The genetic testing company 23andMe, once valued at six billion dollars and serving over 15 million customers worldwide, has navigated through bankruptcy proceedings that raised serious concerns about the future of sensitive genetic data. In March 2025, the company filed for Chapter 11 bankruptcy protection, triggering immediate alarm among privacy advocates, state attorneys general, and millions of customers who had entrusted the company with their most personal biological information. The bankruptcy filing came after years of financial struggles, a devastating 2023 data breach affecting nearly seven million users, and the mass resignation of the entire independent board of directors. This situation represents one of the most significant tests of genetic privacy protections in the direct-to-consumer DNA testing industry.
The saga took a dramatic turn when pharmaceutical giant Regeneron Pharmaceuticals initially won the bankruptcy auction with a bid of 256 million dollars, sparking widespread outrage from more than two dozen state attorneys general who sued to halt the deal. The prospect of a pharmaceutical company acquiring such vast quantities of genetic data raised fundamental questions about consumer privacy, the unique nature of DNA as property, and the adequacy of existing legal protections. However, the story reached an unexpected resolution when TTAM Research Institute, a nonprofit organization founded by 23andMe co-founder Anne Wojcicki, submitted a higher bid of 305 million dollars and ultimately won court approval to acquire the company’s assets. This outcome has provided some relief to privacy advocates while still leaving important questions about long-term data security unanswered.
The Financial Collapse of a Genetic Testing Pioneer
Founded in 2006, 23andMe revolutionized the consumer genetics industry by making DNA testing accessible to millions of people through affordable saliva-based test kits. The company’s business model centered on collecting saliva samples from customers, analyzing their genetic markers, and providing detailed reports about ancestry, genetic health predispositions, and potential connections to relatives. At its peak in 2021, when the company went public through a special purpose acquisition company merger, 23andMe achieved a market valuation of six billion dollars and seemed poised for continued growth in the expanding personalized medicine market. However, fundamental flaws in the business model soon became apparent as the company struggled to generate sustainable revenue from what was essentially a one-time purchase for most customers.
The core problem with 23andMe’s business strategy was that genetic testing represented a single transaction for the vast majority of users. Once customers received their ancestry information and health risk assessments, most had little reason to continue engaging with the platform or purchasing additional services. The company attempted to diversify revenue streams by developing subscription services, partnering with pharmaceutical companies for drug development research, and launching a telehealth service called Lemonaid Health. Despite these efforts, 23andMe never achieved profitability and watched its stock value plummet more than 99 percent from its public offering peak. In November 2024, the company laid off more than 200 employees, representing approximately 40 percent of its workforce, and shut down its costly drug development programs.
The 2023 data breach dealt a catastrophic blow to 23andMe’s already fragile business position. Hackers accessed genetic information belonging to almost seven million users through a credential stuffing attack, where stolen usernames and passwords from other websites were used to break into 23andMe accounts. The breach was particularly concerning because attackers specifically targeted profiles of individuals with Chinese and Ashkenazi Jewish ancestry, creating curated lists that were subsequently sold on dark web marketplaces. This targeted aspect of the breach raised alarming security implications for vulnerable populations and highlighted the unique dangers associated with genetic data exposure. The company eventually agreed to pay 30 million dollars to settle a class-action lawsuit related to the breach and committed to providing three years of security monitoring for affected users.
By September 2024, tensions between founder Anne Wojcicki and the board of directors reached a breaking point. Wojcicki proposed taking the company private for 42 million dollars, a fraction of its former valuation, but the board rejected this offer citing multiple concerns. In response to the rejection, all seven independent board members resigned simultaneously, leaving Wojcicki as the sole director. This unprecedented mass resignation further destabilized the company and accelerated its path toward bankruptcy. When 23andMe filed for Chapter 11 protection in March 2025, Wojcicki immediately resigned as chief executive officer to position herself as an independent bidder, though she remained on the board. The bankruptcy filing specifically noted that the company intended to facilitate a sale process to maximize value for stakeholders while continuing normal business operations throughout the proceedings.
The Privacy Crisis and Legal Landscape
The bankruptcy announcement triggered an immediate surge in concern about what would happen to the genetic data of 15 million customers. Website traffic analysis company Similarweb reported that 23andMe received 1.5 million visits on March 24, 2025, the day of the bankruptcy announcement, representing a 526 percent increase from the previous day. Approximately 376,000 of these visits were specifically to help pages related to deleting data, while 30,000 visits were directed to customer care pages for account closure. This massive spike in activity demonstrated widespread recognition among users that their genetic information might be at risk of acquisition by unknown third parties with potentially different privacy standards and business objectives.
California Attorney General Rob Bonta issued an urgent consumer alert on March 21, 2025, before the actual bankruptcy filing, advising residents to consider deleting their data and requesting destruction of any stored saliva samples. The alert stated that given 23andMe’s reported financial distress, Californians should invoke their rights to direct the company to permanently remove their information and destroy genetic material. This proactive stance by California’s top law enforcement official reflected growing recognition among state officials that existing federal privacy laws provide inadequate protection for genetic data held by direct-to-consumer companies. Other state attorneys general across the country echoed these concerns and issued similar guidance to residents in their jurisdictions.
The legal framework governing genetic privacy in the United States contains significant gaps that became starkly apparent during the 23andMe crisis. The Health Insurance Portability and Accountability Act, commonly known as HIPAA, provides robust protections for health information but only applies to health care providers, health plans, and health care clearinghouses. Because 23andMe operates as a direct-to-consumer company selling products directly to individuals rather than providing health care services, it falls completely outside HIPAA’s protective umbrella. Legal experts consistently emphasized this crucial distinction, noting that genetic information shared with 23andMe receives far less legal protection than medical records shared with doctors or hospitals.
