Clinical laboratories should use this situation as an opportunity to ask questions about their own data privacy approaches
While the drama surrounding 23andMe’s bankruptcy announcement has taken the spotlight—cofounder Anne Wojcicki resigned as CEO so that she can attempt to be the top bidder for the company in bankruptcy court—the more interesting long-term debate for clinical laboratories may be about genetic data privacy.
The 20-year-old direct-to-consumer genetic testing company stated in an investor news release on March 23 that it would enter bankruptcy to get a better handle on operational and financial challenges.
In a post on LinkedIn, Wojcicki wrote, “If I am fortunate enough to secure the company’s assets through the restructuring process, I remain committed to our long-term vision of being a global leader in genetics and establishing genetics as a fundamental part of healthcare ecosystems worldwide.”
Wojcicki also heralded the 15 million people who sent in their samples and became customers. Many of them also agreed to clinical research based on those submissions. “What made so many of our innovations possible were the 85% of our customers who opted in to research,” she wrote.
“I have resigned as CEO of the company so I can be in the best position to pursue the company as an independent bidder,” said Anne Wojcicki (above), cofounder of 23andMe, wrote on LinkedIn. It remains to be seen how 23andMe’s bankruptcy will affect clinical laboratories. (Photo copyright: Wikimedia Commons.)
Customer Data Can Be Sold as an Asset During Bankruptcy
Those samples now find themselves in a murky area involving genetic data privacy. Will a court allow creditors to acquire that data as an asset to satisfy 23andMe’s financial obligations? And will people who gave samples to a company they presumably trusted be happy if that information ends up in other hands?
“Comprehensive data privacy legislation has been enacted across the United States and globally, including the California Consumer Privacy Act of 2018 and the European Union’s General Data Protection Regulation,” the Harvard Law Review noted in a March 2025 story about data assets during bankruptcy. “With this development has come a renewed focus on data privacy in bankruptcy, where a debtor is likely to sell its customer data to pay its debts.”
In fact, California Attorney General Rob Bonta, JD, urged residents in that state to consider the California law’s options in light of the bankruptcy announcement. “I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” Bonta said in a statement.
The Harvard Law Review noted that federal law allows for the appointment of ombudsmen in bankruptcy cases to protect consumer data, but that approach “has been ineffective at meeting that goal.” There is no word at this early stage whether the 23andMe bankruptcy will involve an ombudsman.
How Did 23andMe End Up in Bankruptcy?
Business models and criminals helped push the once thriving 23andMe to the point of bankruptcy. The company in 2021 had a $6 billion market cap. As of close of business on March 24, 2025, the cap hovered just over $20 million.
One long-term issue: There was often no need for anyone to be a repeat customer of 23andMe once they purchased their initial direct-to-consumer genetic test. “It didn’t really have a continuing business model—once you’d paid for your DNA report, there was very little for you to return for,” the BBC reported on Nov. 2.
Clinical labs are clearly in a better position here, as in addition to one-off genetic tests, they offer many medical assays that need to happen dozens or more times over a patient’s life.
Also, 23andMe had a difficult time gaining momentum for its anonymized DNA database that clinical researchers could use, according to the BBC.
A year later, 23andMe agreed to pay $30 million to settle a lawsuit over the stolen data, Reuters reported. The hack accessed information for 6.9 million customers.
Clinical Laboratories Must Be Wary of Genetic Data Privacy
It’s not hard to imagine clinical laboratories that perform genetic testing finding themselves in a situation similar to 23andMe with genetic data privacy on the line because of a business transaction. Some clinical laboratories do go bankrupt, but a more common occurrence is for a lab to be bought out by a competitor or one of the large national laboratory companies.
Clinical lab leaders may want to ask themselves these questions about genetic data privacy:
If a lab’s genetic testing information changed owners, would that damage parties’ reputation in the community?
Is there a triage plan in place to deal with any customers who want their data erased prior to any acquisition or merger?
Watch for in-depth analysis about the implications to clinical labs from the 23andMe bankruptcy in an upcoming issue of The Dark Report. Not a subscriber? Try a 14-day free trial today.
