legal system relying heavily on privacy policies to protect consumer data, while also treating those data as a valuable asset.' The company's consumer agreements offer little comfort, the authors wrote, as the company reserves the right to transfer customer data in the event of sale or bankruptcy, and customers can't fully protect their data from being 'accessed, sold or transferred as part of that transaction.' While the company's privacy statement would cover personal information transferred to a new owner after the sale, "the new entity could simply change the terms of service, including the privacy statement, and people might agree to it without reading these lengthy documents," said Sara Gerke, associate professor of law at the University of Illinois Urbana-Champaign and lead author of the Journal article. "Customers need to be proactive now and be aware of this issue until Congress intervenes to address this problem at the federal level." Treated as 'customers' not patients The genetic and self-reported data, including saliva samples and questionnaires, held by such companies represent some of people's most guarded information, including family history and health-related data. But such companies aren't covered under Health Insurance Portability and Accountability Act (HIPAA) requirements, the authors of the Journal article said. 'From a legal standpoint, people therefore interact with the company as 'consumers,' not 'patients,'' they wrote. While the Genetic Information Nondiscrimination Act prevents discriminatory use of such information by employers and health insurers, it doesn't cover uses by other parties, nor does it prevent companies like 23andMe from selling people's data. The U.S. lacks a comprehensive federal privacy law unlike the European Union's General Data Protection Regulation, created in 2018. While individual states such as California and Illinois have enacted their own privacy laws, enforcement is limited to those states. Customers can have their data deleted On March 21, California Attorney General Rob Bonta issued a consumer alert to the state's 23andMe customers given the company's financial distress, reminding them of their right to have their genetic data deleted. 'California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,' Bonta said. 'Given 23andMe's reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.' According to 23andMe's website, users can remove personal information by opting out of the 23andMe data section of account settings. The data is deleted once a user submits and confirms the request. But some data will remain available However, 23andMe is legally required to retain certain information, it said. "23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth and sex as required for compliance with applicable legal obligations … even if you chose to delete your account," the company's privacy statement says. In a post on technology-focused 404 Media, Jason Koebler said the genetic data of millions of people is up for grabs. 'The filing shows how dangerous it is to provide your DNA directly to a large, for-profit commercial genetic database,' wrote Koebler, a co-founder of the site. 'Once you give your genetic information to a company like 23andMe, there is no way to have any clue what is going to happen to that data, how it is going to be analyzed, how it is going to be monetized, how it is going to be protected from hackers, and who it is going to be shared with for profit.' Mark Jensen, who chairs 23andMe's board of directors, said in a statement that the company decided a court-supervised sale was 'the best path forward to maximize the value of the business. … We believe in the value of our people and our assets and hope that this process allows our mission of helping people access, understand and benefit from the human genome to live on for the benefit of customers and patients.' 'We will seek to find a partner who shares our commitment to customer data privacy and allows our mission of helping people access, understand and benefit from the human genome to live on,' it said. Trending News/multimedia reporter Marley Malenfant contributed to this story. (This story has been updated to add new information.)
Yahoo
24-03-2025
- Business
- Yahoo
As 23andMe files for bankruptcy, what to know about protecting your data in Michigan
San Francisco-based genetic testing firm 23andMe on Sunday announced that it has filed for bankruptcy, leaving customers wondering what will happen to their data and whether they can protect it — or even delete it. The company explained Sunday in a press release that it has entered a voluntary Chapter 11 restructuring and sale process, saying it intends to continue operations as normal, with no changes to how it stores, manages or protects customer data. The company also addressed data concerns in an open letter to customers posted Sunday on its blog. 'We remain committed to our users' privacy and to being transparent with our customers about how their data is managed,' the company said. 'Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.' 23andMe conducted ancestry DNR tests for customers, but MSU Extension notes DNA can be used for such things as paternity, genetic disease detection and other reasons. The company has been dealing with a wave of lawsuits after the personal data of about 7 million customers was accessed by hackers in 2023, compromising data in nearly 6.9 million DNA Relatives and Family Tree profiles. Leaked data included users' account information, location, ancestry reports, DNA matches, family names, profile pictures, birthdates and more. The company's privacy statement covers personal information transferred to a new owner after the sale, but "the new entity could simply change the terms of service, including the privacy statement, and people might agree to it without reading these lengthy documents," said Sara Gerke, associate professor of law at the University of Illinois Urbana-Champaign and lead author of the Journal article. "Customers need to be proactive now and be aware of this issue until Congress intervenes to address this problem at the federal level." The company's consumer agreements offer little comfort, the authors wrote, as the company reserves the right to transfer customer data in the event of sale or bankruptcy, and customers can't fully protect their data from being 'accessed, sold or transferred as part of that transaction.' The genetic and self-reported data, including saliva samples and questionnaires, held by such companies represent some of people's most guarded information, including family history and health-related data. But such companies aren't covered under Health Insurance Portability and Accountability Act requirements, the authors of the Journal article said. 'From a legal standpoint, people therefore interact with the company as 'consumers,' not 'patients,'' they wrote. While the Genetic Information Nondiscrimination Act prevents discriminatory use of such information by employers and health insurers, it doesn't cover uses by other parties, nor does it prevent companies like 23andMe from selling people's data. On March 21, California Attorney General Rob Bonta issued a consumer alert to the state's 23andMe customers given the company's financial distress, reminding them of their right to have their genetic data deleted. 'California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,' Bonta said. 'Given 23andMe's reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.' 23andme said it is "committed to continuing to safeguard customer dataand being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.' Bonta, who sent out a "consumer alertfor 23andme customers," outlined these steps to delete your genetic data from 23andme: Log into your 23andMe account on its website. Go to the 'Settings' section of your profile. Scroll to a section labeled '23andMe Data' at the bottom of the page. Click 'View' next to '23andMe Data' Download your data: If you want a copy of your genetic data for personal storage, choose the option to download it to your device before proceeding. Scroll to the 'Delete Data' section. Click 'Permanently Delete Data.' Confirm your request: You'll receive an email from 23andMe; follow the link in the email to confirm your deletion request. The company said the data is deleted once a user submits and confirms the request. According to the 23andme's website, while users can remove their personal information anytime by opting out of the 23andMe data section of account settings, the company is legally required to retain certain information. "23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth and sex as required for compliance with applicable legal obligations... even if you chose to delete your account," the company's privacy statement said. "If you previously opted to have your saliva sample and DNA stored by 23andMe, but want to change that preference, you can do so from your account settings page, under 'Preferences," according to California's attorney general. This article originally appeared on Lansing State Journal: 23andMe bankruptcy: Is customer genetic data safe in Michigan?
