Following biotechnology company 23andMe’s filing for bankruptcy, losing its CEO, and trying to find a buyer last month, the House Committee on Energy and Commerce launched an investigation into the genetic data company’s handling of customers’ personal information.
On Friday, the committee sent a letter to 23andMe regarding selling people’s sensitive information following its filing for Chapter 11 bankruptcy. The letter was signed by committee Chair Rep. Brett Guthrie of Kentucky, Rep. Gus Bilirakis of Florida, and Rep. Gary Palmer of Alabama. The latter two are chairmen of the Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Oversight and Investigations, respectively.
23andMe data: How to delete yours
The letter points out that in 23andMe’s privacy policy, in a bankruptcy, customers’ personal information may be “accessed, sold or transferred as part of that transaction.”
“Additionally, a judge recently ruled 23andMe has the right to sell the sensitive medical and genetic information of its 15 million customers, which is considered to be the company’s most valuable asset,” the letter states. “With the lack of a federal comprehensive data privacy and security law, we write to express our great concern about the safety of Americans’ most sensitive personal information.”
The committee then lists many questions for the company, including how 23andMe intends to vet potential buyers and what its plan is to protect people’s data should a sale happen. The Committee of Energy and Commerce requested answers by May 1.
Mashable Light Speed
In a press release, 23andMe detailed bidding requirements and procedures for a sale, such as that it will not accept bids from entities based in or controlling investments from “countries of concern” like China, Cuba, Iran, North Korea, Russia, or Venezuela.
Regarding handling personal data, the company stated in the release, “23andMe takes its responsibility as a steward of customer data seriously. The Company maintains strict data privacy and security protocols, and it is subject to consumer privacy and genetic privacy laws.”
In the last few years, the genomics company has been under fire for a data breach and subsequent lawsuit. As 23andMe isn’t an entity covered by the Health Insurance Portability and Accountability Act (HIPAA), customer information isn’t protected by those privacy measures.
With the announcement of the bankruptcy and its former CEO, Anne Wojcicki, stepping down in March, Mashable published a how-to on deleting your data from 23andMe. If you haven’t done so yet, now is the perfect time.
UPDATE: Apr. 21, 2025, 10:15 a.m. EDT This article has been updated to include a press release from 23andMe.