Settlement is a reminder to all clinical laboratories that state and federal DOJs and AGs are willing to file actions against genetic testing companies that intentionally mislead the public
California’s Attorney General, in cooperation with the Federal Trade Commission (FTC), announced a recent settlement with CRI Genetics regarding deceptive trade practices. The at-home genetics testing company will have to pay $700,000 in civil penalties and according to the Santa Monica Daily Press, “will be barred from a wide range of deceptive practices to settle charges from the Federal Trade Commission and the California Attorney General that the company deceived users about the accuracy of its DNA reports.”
Santa Monica, Calif.-based CRI Genetics (CRI), which also does business as OmniPGx, offers DNA saliva-swab test kits that are analyzed by a third party laboratory to return customers ancestry data, health information, optimal nutritional guidelines, and potential allergies. The company’s website states a guaranteed 8-week turn around for the kits.
The original complaint against CRI alleged the company used misleading marketing practices by claiming its DNA tests are more accurate and detailed than their competitors, such as Ancestry DNA and 23andMe. CRI also claimed their ancestry data was more than 90% accurate and could determine ancestry dating back 50 generations.
In addition, the company stated its algorithm for matching DNA was patented, which it was not, according to the complaint.
The complaint also alleged the CRI website contained deceitful information and was formatted to appear independent but included inflated reviews and false testimonials.
“CRI Genetics could have found legitimatewaysto market its services. Unfortunately, in its pursuit of growth and profits, the company repeatedly misled consumers. The FTC and my office took notice, we investigated, and we are delivering results today,” said California Attorney General Rob Bonta (above) in a press release. (Photo copyright: State of California Department of Justice.)
Alleged Deceptive Business Practices
According to court documents, CRI manipulated customers into purchasing add-on services and forced consumers to click through a myriad of pop-up pages to lure them into purchasing more products. Customers were informed they would have a chance to review their orders before being charged but were immediately billed. Consumers then had to go through a lengthy and often confusing process to obtain refunds for returned items.
“Based on the facts and violations of law alleged in this Complaint, the FTC has reason to believe that Defendant has violated or is about to violate laws enforced by the Commission because, among other things, Defendant engaged in the unlawful conduct over a period of four years, willfully and knowingly, despite having knowledge of hundreds of consumer complaints and refund requests, as well as inquiries by the Better Business Bureau regarding their deceptive practices and only ceased its unlawful activities after the FTC notified Defendant of its pending investigation,” the court filings state.
“Our settlement not only holds CRI Genetics accountable for its past misconduct, it also aims to ensure that CRI Genetics doesn’t engage in similar misconduct going forward,” said California Attorney General Rob Bonta in the press release. “I want to thank our federal counterparts at the FTC for their continued partnership and commitment to ensuring that all businesses play by the same rules.”
In addition to the $700,000 fine, CRI is obligated to change its practices by:
Ceasing to make misrepresentations about its testing and analysis services.
Not using deceptive tactics to sell its products, represent endorsements, or in billing practices.
Accurately disclosing its website billing practices.
Disclosing any sharing or usage of genetic data for purposes besides the services the consumer purchases.
Refraining from offering the sale of any DNA information testing product or service.
“Today’s action continues the FTC’s crackdown on deceptive reviews, dark patterns, and baseless claims around algorithmic solutions,” said Samuel Levine, Director, Bureau of Consumer Protection at the FTC, in the press release. “We are proud to partner with California on this important matter and will continue to carefully scrutinize claims around biometric information technologies.”
This settlement serves as a reminder to all genetic testing firms and clinical laboratories that state and federal Departments of Justice and state Attorney Generals are willing to file actions against genetic testing organizations that intentionally mislead the public. It is also useful for lab managers to stay aware of the lengths some genetic testing companies will go to deceive consumers and that regulatory agencies are noticing egregious practices.
Clinical laboratory managers should note that this company’s new diagnostic offering involving screening embryos for specific genetic conditions is not without controversy
Is the world ready for whole genome sequencing (WGS) of preimplantation embryos to help couples undergoing in vitro fertilization (IVF) treatments know if their embryos have potential genetic health problems? Orchid Health, a clinical preimplantation genetic testing (PGT) laboratory that conducts genetic screening in San Francisco, believes the answer is yes! But the cost is high, and the process is not without controversy.
According to an article in Science, Orchid’s service—a sequencings of the whole human genome of preimplantation embryos at $2,500 per embryo tested—“will look not just for single-gene mutations that cause disorders such as cystic fibrosis, but also more extensively for medleys of common and rare gene variants known to predispose people to neurodevelopmental disorders, severe obesity, and certain psychiatric conditions such as schizophrenia.”