The Genetic Information Nondiscrimination Act of 2008, known as GINA, represents the only other significant federal law addressing genetic privacy. However, GINA’s protections are narrowly focused on preventing employers and health insurance companies from discriminating against individuals based on genetic information. The law does not regulate how companies like 23andMe collect, store, share, or sell genetic data. Furthermore, GINA contains notable exclusions, such as not applying to life insurance, disability insurance, or long-term care insurance, leaving consumers vulnerable to potential discrimination in these areas. As University of Iowa law professor Anya Prince explained, those two federal laws represent pretty much all the protection available at the national level for genetic privacy.
The Pharmaceutical Bid and State Opposition
In May 2025, Regeneron Pharmaceuticals emerged as the winning bidder in the initial bankruptcy auction with an offer of 256 million dollars. Regeneron, a major biotechnology company based in New York, pledged to honor 23andMe’s existing privacy policies and maintain current data protection standards. The company viewed 23andMe’s extensive genetic database as a valuable resource for drug development research and potential identification of new therapeutic targets. However, the prospect of a for-profit pharmaceutical company gaining control over the genetic information of millions of individuals without their explicit consent sparked immediate and fierce opposition from state governments and privacy advocacy organizations.
More than two dozen state attorneys general filed a lawsuit seeking to block the Regeneron acquisition, arguing that genetic information represents a fundamentally unique type of property that should not be transferred through standard bankruptcy proceedings like real estate or office furniture. The states’ legal argument centered on the immutable and highly personal nature of DNA data, which cannot be changed if compromised and contains information not only about the individual but also about biological relatives who never consented to their genetic information being shared. The lawsuit raised concerns about the potential for genetic data to be used in ways customers never anticipated when they originally submitted their saliva samples, including possible sharing with law enforcement agencies, insurers, or other third parties.
The legal battle highlighted deep tensions between bankruptcy law principles, which generally treat all company assets similarly during liquidation proceedings, and emerging recognition that genetic data requires special protections. Privacy advocates warned that allowing unrestricted transfer of genetic databases through bankruptcy sales could create dangerous precedents for the entire direct-to-consumer genetic testing industry. The Electronic Privacy Information Center urged companies to resist sales to any entities with ties to law enforcement, noting that genetic information could potentially be used for indiscriminate searches in criminal investigations. These concerns were particularly acute given that approximately 80 percent of 23andMe customers had consented to having their anonymized data used for research purposes, potentially creating pathways for wider data sharing under new ownership.
Judge Brian Walsh of the United States Bankruptcy Court for the Eastern District of Missouri acknowledged in his rulings that the sale of genetic data represents a scary proposition. However, he noted that lawmakers had not banned such sales and that imposing an absolute prohibition could result in missed opportunities, though he did not specify what those opportunities might entail. This judicial acknowledgment of the uncomfortable reality reflected the regulatory vacuum surrounding genetic privacy and the challenges courts face when applying traditional bankruptcy principles to novel forms of digital property. The judge’s comments underscored the urgent need for comprehensive federal legislation specifically addressing genetic data protection.
TTAM Research Institute’s Winning Bid
Following the states’ lawsuit and widespread public outcry, the bankruptcy court ordered the bidding process reopened. Anne Wojcicki, through her newly formed TTAM Research Institute, claimed she had been unfairly excluded from the initial auction process because 23andMe had capped her group’s bid at 250 million dollars due to concerns about financial backing. Wojcicki asserted that TTAM had support from an unnamed Fortune 500 company with a market capitalization exceeding 400 billion dollars and 17 billion dollars in cash reserves, though this major backer’s identity was never publicly revealed. During the final round of bidding conducted on June 13, 2025, TTAM submitted an offer of 305 million dollars, successfully outbidding Regeneron and winning the right to acquire substantially all of 23andMe’s assets.
TTAM Research Institute, whose acronym clearly references twenty-three and me, was established specifically as a nonprofit public benefit corporation with a stated charitable mission of continuing 23andMe’s research activities while expanding medical research and educational programs. The nonprofit structure represented a key distinction from the for-profit pharmaceutical company alternative, addressing some concerns about commercial exploitation of genetic data. Wojcicki positioned TTAM as a champion of improving knowledge about DNA for the public good rather than private profit, emphasizing that the organization would maintain customer choice and transparency regarding genetic information. The nonprofit model theoretically aligns incentives toward scientific advancement and public health benefits rather than maximizing shareholder returns.
On June 30, 2025, Judge Walsh approved the sale to TTAM Research Institute, noting that the transaction involves a sale of customer data only in a technical sense given the continuity of leadership and stated commitment to existing privacy policies. The judge determined that the TTAM acquisition would satisfy the concerns raised by most of the state attorneys general who had sued to block the Regeneron deal. However, his ruling acknowledged that five states—California, Kentucky, Tennessee, Texas, and Utah—remained actively opposed to any sale of the genetic database. These dissenting states were given until July 7, 2025, to seek a stay of the ruling in order to appeal the decision, though no successful appeals emerged and the transaction ultimately closed on July 14, 2025.
TTAM committed to several enhanced privacy protections beyond 23andMe’s existing policies as part of the acquisition approval. The organization pledged to establish a consumer privacy board within 90 days of closing the transaction, implement new notification procedures for any material changes to privacy policies, develop enhanced protocols for mitigating data breaches, and submit annual reports to state attorneys general upon request. Additionally, TTAM agreed that if the organization itself is ever sold or transferred, no genetic data would be moved unless the new owner agreed to adopt TTAM’s privacy policies. Customers would receive two years of complimentary identity theft monitoring services, and all users would be notified in advance of the transaction closing with information about their options regarding data
