Biotech Co. Plans to Comply with 23andMe’s Current Policies, But What Comes Next?

Biotechnology firm Regeneron Pharmaceuticals intends to purchase most assets of bankrupt genetics testing firm 23andMe for $256 million, pending approval from regulators and the bankruptcy court. The company promised to comply with 23andMe’s consumer privacy policies and share its plans for the use, privacy and security of DNA data belonging to millions of people.
23andMe Holding Co. in its March bankruptcy filing in a Missouri federal court said it had $277.42 million in assets and $214.7 million in debts. Before its bankruptcy filing, 23andMe claimed on its website to have 15 million customers worldwide.
Tarrytown, N.Y.-based Regeneron said that, as the winning bidder in the bankruptcy auction for California-based 23andMe, it plans to acquire 23andMe’s Personal Genome Service, Total Health and Research Services business lines, its Biobank and associated assets, and to continue all consumer genome services uninterrupted.
23andMe’s telehealth business, Lemonaid Health, is not part of the deal and that subsidiary will “wind down in an orderly manner, subject to and in accordance with the agreement,” 23andMe said in its statement about the deal.
The transaction is expected to close in the third quarter of 2025, subject to court and regulatory approvals and other customary closing conditions, Regeneron said.
Regeneron “intends to ensure compliance with 23andMe’s consumer privacy policies and applicable laws with respect to the treatment of customer data,” the company said.
“Regeneron is prepared to detail the intended use of customer data and the privacy programs and security controls in place for review by a court-appointed, independent customer privacy ombudsman and other interested parties,” the company said.
Earlier this month, the U.S. Trustee Office handling the 23andMe bankruptcy appointed Neil Richards, a law professor at the Washington University School of Law, as the independent consumer privacy ombudsman, or CPO, for the case.
23andMe said that as part of the court-supervised sale of the company’s assets, 23andMe required all bidders to guarantee that they will comply with the company’s privacy policies and applicable law.
“While the transaction aligns with 23andMe’s privacy statement, the court-appointed CPO will also conduct an examination of the transaction and the impact, if any, on consumers’ privacy if the transaction is approved, taking into account the privacy and security program of the proposed acquirer, and present a report to the court by June 10,” 23andMe said.
As for Regeneron, the company has “a proven track record of safeguarding personal genetic data, and we assure 23andMe customers that we will apply our high standards for safety and integrity to their data and ongoing consumer genetic services,” Dr. George Yancopoulos, co-founder, board co-chair, president and chief scientific officer of Regeneron, said in a statement.
Regeneron, a company started more than 30 years ago, has long tapped “the power of DNA” for drug discovery efforts, including treatments to prevent blindness, for allergic diseases ranging from asthma to atopic dermatitis, for several forms of cancer, as well as for Ebola and COVID-19, the company said.
23andMe will be operated as a wholly owned direct or indirect subsidiary of Regeneron and continue operations as a personal genomics service, Regeneron said.
Regeneron Statement
A Regeneron spokesperson in a statement to Information Security Media Group said the objectives for the acquisition “are to help 23andMe deliver and build upon its mission to help those interested in learning about their own DNA and how to improve their personal health, while furthering Regeneron’s efforts to use large-scale genetics research to improve the way society treats and prevents illness overall.”
Regeneron will provide further details on its plans for customer data use and data privacy and security protocols as part of the ongoing 23andMe bankruptcy court proceeding, the spokesperson said. “More information will thus be available as we approach and complete deal closing, anticipated to be in the third quarter of this year,” she said.
“What I can share at this point is some information about how we currently use genetic data in our drug development efforts,” she said.
The company’s Regeneron Genetics Center, founded 12 years ago, has formed collaborations with more than 150 healthcare and research institutions around the globe, she said.
“Through these collaborations, we access and sequence DNA from nearly 3 million consented volunteers for large-scale genetics research. Much of this data is also linked to de-identified health records,” she said.
“By pairing genomic and phenotypic data, we find insights that can lead to the identification of new drug targets, improved clinical trial designs and basic findings about the biological causes/deterrents of disease,” she said. “We use this information to inform our drug development programs, as well as publish findings that progress broader scientific and medical knowledge.”