However, Science also noted that some genomics researchers “claim the company inappropriately uses their data to generate some of its risk estimates,” adding that the “Psychiatric Genomics Consortium (PGC), an international group of more than 800 researchers working to decode the genetic and molecular underpinnings of mental health conditions, says Orchid’s new test relies on data [PGC] produced over the past decade, and that the company has violated restrictions against the data’s use for embryo screening.”
There are some who assert that a whole genome sequence of an embryo—given today’s state of genetic technology and knowledge—could generate information that cannot be interpreted accurately in ways that help parents and doctors make informed prenatal testing decisions. At the same time, criticisms expressed by the PGC raise reasonable points.
Perhaps this is a sign of the times. Orchid Health is the latest genetic testing company that is looking to get ahead of genetic testing competitors with its diagnostics offerings. Meanwhile, knowledgeable and credible experts question the appropriateness of this testing, given the genetic knowledge that exists today.
“This is a major advance in the amount of information parents can have,” Orchid’s founder and CEO Noor Siddiqui (above) told CNBC. “The way that you can use that information is really up to you, but it gives a lot more control and confidence into a process that, for all of history, has just been totally left to chance.” Should Orchid Health’s analysis prove useful, pediatricians could order further clinical laboratory prenatal testing to confirm and diagnose potential genetic diseases for parents. (Photo copyright: General Assembly.)
Orchid Receives World-class Support
Regardless of the pushback from some genetic researchers, Orchid has attracted several world-class geneticists and genetics investors to its board of advisors. They include:
Jacques Cohen, PhD, embryologist, co-founder and former director for genetics laboratory Reprogenetics LLC (now CooperGenomics).
Anne Wojcicki, co-founder and CEO of direct-to-consumer genetic testing company 23andMe.
and others.
The WGS test, according to Orchid, detects genetic errors in embryos that are linked to severe illnesses before a pregnancy even begins. And by sequencing 99% of an embryo’s DNA, the test can spot potential health risks that could affect a future baby.
According to its website, the PGT lab company uses the WGS data to identify both monogenic (single-gene) and polygenic (multiple-gene) diseases, including:
Orchid is not without its critics. Knowledgeable, credible experts have questioned the appropriateness of this type of genetic testing. They fear it could become a modern-day form of eugenics.
Andrew McQuillin, PhD, Professor of Molecular Psychiatry at University College London, has concerns about Orchid’s preimplantation genetic testing. He maintains that it is difficult to control how such data is used, and that even the most accurate sequencing techniques do not predict disease risk very well.
“[Polygenic risk scores are] useful in the research context, but at the individual level, they’re not actually terribly useful to predict who’s going to develop schizophrenia or not,” McQuillin told Science. “We can come up with guidance on how these things should be used. The difficulty is that official guidance like that doesn’t feature anywhere in the marketing from these companies.”
McQuillin also stated that researchers must have an extensive discussion regarding the implications of this type of embryo screening.
“We need to take a look at whether this is really something we should be doing. It’s the type of thing that, if it becomes widespread, in 40 years’ time, we will ask, ‘What on Earth have we done?’” McQuillin emphasized.
Redefining Reproduction
It takes about three weeks for couples to receive their report back from Orchid after completing the whole genome sequence of a preimplantation embryo. A board-certified genetic counselor then consults with the parents to help them understand the results.
Founder and CEO Noor Siddiqui hopes Orchid will be able to scale up its operations and introduce more automation to the testing process to the cost per embryo.
“We want to make this something that’s accessible to everyone,” she told CNBC.
“I think this has the potential to totally redefine reproduction,” she added. “I just think that’s really exciting to be able to make people more confident about one of the most important decisions of their life, and to give them a little bit more control.”
Clinical laboratories have long been involved in prenatal screening to gain insight into risk levels associated with certain genetic disorders. Even some of that testing comes with controversy and ambiguous findings. Whether Orchid Health’s PGT process delivers accurate, reliable diagnostic insights regarding preimplantation embryos remains to be seen.
