The 23andMe Collapse Exposes the Cracks in Genomic Data Governance

Zeena Nisar, Gregory Shelby, Amr Yakout / Dec 23, 2025

Zeena Nisar is a visiting fellow at the Tech & Public Policy Program at Georgetown University’s McCourt School of Public Policy. Gregory Shelby is a Master of Public Policy student at the McCourt School. Amr Yakout is a Master of Public Policy student at the McCourt School.

The views and positions expressed are solely those of the authors, and do not necessarily represent the views or positions of any organization with which the authors are affiliated.

In 2008, Time magazine named 23andMe’s direct-to-consumer (DTC) genetic testing service as “Invention of the Year.” With just a cheek swab, anyone could access their genetic code to uncover their genetic predispositions and ancestry. Throughout its tenure, 23andMe provided genetic testing services to more than 15 million customers worldwide and amassed a vast trove of genomic data. In March of this year, after years of failing to turn a profit, the company declared bankruptcy. The fate of millions of people’s highly sensitive genomic data soon became uncertain.

The collapse of 23andMe is more than a business story about a failing biotechnology company — it is a reckoning for how the US government regulates the most intimate form of personal data: DNA.

A data privacy prism

Genomic data carries unique sensitivities. Unlike a password or credit card, DNA cannot be reset or replaced. It is immutable, embedded in the body itself. It reveals disease predispositions, ancestry, and familial relationships. When sold or breached, exposure is permanent. These vulnerabilities make genomic data fundamentally different from other personal data.

Genomic information is also inherently identifiable. Even when stripped of conventional identifiers, individuals can be re-identified by matching their genetic file to distant relatives, a process known as “genealogical triangulation.” While this has aided medical research and high-profile criminal investigations, such as the Golden State Killer case, it also demonstrates clear potential for exploitation.

These risks are magnified by the absence of a comprehensive federal framework. Medical privacy laws like HIPAA apply to hospitals and clinical labs, but not to DTC genetic testing companies. This regulatory vacuum allows firms like 23andMe to govern user data through company-written terms of service that are often ill-suited for scenarios such as corporate transitions. During mergers, acquisitions, and bankruptcy, accountability questions become especially fraught. When a genetic database is treated as a transferable asset, customer data may be acquired by companies with entirely different incentives, with no guaranteed mechanism to revoke consent.

23andMe’s bankruptcy brought these previously abstract concerns into sharp focus. The inherently sensitive and identifying nature of genomic data is currently at the mercy of a weak regulatory framework.

A national security scare

Genomic data also poses national security risks if it falls into the hands of malign actors or US adversaries. In particular, efforts by the People’s Republic of China (PRC) to collect, sequence, and analyze DNA from diverse populations, including US citizens, raise two intertwined questions: whether such data could be misused for espionage or coercion, and whether one-sided access could erode US competitiveness in biotechnology.

Security experts have warned that genomic data, when combined with publicly available information, can be used to re-identify individuals from anonymized data. This raises the stakes for potential misuse. China’s past cyber intrusions, including the 2015 breach of the US Office of Personnel Management, demonstrate how stolen personal information can create long-term vulnerabilities. If health or genetic data were linked to similar troves, the resulting datasets could enable targeted surveillance, coercion, or other intelligence activities.

Moreover, the PRC’s access to US health and genomic data poses long-term economic challenges for the United States. While the PRC severely restricts US and other foreign access to such data from China, Chinese-affiliated biotechnology firms have gained access to American data through mergers, research partnerships, and lab accreditations. These channels could enable population-level analyses that benefit state actors and place the US biotechnology industry at a disadvantage. This asymmetry risks allowing Chinese biotechnology firms to displace American firms as global leaders in biotechnology.

The US does possess an overlapping web of policies that, in theory, should safeguard sensitive data from foreign adversaries. In 2024, the Biden Administration issued the “Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern,” which imposes regulations on the transfer of bulk US sensitive personal data, including genomic data, to certain countries of concern. The same year, Congress also passed the Protecting Americans’ Data from Foreign Adversaries Act (PADFA), which imposes protections and restrictions on the transfer of sensitive data to foreign adversary countries. Lastly, the Department of the Treasury’s Committee on Foreign Investment in the United States (CFIUS) conducts oversight on inbound foreign investments involving the “sensitive personal data of United States Citizens that may be exploited in a manner that threatens national security.”

However, because these authorities have never been tested in a high-profile genomic data case, significant uncertainty remains. This uncertainty leaves open pathways for foreign adversaries to exploit US data in ways that carry both security risks and strategic economic consequences.

A policy push for data privacy and security

In the wake of 23andMe’s bankruptcy, many consumers became acutely aware of the privacy and security risks posed by the company’s vast database of genetic information. Shortly after the bankruptcy announcement, the California Attorney General issued a consumer alert to 23andMe’s customers and advised residents to “consider invoking their rights and directing 23andMe to delete their data.”

In May, Regeneron Pharmaceuticals won the bid to acquire 23andMe and all of its assets at a bankruptcy auction. In its press release, Regeneron attempted to reassure the public that the company “will prioritize the privacy, security and ethical use of 23andMe’s customer data; stands ready to work with independent, court-appointed Customer Privacy Ombudsman.” An ombudsman, a neutral, impartial party tasked with mediating certain legal concerns, was deemed necessary to ensure the sale of 23andMe proceeds with proper data privacy measures in place. Regeneron was subsequently outbid by TTAM Research Institute, a nonprofit controlled by 23andMe co-founder Anne Wojcicki.

In June, Congress pressed 23andMe on its commitment to data privacy and security. With 23andMe’s co-founder and CEO both sitting as witnesses, the House Committee on Oversight and Government Reform questioned the company’s commitment to data privacy and sought assurances that foreign adversaries will not be able to “access, manipulate, or exploit Americans’ DNA.” That same month, House Democrats sent letters to both Regeneron and TTAM calling for the implementation of consumer data privacy guardrails following the sale of 23andMe.

It is time to address the governance cracks

The 23andMe bankruptcy makes clear that genomic data cannot be treated like any other corporate asset. When a company holding millions of DNA profiles collapses, the consequences extend beyond privacy concerns to national security and economic competitiveness. The episode exposed how easily sensitive genetic information can slip through the gaps in a fragmented regulatory system and how untested US safeguards remain against foreign actors seeking access to Americans’ genomic data.

As biotechnology advances, the United States cannot rely on outdated, piecemeal protections. The next phase of innovation will depend not only on scientific progress, but on building institutions capable of safeguarding the human genome itself. Policymakers must act quickly to close the governance cracks revealed by 23andMe’s collapse and strengthen the privacy and security of genomic data before the next crisis forces the issue.

Authors

Zeena Nisar
Zeena Nisar is a molecular biologist turned policy researcher working at the intersection of economic competitiveness, national security, and emerging technologies. Zeena is currently a Senior Policy Advisor for the National Security Commission on Emerging Biotechnology.
Gregory Shelby
Gregory Shelby is a Master of Public Policy student at Georgetown University’s McCourt School, where he focuses on AI and emerging technology governance. He works as an organizer at the Network on Emerging Threats, a nonprofit focused on tech safety policy. Previously, he worked as a film producer, ...
Amr Yakout
Amr Yakout is a Master of Public Policy student at Georgetown University’s McCourt School of Public Policy and a graduate assistant with the Tech and Public Policy Program at Georgetown. Previously, Amr worked as a Program Manager at Amazon and holds a dual degree in Mathematics and Economics from N...
