If you’ve ever submitted your DNA to 23andMe, now is the time to act. The company has filed for bankruptcy, and buried deep in their user agreement is a disturbing clause: they can sell your genetic data to whoever offers the highest bid. And that’s not a hypothetical—at one point, a major pharmaceutical company was the highest bidder for millions of profiles. Your DNA, including markers for disease risk, ancestry, and physical traits, could soon belong to corporations, insurers, or even foreign governments—all without your explicit consent.

Here’s the problem: HIPAA doesn’t apply. Genetic testing companies like 23andMe aren’t bound by the same privacy protections as your doctor’s office. That means your most intimate biological data—your blueprint—can be sold off with fewer restrictions than your medical records from a routine check-up. Imagine a world where insurers hike your rates based on a gene you didn’t know you had. Or a world where governments use inherited markers to surveil or discriminate. That world is a lot closer than you think.

But you still have a window to protect yourself. The good news? You can download your data and delete your account before it changes hands. This includes requesting that your physical DNA sample be destroyed. Here is a step-by-step guide:

To completely delete your data:

1. Log into your 23andMe account and navigate to “Settings.”
2. Scroll down to the bottom to “23andMe Data” and click “View.”
3. Scroll down to the bottom of this page and add your birthdate. Click “Delete Your Data.” You will then be taken to another page where you will choose “Permanently Delete Data.” This begins the irreversible process of removing all your genetic information from 23andMe’s systems.
4. You should receive a message stating that 23andMe received your deletion request, but you need to confirm it by clicking a verification link sent to your email address. This two-step process is designed to prevent accidental deletions.
5. Access the email titled “23andMe Delete Account Request.” Click the “Permanently Delete All Records” button at the bottom of the email. You will be taken to a confirmation page that states “Your data is being deleted.”
6. After completing these steps, you should receive a final confirmation email from 23andMe acknowledging that your data deletion request has been processed. Keep this email as documentation of your deletion request.
7. If you don’t receive confirmation within a reasonable timeframe (typically 30 days), contact 23andMe customer service directly to ensure your deletion request was properly processed.

The implications of this go far beyond 23andMe. This moment is a wake-up call for every person who’s handed over their DNA to a private company. Even if you didn’t, a close relative might have—and your genetic data overlaps with theirs. Once it’s out there, it’s nearly impossible to reclaim.

The 23andMe bankruptcy shows us how vulnerable we really are when it comes to genetic privacy. So take control while you still can. Download your data. Delete your account. And demand that companies treat your DNA with the same respect as your identity—because that’s exactly what it is.

Concerned about how your team is handling security threats like this—and the dozens more we face every day? Let’s start the conversation. Reach out at [email protected].