Federal class action lawsuit looms as genetics company searches for what went wrong; a reminder to clinical laboratories of the importance of protecting patient information
Several years ago, security experts warned that biotechnology and genomics company 23andMe, along with other similar genetics companies, would be attacked by hackers. Now those predictions appear to have come true, and it should be a cautionary tale for clinical laboratories. In an October 6 blog post, the genetic testing company confirmed that private information from thousands of its customers was exposed and may be being sold on the dark web.
According to Wired, “At least a million data points from 23andMe accounts appear to have been exposed on BreachForums.” BreachForums is an online forum where users can discuss internet hacking, cyberattacks, and database leaks, among other topics.
“Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained one million data points exclusively about Ashkenazi Jews,” Wired reported, adding that “hundreds of thousands of users of Chinese descent” also appear to be impacted.
The leaked information included full names, dates of birth, sex, locations, photos, and both genetic and ancestry results, Bleeping Computer reported.
For its part, 23andMe acknowledges the data theft but claims “it does not see evidence that its systems have been breached,” according to Wired.
Anne Wojcicki (above) is the co-founder and CEO of genetics company 23andMe, which on October 24 told its customers in an email, “There was unauthorized access to one or more 23andMe accounts that were connected to you through DNA Relatives. As a result, the DNA Relatives profile information you provided in this feature was exposed to the threat actor.” Clinical laboratories must work to ensure their patient data is fully secured from similar cyber theft. (Photo copyright: TechCrunch.)
23andMe Claims Data Leak Not a Security Incident
The data leaked has been confirmed by 23andMe to be legitimate. “Threat actors used exposed credentials from other breaches [of other company’s security] to access 23andMe accounts and steal the sensitive data. Certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” a 23andMe spokesperson told Bleeping Computer.
However, according to the company, the leak does not appear to be a data security incident within the 23andMe systems. “The preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials,” the spokesperson added.
What the genetics company has determined is that compromised accounts were from users choosing the DNA Relative feature on their website as a means to find and connect to individuals related to them. Additionally, “the number of accounts sold by the cybercriminal does not reflect the number of 23andMe accounts breached using exposed credentials,” Bleeping Computer noted.
Price of Private Information
Following the 23andMe data leak, the private genetic information was quickly available online … for a price.
“On October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased,” Bleeping Computer reported.
Stolen medical records are becoming hotter than credit card information, the experts say. “Stolen records sell for as much as $1,000 each,” according to credit rating agency Experian, Bleeping Computer noted.
In its 2018 Global Security Report, “cybersecurity firm Trustwave pegged the black-market value of medical records at $250 each. Credit card numbers, on the other hand, sell for around $5 each on the dark web … while Social Security numbers can be purchased for as little as $1 each,” Fierce Healthcare reported.
Clinical laboratory managers and pathologists should take note of the value that the dark web places on the medical records of a patient, compared to the credit card numbers of the same individual. From this perspective, hacking a medical laboratory to steal patient health data can be much more lucrative than hacking the credit card data from a retailer.
“Victims of the breach are now at increased risk of fraud and identity theft, and have suffered damages in the form of invasion of privacy, lost time and out-of-pocket expenses incurred responding to the breach, diminished value of their personal information, and lost benefit of the bargain with 23andMe,” according to court documents.
“The lawsuit brings claims of negligence, breach of implied contract, invasion of privacy/intrusion upon seclusion, unjust enrichment, and declaratory judgment,” Bloomberg Law noted. Additionally, the claim states that 23andMe “failed to provide prompt and adequate notice of the incident.”
Plaintiffs are “seeking actual damages, compensatory damages, statutory damages, punitive damages, lifetime credit-monitoring services, restitution, disgorgement, injunctive relief, attorneys’ fees and costs, and pre-and post-judgment interest,” Bloomberg Law reported.
Preventing Future Data Leaks
Years of experts warning genetics companies like 23andMe that they need more strict data security have proven to be true. “This incident really highlights the risks associated with DNA databases,” Brett Callow, a threat analyst at data security firm Emsisoft, told Wired. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”
“Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping,” Wired noted.
Clinical laboratory databases are full of protected health information (PHI). Wise lab managers will work to ensure that their medical lab’s patient data is secure from today’s cyberthreats.
