As the once-celebrated genetic testing company 23andMe navigates bankruptcy proceedings, U.S. lawmakers are raising serious concerns about the security and future of the company’s vast collection of genetic data. A congressional investigation is now underway, as fears grow that millions of Americans’ most personal and permanent data could fall into the wrong hands.
The House Committee on Energy and Commerce, led by Republican Reps. Brett Guthrie (Ky.), Gus Bilirakis (Fla.), and Gary Palmer (Ala.), has formally requested answers from 23andMe’s interim CEO Joe Selsavage. In a letter sent on April 18, they demanded a response by May 1, pressing the company to explain how it plans to protect customer information during and after its Chapter 11 bankruptcy process.
This inquiry adds to the mounting scrutiny the company faces from other federal bodies, including the House Oversight Committee and the Federal Trade Commission, both of which have raised similar alarms in recent weeks.
From Genetic Breakthrough to Financial Breakdown
23andMe shot to fame as a trailblazer in consumer DNA testing. Its affordable, mail-in kits gave people access to unprecedented insights into their ancestry, health traits, and genetic predispositions. At its peak, the company was valued at $6 billion and hailed as a biotech disruptor.
But despite early success, the company struggled to diversify its business. Its plans to expand into medical research and drug development failed to bring in consistent revenue. In March 2025, facing mounting financial challenges, 23andMe filed for Chapter 11 bankruptcy in Missouri federal court. Now, as its assets are being prepared for sale, the future of its massive genetic database is uncertain — and that’s what has lawmakers and privacy experts deeply worried.
The Deeply Personal Nature of DNA
What sets 23andMe apart from other tech or health companies is the kind of data it handles. Genetic data isn’t just another line in a spreadsheet — it’s the biological blueprint of an individual. DNA is immutable, uniquely identifiable, and carries not just personal, but familial and ancestral information.
Back in 2023, 23andMe suffered a massive data breach that affected roughly 7 million users. That incident already put the company in the crosshairs of privacy advocates. The fear now is that with its data potentially changing hands through a sale, there may be no effective guardrails in place to ensure it doesn’t fall into unsafe or unethical use.
“As there is no comprehensive federal law safeguarding consumer data in such cases, we are extremely concerned about what might happen to Americans’ most sensitive personal information,” the lawmakers wrote.
Gaps in Existing Privacy Laws
While health information held by traditional providers is typically protected under HIPAA (the Health Insurance Portability and Accountability Act), that law does not apply to companies like 23andMe, which operate outside the conventional healthcare system. That legal blind spot leaves customers vulnerable — especially during events like bankruptcies, where assets are up for sale.
Lawmakers are particularly uneasy about what could happen if the company is sold to an entity that doesn’t have the same privacy standards, or worse, seeks to exploit the genetic data for financial gain or surveillance.
23andMe Vows to Uphold Privacy Standards — But Questions Remain
The company has publicly maintained that customer privacy will not be compromised during the bankruptcy process. In a statement from March, 23andMe said any potential buyer must agree to abide by its existing privacy policy and relevant laws.
“To constitute a qualified bid, potential buyers must… agree to comply with 23andMe’s consumer privacy policy and all applicable laws with respect to the treatment of customer data,” the company stated.
23andMe also says customers can still delete their accounts and associated data. However, the lawmakers noted that some users have reported difficulties in doing so — raising further doubts about whether the company is truly maintaining transparency and control over user data.
“Regardless of whether the company changes ownership, we want to ensure that customer access and deletion requests are being honored,” the representatives wrote.
A Bigger Picture: Genetic Data in the Digital Age
The 23andMe case is not just about one company in financial trouble. It raises broader questions about the future of genetic privacy in a rapidly digitizing world. Direct-to-consumer DNA services operate in a legal gray area, yet they collect some of the most intimate data imaginable.
With millions of people having submitted their DNA to such services — often without fully understanding how their data could be stored, used, or sold — regulators are starting to take a harder look at whether current protections are enough.
The House Committee on Energy and Commerce expects a detailed response from 23andMe by May 1. Lawmakers want to know how the company intends to secure user data, honor deletion requests, and ensure any future owner follows strict privacy rules.
