Pharmaceutical giant Regeneron has promised to prioritise the “ethical use” of the sequenced DNA data of more than 15 million former customers of bankrupt DNA testing firm 23andMe, which it has agreed to acquire for $400 million ($US256m).

The fate of that data – which was collected from home saliva testing kits that customers sent for DNA sequencing and ancestry matching – has been a central concern since 23andMe filed for bankruptcy in March after a 2023 data breach compromised 6.9 million users’ data.

Protecting the security of that data was a court-mandated requirement for any buyer of the firm, and San Francisco-based Regeneron committed to protect 23andMe’s database with privacy policies, legal compliance, and “security controls… designed to protect such data.”

In 1988 Regeneron “bet [its] future on the power of DNA,” chief scientific officer George D. Yancopoulos said as the deal was announced, citing its successes in using DNA studies to develop treatments for blindness, asthma, atopic dermatitis, cancer, Ebola, and COVID-19.

The Regeneron Genetics Center has a “proven track record of safeguarding personal genetic data”, he added in promising 23andMe customers that the new owner “will apply our high standards for safety and integrity to their data and ongoing consumer genetic services.”

The deal “enables the mission of 23andMe to live on,” 23andMe board of directors’ chair Mark Jensen agreed, “while maintaining critical protections around customer privacy, choice, and consent with respect to their genetic data.”

Radars up for another data breach

The downturn in demand for DNA testing that came after the data breach – which particularly targeted users of Chinese and Ashkenazi Jewish heritage – saw the company trim 40 per cent of its staff and undertake an extensive restructuring that ultimately proved futile.

The company blamed customers for poor password security that allowed it to be compromised through a credential stuffing attack targeting users who had opted in to the company’s DNA Relatives feature, which automatically shares some data with others.

For all Regeneron’s promises, the acquisition “raises significant data privacy concerns,” privacy professional Richart Ruddie warned in his analysis of the deal, arguing that transferring 23andMe’s “highly sensitive asset… amplified several privacy risks”.

These include concerns around issues such as consent and transparency; data security during integration of the data into Regeneron’s systems; regulatory gaps due to the lack of a US federal privacy law; and the need for third-party oversight.

Regeneron, Ruddie said, should strengthen the way it gathers and maintains customer privacy consents, audit 23andMe’s cybersecurity infrastructure and adopt “industry-leading encryption and access controls”, and help customers delete their genetic data.

It should also work actively with the court-appointed Consumer Privacy Ombudsman – charged with ensuring Regeneron does the right thing by 23andMe’s data – as well as publish public compliance updates and advocate for better genetic laws.

The acquisition “presents a pivotal moment for genetic data privacy,” Ruddie said, noting that “while the deal promises advancements in genomics-driven medicine, it also underscores the fragility of consumer trust in the absence of robust privacy protections.”

Consumer trust is a fragile thing

Because genetics data isn’t covered under US HIPAA healthcare laws, privacy advocates want consistent laws to protect genetics data – which, despite 23andMe’s problems, is becoming even more common through services like MyHeritage’s new Ancient Origins testing.

The use of genetic data has long been contentious in Australia, where legal experts and genomics bodies have wrestled with the need for changes to privacy laws, rules for doctors, and even the question of whether genetic data can be treated as ‘personal information’.

Yet with the ACCC broadly supporting the need for consumers to have better visibility over the collection and management of their data, genetics companies’ ability to demonstrate trustworthiness has never been more important.

A 2023 study, for example, found that 74 per cent of Australians are uncomfortable with their personal information being shared with or sold to other companies – with 70 per cent of Australians feeling they have little or no control over how their data is disclosed.

More recently, a UBC Sauder study found that consumers are half as likely to share their data with companies if they are told the data will be monetised.

“People were shocked” when told that a company would use their money to make money, study author Dr Joy Wu said.

“The bottom line is [that] people don’t like it when others make money off their data.

“It’s as simple as that.”