Clinical laboratory scientist who aided in the investigation compared DNA test results with publicly available genetic information
In an interesting twist in the solving of crime, genetic test results—along with help from a clinical laboratory scientist (CLS) turned amateur genealogist—guided relatives of Melissa Highsmith to her whereabouts after she was allegedly kidnapped as a toddler over half a century ago. According to The Guardian, the CLS helped locate Melissa by “interpreting the key DNA results and mining publicly available records.”
Highsmith’s abduction was one of the oldest missing person cases in the country and demonstrates how clinical laboratory skills can be applied outside the laboratory to help solve other problems—in this case, helping a family search for a kidnapped daughter—using genetic testing technologies that until recently were not available to the general public.
Thanks to a 23andMe at-home DNA test—and a tenacious clinical laboratory scientist/amateur genealogist—Melissa Highsmith (shown above at time of kidnapping and today) has been reunited with her birth family. This shows how genetic testing is being used in remarkable ways outside of the clinical laboratory. (Photo copyright: Highsmith family/People.)
Thanksgiving Reunion
Back in 1971, Melissa’s mother, Alta Apantenco, placed an advertisement in a local newspaper in Fort Worth, Texas, to hire a babysitter to care for her 21-month-old daughter. Apantenco hired Ruth Johnson to babysit her daughter without meeting the woman in person. Because Apantenco had to be at work, the child was handed over to Johnson by Apantenco’s roommate. The babysitter then allegedly abducted Melissa and disappeared with her.
Melissa’s family reported her missing to the police and searched for the snatched baby for more than 51 years. The family even organized a Facebook page called “Finding Melissa Highsmith” and sought outside assistance from the National Center for Missing and Exploited Children (NCMEC) in locating their lost relative, according to the New York Post.
The police and the FBI also got involved in the case, but few leads emerged over the decades.
Then, in September of 2022, Melissa’s family received a new lead regarding her location based on her father’s 23andMe DNA test results. Those results, along with a birthmark and date of birth, confirmed that Melissa was alive and well and residing in the Charleston, South Carolina area.
Over Thanksgiving weekend, Melissa was reunited with her mother, her father Jeffrie Highsmith, and two of her four siblings at a church in Fort Worth. She hopes to meet her remaining two siblings over the Christmas holidays.
“I can’t describe my feelings. I’m so happy to see my daughter that I didn’t ever think I would see again,” Apantenco told Saint Paul, Minnesota, television station KSTP.
“I couldn’t stop crying,” said Melissa’s sister Victoria Garner in a family statement. “I was overjoyed, and I’m still walking around in a fog trying to comprehend that my sister [was] right in front of me and that we found her,” The Guardian reported.
Clinical Laboratory Scientist Aids in the Investigation
The 23andMe test results alerted the family to the existence of a few unknown relatives that could be connected to the DNA of Melissa’s father. The family then contacted a genealogist and clinical laboratory scientist from Minnesota named Lisa Jo Schiele to help them interpret the results and potentially locate the missing woman. Schiele compared the DNA results with public records to help find Melissa Highsmith.
“I was able to use what we call traditional genealogy to find marriage records and things like that to find where Melissa was right now,” Schiele told KSTP. “At first glance, you look at these matches, but I’m like, ‘Holy cow, is this too good to be true?’ I’m very happy to help them navigate all of this.”
One of Melissa’s sisters, Sharon Highsmith, stated that her mother experienced deep feelings of guilt after Melissa’s abduction and had even faced accusations that she had something to do with the disappearance of her daughter.
“My mom did the best she could with the limited resources she had. She couldn’t risk getting fired, so she trusted the person who said they’d care for her child,” Sharon said in a family statement. “I’m grateful we have vindication for my mom,” The Guardian reported.
“I keep having to pinch myself to make sure I’m awake,” Melissa, who now resides in Fort Worth, told KSTP.
“It’s a miracle,” Apantenco said.
“A Christmas miracle,” Melissa added.
Due to the statute of limitations, which expired 20 years after Melissa turned 18, the babysitter who allegedly took Melissa cannot be criminally prosecuted.
“I’m angry our family was robbed for 51 years,’’ Melissa told Fort Worth news station WFAA.
This remarkable story illustrates how clinical laboratory skills combined with genetic testing results can be used outside of medical laboratory testing purposes to aid in solving criminal cases and other mysteries involving missing people.
Further advances in DNA testing combined with genetic databases that include DNA from greater numbers of people could result in more reunions involving missing persons who were identified because of genetic matching.
