What 23andMe business troubles could mean for millions of users' genetic data

The company is laying off 40% of its workforce.

The financial struggles of genetic testing and ancestry company 23andMe are raising questions about the security of customers' DNA and other data.

The company announced Monday that it would lay off around 40% of its workforce -- about 200 employees -- and close its drug development arm in an attempt to cut costs.

On Tuesday, 23andMe released its latest earnings report, showing revenue dipped 12% in the last quarter and share prices fell.

The company has faced additional struggles over the past several months, including the resignations in September of the seven independent directors of the board.

Since its founding in 2006, 23andMe has sold more than 12 million of its DNA kits, which use a saliva sample to extract DNA that is then analyzed, according to the company's website.

Here are four questions answered about 23andMe and users' data.

1. What has 23andMe said about customers' genetic data amid its struggles?

A 23andMe spokesperson told ABC News the company is "committed to protecting customer data."

"We have strong customer privacy protections in place. 23andMe does not share customer data with third parties without customers’ consent, and our Research program is opt-in, requiring customers to go through a separate, informed consent process before joining. Further, 23andMe Research is overseen by an outside Institutional Review Board, ensuring we meet the high ethical standards for the research we conduct. Roughly 80% of 23andMe customers consent to participate in our research program, which has generated more than 270 peer reviewed publications uncovering hundreds of new genetic insights into disease," the spokesperson said in a statement Wednesday.

"In addition to our own strict privacy and security protocols, 23andMe is subject to state and federal consumer privacy and genetic privacy laws that, while similar to HIPAA, offer a more appropriate framework to protect our data than privacy and security program requirements in HIPAA. Although state privacy law protections apply to residents of certain states, 23andMe took the opportunity to make improvements for all 23andMe customers globally," the spokesperson added. "We believe we have a transparent model for the data we handle, rather than the HIPAA model employed by the traditional health care industry that allows broad exemptions and often unrestricted use and disclosure of protected health information (PHI) when used for treatment, payment and operations purposes, and where consent, opt-out and opt-in concepts are generally not imposed."

The spokesperson continued, "We are committed to protecting customer data and are consistently focused on maintaining the privacy of our customers. That will not change."

The company states on its website that it does not sell or share customers' personal information with third parties without the customer's consent, that it does not voluntarily share data with law enforcement, and that participation in its research program is opt-in.

2. Is the genetic data collected by 23andMe protected in the same way as health records?

No. 23andMe is considered a direct-to-consumer genetic testing company, and transactions with the company are considered commercial, not medical.

Because 23andMe is not a HIPAA "covered entity" (a health care provider, health plan or clearinghouse), the genetic and personal information it holds falls outside the HIPAA Privacy Rule, which protects health records held by those entities. What applies instead is general consumer-protection law and the state genetic privacy laws the company refers to above, whose protections vary by state.

3. Has 23andMe had data breaches before?

In 2023, the company experienced a massive security breach that exposed the data of nearly 7 million users. 23andMe later attributed the intrusion to credential stuffing: attackers logged in to roughly 14,000 individual accounts using usernames and passwords reused from breaches of other websites, rather than by breaking into the company's systems directly.

23andMe said at the time that customer profile information shared through the company's DNA Relatives feature had been accessed without authorization. Because that feature shows each user the profiles of their genetic matches, access to a comparatively small number of compromised accounts exposed the profile data of millions of other users who had opted in to it.

The company agreed in October to pay a $30 million cash settlement in a class-action lawsuit stemming from the data breach, according to The Associated Press.

Following the breach, the company also said it required every customer to reset their password and began requiring all customers to use two-step verification for login.

4. Is there anything consumers can do?

As a general rule, consumers who have shared their DNA with any direct-to-consumer genetic testing company should pay attention to the company over the years, as companies have the right to change their privacy policies and business practices.

Companies, 23andMe included, also have a responsibility to notify consumers of changes and get "consumers' affirmative express consent for any new uses of their data," according to the Federal Trade Commission, the government agency that conducts oversight of direct-to-consumer genetic testing companies.

Editor's note: This report has been updated with a statement from 23andMe.