Regeneron customers retain control over their personal data, and mechanisms for deleting 23andMe data will remain in place after deal closing as per current practice and as required by various jurisdictions, she said.
Privacy Worries
23andMe’s bankruptcy filing in March sparked a flurry of privacy warnings from state regulators who advised consumers to consider deleting their data from the company due to the uncertainty of who might acquire the troves of genetic and ancestry data, and how that data might be used (see: 23andMe Bankruptcy: What Does it Mean for Data Privacy?).
Many of those regulators, as well as 23andMe itself, provided consumers detailed instructions on how individuals can delete their data from the company’s systems. 23andMe did not immediately respond to ISMG’s request for information about the number of consumers that have deleted their data since the company’s bankruptcy filing.
Regulatory attorney Andrew Crawford of the nonpartisan, nonprofit advocacy group Center for Democracy and Technology said the purchase of 23andMe by Regeneron raises some potential privacy concerns, despite the companies’ pledges.
“While it is good to hear Regeneron publicly commit to keeping 23andMe’s consumer privacy policies, that’s no guarantee that Regeneron won’t change those terms in the future,” he said.
“Regeneron plans to use 23andMe’s customer data for the development of new drugs and treatments,” he said. “I doubt most 23andMe customers signed up for that service to help drug makers. They wanted to learn about themselves,” he said.
“Unfortunately, it is still up to each 23andMe user to make sure they are comfortable with Regeneron’s practices and data uses,” he said.
Meanwhile, Crawford said he’s eager to see Regeneron’s intended uses and detailed privacy and security protocols. “For example, what types of consumer data will they collect and retain? How closely do Regeneron’s data and privacy practices align with existing 23andMe practices?” he said.
“It is promising that Neil Richards, a well-known privacy scholar, was put in place as the customer privacy ombudsman,” Crawford said about the Office of the U.S. Trustee’s naming Richards to that position for the 23andMe bankruptcy case in May.
“While it is a small relief that the purchaser is not a large data broker or an advertiser, there are still many questions I have about how Regeneron will use and potentially share 23andMe’s customer data,” Crawford said.
That includes the advantage, if any, that 23andMe customers receive from Regeneron now having some of their most sensitive information, he said.
“Will those customers be able to access and delete their data once Regeneron has control of it? Does Regeneron have current or future plans to share 23andMe customer data with other third parties? Will Regeneron place any limits around the internal access and use, to help avoid data breaches or unauthorized access/disclosure of people’s most sensitive data?” he said. These are all unanswered questions for now, he said.
“Folks signed up for 23andMe to learn about themselves and their families, not to enrich drug manufacturers,” he said. “23andMe’s data is valuable and any buyer in a bankruptcy proceeding was likely looking for a way to monetize this trove of very sensitive consumer data.”
The sale of 23andMe’s consumer information to Regeneron “should be of comfort because the outcome could have been far more worrisome,” said privacy attorney David Holtzman, retired founder of consultancy HITprivacy LLC.
“The Trump administration’s Consumer Financial Protection Bureau recently ditched plans for new rules designed to limit the ability of U.S. data brokers to sell sensitive information about Americans, including the health profiles of consumers that could be derived from DNA,” he said. “Had a data broker purchased 23andMe’s DNA data files, consumers risked seeing their data used in ways that were not anticipated or agreed upon when originally submitted for the purposes of learning about genetics and ancestry.”
Prior Hack
As for 23andMe, the company has had its own data privacy and security challenges in the past.
In October 2023, the company confirmed a credential-stuffing incident involving information scraped off the profiles of 23andMe users who opted in to using the company’s DNA Relatives feature. DNA Relatives connects 23andMe users with distant genetic relatives – or other 23andMe users who share bits of DNA (see: 23andMe Investigation Apparent Credential-Stuffing Hack).
The company at the time said the intruder was able to access about 14,000 user accounts, less than 1% of the company’s then-existing 14 million 23andMe customers. But threat actors claimed on the dark web to have stolen “20 million pieces of code” from 23andMe.
According to media reports, the leaked data that was put up for sale pertained to 23andMe users with certain DNA ancestry backgrounds, including 1 million lines of code about people with Ashkenazi Jewish DNA ancestry (see: 23andMe Says Hackers Stole Ancestry Data of 6.9M Users).