When the Company Dies, the DNA Doesn’t
What happened: California’s attorney general is suing 23andMe’s new owners over the 2023 breach that exposed customers’ genetic data. The lawsuit transferred to the buyers along with the company.
What’s really going on: When 23andMe changed hands, the new owners didn’t just buy a brand and a customer list — they bought a liability that can’t be deleted, attached to data that can’t be re-secured. The breach already happened; the genome is already out. What the sale actually moved was the question of who pays for it, and the answer is now “whoever holds the asset,” not “whoever caused the harm.” That severs the link people assumed existed: that the company you trusted with your DNA would be the one accountable for losing it. Genetic data turns out to be the one consumer record where the harm compounds forever — you can reissue a credit card, you cannot reissue a genome — and it travels with whoever owns the database next.
Why most people are missing this: They think a breach is an event a company recovers from. For genetic data, it’s a permanent condition that gets re-inherited every time the company is bought, sold, or liquidated.
The Take: Once you’ve sequenced yourself into a private database, you don’t have customers anymore — you have hostages, and the ransom note gets forwarded to each new owner.
Why it matters: Every genetics, health, and biometric company now carries a liability that survives bankruptcy and follows the data through acquisition. Expect that risk to start pricing the deals — and to make distressed biodata firms either radioactive or cheap enough that someone buys the lawsuit just to get the genomes.
What This Signals
Genetic and biometric databases will be valued and litigated like environmental liabilities — toxic assets someone owns whether they want to or not, with cleanup costs that never reach zero.
Regulators will increasingly chase the current owner instead of the original collector, which makes the safest move for a buyer destroying records they may not be legally allowed to destroy — and that standoff becomes the next fight.
The phrase “delete my data” is being exposed as a promise no company can keep through bankruptcy, pushing the real question upstream: whether this data should have been collected and centralized at all.
Quick Byte
When a US company liquidates, customer data is treated as a saleable asset in bankruptcy unless its own privacy policy explicitly forbids it — a carve-out most policies never included. The genome ends up governed by the same paragraph as the office furniture.
THREAD
Your DNA didn’t get breached once in 2023. It gets re-breached every time the company holding it is bought or sold — because the data transfers, and so does the lawsuit.
23andMe’s new owners inherited a customer database and a state attorney general in the same transaction. That’s the real product of a genetics company: a permanent liability with a customer list attached.
If a company can’t delete your genome through bankruptcy, what exactly were you agreeing to when you clicked “delete my account”?
POST: A genetics company is not a service that protects your DNA. It’s a database that owns it — and ownership transfers. When 23andMe changed hands, the breach, the data, and the lawsuit all moved together to people you never trusted with any of it. That’s not one company’s failure. That’s what handing your genome to a private balance sheet actually means.
TAKE: There is no such thing as deleting your DNA from a company that can be sold. The moment you sequenced yourself into a private database, you made a permanent decision on behalf of every relative who shares your genes and never agreed to any of it.