DNA and Genetic Privacy
23andMe
Data Breach (2023)
Began April 2023. Credential stuffing attack: usernames/passwords from other breached sites fed into 23andMe login. Ran ~5 months before detection. Affected ~7 million customers (6.4 million US-based).
Data exposed: raw genotype data, health predisposition reports, carrier-status reports. Via DNA Relatives feature: profile information of ~5.5 million additional users plus Family Tree information of 1.4 million individuals.
UK ICO and Canada OPC found 23andMe failed to implement appropriate security (no mandatory MFA, inadequate password requirements).
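The regulators' finding above turns on a detection and control gap: a credential stuffing campaign ran for months against an endpoint with no mandatory MFA. As an added illustration (not code from 23andMe or from the sources cited), the following Python runs two simple credential stuffing signals over a constructed authentication log. The log format, IP addresses, usernames and thresholds are all assumptions for the example; the point is that stuffing leaves a characteristic trace (many distinct accounts from one source, one attempt per account, mostly failures, with occasional successes that are the compromised accounts) which a per-account lockout rule alone does not catch.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format and addresses, not a real service's logs).
# One source tries one password per account across many accounts; most fail, two succeed.
# A second source is an ordinary user mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2023-04-03T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-04-03T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-04-03T10:00:03Z ip=203.0.113.5 user=carol result=OK
2023-04-03T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-04-03T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-04-03T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2023-04-03T10:00:07Z ip=203.0.113.5 user=grace result=OK
2023-04-03T10:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2023-04-03T10:01:00Z ip=198.51.100.7 user=ivan result=FAIL
2023-04-03T10:01:30Z ip=198.51.100.7 user=ivan result=FAIL
2023-04-03T10:02:00Z ip=198.51.100.7 user=ivan result=OK
2023-04-03T10:03:00Z ip=198.51.100.9 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed log format; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(LoginEvent(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def spraying_ips(events: list[LoginEvent], window: timedelta = timedelta(minutes=10),
                 min_users: int = 5, min_fail_ratio: float = 0.5) -> dict[str, dict]:
    """Signal 1: a source that touches many distinct accounts inside a sliding window
    with a high failure ratio. Thresholds are illustrative; tune against real baselines."""
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged: dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:   # slide the window's left edge
                lo += 1
            win = evs[lo:hi + 1]
            users = {e.user for e in win}
            fails = sum(not e.ok for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                cur = flagged.get(ip)
                if cur is None or len(users) > cur["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "fail_ratio": round(fails / len(win), 2)}
    return flagged


def one_shot_failure_share(events: list[LoginEvent]) -> float:
    """Signal 2 (source-independent, catches distributed campaigns): the share of
    accounts whose only attempt in the period was a single failure. Real users retry;
    a stuffing tool tries its one leaked password per account and moves on."""
    attempts: dict[str, list[bool]] = defaultdict(list)
    for e in events:
        attempts[e.user].append(e.ok)
    one_shot_fails = sum(1 for oks in attempts.values() if oks == [False])
    return one_shot_fails / len(attempts) if attempts else 0.0


def compromised_candidates(events: list[LoginEvent], flagged: dict[str, dict]) -> set[str]:
    """Accounts that logged in successfully from a flagged source: the response
    (forced password reset, session revocation, user notification) starts here."""
    return {e.user for e in events if e.ok and e.ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = spraying_ips(evs)
    print("spraying sources:", flagged)
    print("one-shot failure share:", one_shot_failure_share(evs))
    print("accounts to reset:", sorted(compromised_candidates(evs, flagged)))
```

On the constructed sample the first signal flags only 203.0.113.5 (eight distinct accounts, 75% failures), the mistyping user is left alone, and the two accounts that succeeded from the flagged source are the ones to reset. The second signal is the one worth watching when the campaign is spread across many sources that each stay under the per-IP threshold; either signal firing is also the argument for mandatory MFA, which turns a valid reused password into a failed login rather than an exposed genome.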
Settlement
$30 million to resolve 40+ consolidated class action lawsuits. Final court approval January 30, 2026. After bankruptcy, proposed increase to $50 million.
Bankruptcy (March 23, 2025)
Filed Chapter 11. Triggered crisis over genetic data of 15+ million customers. TTAM Research Institute (non-profit) acquired assets for $305 million.
California AG Rob Bonta advised residents to direct 23andMe to delete data and destroy genetic material samples.
GlaxoSmithKline Partnership (July 25, 2018)
GSK invested $300 million in 23andMe. Gained access to genetic data for drug development. Over 5 million customers (~80%) opted in to research. GSK received “summary statistics from analyses 23andMe conducts.” Effective valuation: ~$60 per person’s exome (2018).
Regulatory Gap
23andMe not classified as medical provider — not subject to HIPAA. Terms of service covering cookies, aggregate data disclosure, and targeted advertising described as making 23andMe a data mine for health insurers, pharma, advertisers, biotech, and law enforcement.
Sources
- https://www.security.org/identity-theft/breach/23andme/
- https://www.npr.org/2025/03/24/nx-s1-5338622/23andme-bankruptcy-genetic-data-privacy
- https://www.pbs.org/newshour/show/what-happens-to-dna-data-of-millions-as-23andme-files-bankruptcy
- https://time.com/5349896/23andme-glaxo-smith-kline/
- https://www.cnbc.com/2018/07/24/glaxosmithkline-23andme-team-up-on-genetics-driven-drug-research.html
GEDmatch and Forensic Genealogy
Golden State Killer (2018)
Joseph James DeAngelo — 13 murders, 50+ rapes, burglaries across California (1970s-1980s). Former police officer. Identified in 2018 when genetic genealogist uploaded crime scene DNA to GEDmatch (free public genetics database). Matched distant relatives. Police built family tree from publicly available information. DeAngelo pled guilty; sentenced to 11 consecutive life sentences without parole.
How It Works
Law enforcement tests crime scene DNA for hundreds of thousands of markers and uploads the profile to GEDmatch or similar databases where consumers share data exported from 23andMe, Ancestry.com, etc. Matches identify distant relatives. Police then build family trees from public records to narrow the candidates to a suspect. The relatives of the person identified are unknowing and nonconsenting participants.
Scale
Science (2018): technique can home in on ~60% of white Americans via familial matching, even if they never submitted their own DNA. Only requires ~2% of a population to have DNA in a database to identify most individuals through relatives.
GEDmatch Policy Changes
May 2019: GEDmatch changed rules to require users to “opt in” to law enforcement access (previously opt-out). Despite this, a Florida state judge forced GEDmatch to allow police to search its entire database of 1.3 million profiles, overriding the opt-in requirement.
State Laws
- Montana: requires law enforcement to obtain search warrant for consumer DNA databases unless person waived privacy right
- Utah Genetic Information Privacy Act: requires “valid legal process” before commercial DNA company discloses genetic data to law enforcement without user’s express written consent
Fourth Amendment
Heritage Foundation / Federalist Society analysis: under current third-party doctrine, no warrant required for GEDmatch searches because users “voluntarily” uploaded their DNA. Relatives identified through familial matching have no standing because they didn’t share their own data — their relatives did.
Sources
- https://www.science.org/content/article/we-will-find-you-dna-search-used-nab-golden-state-killer-can-home-about-60-white
- https://www.science.org/content/article/judge-said-police-can-search-dna-millions-americans-without-their-consent-what-s-next
- https://www.heritage.org/crime-and-justice/commentary/gedmatch-and-the-fourth-amendment-no-warrant-required
- https://www.pbs.org/newshour/health/the-golden-state-killer-case-was-cracked-with-a-genealogy-website-what-does-that-mean-for-genetic-privacy
- https://pmc.ncbi.nlm.nih.gov/articles/PMC6168121/