Back
privacy

23andMe Went Bankrupt. Here's What Happened to Your DNA.

15 million people trusted 23andMe with their genetic data. When the company filed for bankruptcy in March 2025, that data became an asset up for sale. Here's the full story — and what it reveals about who really owns your most personal information.

March 21, 2026 · 8 min read

In March 2025, 23andMe filed for bankruptcy. The sale of its genetic database closed in July. The legislation it triggered is still pending in Congress. The class action settlement deadline passed just weeks ago in February 2026.

The story is not over — but most people still don't know how it started, what actually happened to the DNA data of 15 million customers, or why the ending is more complicated than it looks.

23andMe built a business out of convincing people to mail in their saliva. When it failed, that saliva — and everything extracted from it — became an asset in a bankruptcy proceeding. Here is the full story.

How 23andMe Got Here

23andMe launched in 2006 with a straightforward pitch: send us a saliva sample and we'll tell you about your ancestry and genetic health risks. The model worked — by the time the company went public in 2021, it was valued at $6 billion.

The decline was slow, then fast. The company struggled to convert one-time DNA test customers into repeat subscribers. In November 2024, it laid off roughly 40% of its staff. Then, in October 2023, a hacker accessed accounts through credential stuffing — using passwords reused from other breaches — and scraped the personal information of approximately 6.9 million customers, including names, birth years, ancestry data, and DNA Relatives matches. The breach affected nearly half the company's user base.

By March 2025, the company had assets worth $277 million and debts of $214 million. It filed for Chapter 11 bankruptcy and immediately announced a sale process.

Why the Bankruptcy Was Different

Data bankruptcy sales happen regularly. Retailers, platforms, and service companies go bankrupt all the time, and their customer data — email addresses, purchase histories, behavioral profiles — gets sold along with everything else. Most people never notice.

The 23andMe case was different for one reason: the data being sold was DNA.

Unlike an email address, which can be changed, or a credit card number, which can be cancelled, genetic data is permanent. Your genome cannot be reset. It contains information not just about you, but about your parents, your siblings, your children, and every biological relative you have — including people who never consented to be in the database at all. One family member's DNA test creates a partial genetic record of the entire family tree.

DNA data cannot be easily reset or reissued. And, absent mutation, it is not changeable. Yet under current bankruptcy law, genetic data is treated no differently than marketing lists, brand assets, or software licenses.

The California Attorney General Rob Bonta issued an urgent consumer alert advising customers to delete their data immediately. Traffic to 23andMe's website surged to the point that the login portal slowed and eventually went offline, overwhelmed by customers attempting to delete their accounts.

What the Privacy Policy Actually Said

23andMe's privacy policy contained a clause that few customers had ever read:

"If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction."

This is standard language in most consumer privacy policies. It means that the protections customers believed they had — the implicit understanding that their DNA would be used for their own ancestry research and nothing else — were not actually guaranteed. The company had reserved the right to transfer that data in exactly the circumstances that were now unfolding.

The privacy policy also says that the new company has to follow the existing privacy policy, which sounds great, but the existing privacy policy also says that it can be changed at any time.

Federal law offered limited protection. Unlike health records, which are covered by HIPAA, 23andMe does business with you as a consumer, not as a patient. Customers do not get the federal health privacy protections that apply to data shared with a doctor.

The Auction

The bankruptcy court approved a sale process and set a June 2025 auction date. Two serious bidders emerged: Regeneron Pharmaceuticals, one of the world's largest biotech companies, and TTAM Research Institute, a nonprofit created specifically for this purpose by Anne Wojcicki — 23andMe's co-founder and former CEO.

Regeneron initially won the auction with a bid of $256 million. Then the court reopened bidding after Wojcicki argued her group had been unfairly excluded. TTAM submitted a revised bid of $305 million, trumping Regeneron's offer. Regeneron declined to go higher.

The court approved the sale of 23andMe's genetic data and personal information assets to TTAM Research Institute, an entity founded by Anne Wojcicki, the former CEO and co-founder of 23andMe. The sale closed on July 14, 2025.

The twist: the company that had failed, the founder who had presided over that failure, and the data that had been at the center of the privacy crisis, all ended up in essentially the same hands — repackaged as a nonprofit.

The Nonprofit Problem

TTAM Research Institute is a California nonprofit public benefit corporation. Its name shares initials with 23andMe. Its leadership is composed of former 23andMe executives. Its stated mission is scientific and biomedical research using the genetic database.

The newly formed "nonprofit," TTAM Research Institute, uses the same initials as 23andMe and, according to the bankruptcy judge, is composed of "the same business, the same employees, familiar leaders, and the same privacy policies."

Critics, including Public Citizen and attorneys general from dozens of states, argued this structure allowed a failed for-profit company to shed its debts, rebrand as a nonprofit, and reacquire its most valuable asset — the genetic data of 15 million people — without meaningful regulatory accountability.

TTAM committed to several protections as conditions of the sale: a Consumer Privacy Advisory Board within 90 days of closing, annual privacy reports available to state attorneys general, two years of free identity theft monitoring for customers, and a restriction on selling or transferring genetic data in any subsequent bankruptcy unless the recipient is a qualified domestic entity that adopts TTAM's privacy policies.

Whether those commitments hold over time depends on the nonprofit's leadership — which is, for now, the same people who led the for-profit version.

What the Law Still Doesn't Cover

The 23andMe case exposed a specific gap in bankruptcy law. Section 363(b)(1)(B) of the Bankruptcy Code offers some protections for personally identifiable information, but the law fails to expressly include genetic data. This leaves consumers vulnerable to the permanent transfer of their biological identity without meaningful consent.

In response, a bipartisan group of senators introduced the Don't Sell My DNA Act, which would amend the Bankruptcy Code to require written notice and affirmative opt-in consent from consumers before any transfer of genetic data in bankruptcy proceedings. The bill has a House companion. It remains pending as of early 2026.

Several states — including New York, Oregon, and Virginia — have their own genetic privacy laws requiring specific consent before genetic data can be disclosed to third parties. The legal question of whether a bankruptcy sale constitutes a disclosure to a "third party" under those statutes was never fully resolved.

What You Can Still Do

If you are a 23andMe customer and have not already deleted your data, you can still do so. Log into your account, go to Settings, and navigate to the data deletion option. In California, the Genetic Information Privacy Act (GIPA) gives residents the right to force deletion of both their account data and their physical saliva sample.

Deleting your account removes your profile from the database going forward. It does not retroactively undo any research already conducted using your de-identified data, nor does it affect the breach data already in circulation from the 2023 incident.

If you were a 23andMe customer between May 2023 and October 2023 and received a breach notification, you may have been eligible for a class action settlement. The claims deadline passed in February 2026.

The Broader Lesson

The 23andMe bankruptcy is not primarily a story about one company's failure. It is a story about the gap between what people believe they are consenting to and what they are actually agreeing to.

When 15 million people mailed in a saliva sample, they were thinking about ancestry percentages and health risk factors. They were not thinking about bankruptcy law, or the legal definition of personally identifiable information, or what happens to their children's partially-encoded genetic data when a company's share price falls to $1.27.

The data they created is permanent. The company that held it is gone in its original form. The legal framework that was supposed to protect it was not built for this.

That gap still exists. The Don't Sell My DNA Act would close part of it. Until it passes — if it passes — the terms of service you click through when you sign up for any consumer genetics service contain the same language 23andMe's did.

It may be worth reading them.