The Data Dilemma: What 23andMe’s Bankruptcy Means for the Future of Medical Data Ownership

Medical Data as an Asset: A Legal Grey Zone

Unlike traditional bankruptcy cases where assets are clearly defined—real estate, trademarks, patents—the status of personal health data remains legally ambiguous. In most jurisdictions, HIPAA protects health information under privacy law, but it doesn’t directly address whether such data can be monetized or transferred during corporate liquidation.

Courts have grappled with related questions in past cases:

• In re Borders Group, Inc. (2011): Borders sought to sell its customer database during bankruptcy, but the court restricted the sale of personal information, citing the company’s privacy policy and consumer expectations.
• FTC v. Toysmart.com (2000): Toysmart tried to sell customer data after filing for bankruptcy, but the FTC intervened, arguing that doing so would violate the company’s published privacy commitments.

These cases suggest that a company’s own privacy policy plays a pivotal role in whether personal data can be sold. 23andMe’s terms of service state that genetic information is stored, may be shared for research, and may be transferred in the event of a merger or acquisition—but a bankruptcy scenario pushes the legal framework into murky waters.

The Commodification of Health Data

Data—especially medical data—is now one of the most valuable assets a tech company can hold. In 23andMe’s case, the company has already partnered with pharmaceutical firms like GlaxoSmithKline (GSK) to monetize its database for drug discovery and population-level research.

But what happens if a third-party buyer in bankruptcy court wants access to that data not for research—but for advertising, insurance underwriting, or AI model training? The lack of clear federal precedent leaves this possibility dangerously open.

The case could prompt courts to determine, for the first time, whether genetic and health data:

• Can be treated as a monetizable corporate asset
• Must be protected under public health or privacy laws
• Or occupies a unique legal category requiring new legislation

Implications for the Average Consumer

The fallout from a 23andMe bankruptcy could impact millions who submitted DNA samples under the assumption of long-term confidentiality. Even if data is anonymized or encrypted, re-identification risks remain—especially with the growing power of AI and genomic computing.

Consumers are now confronting a sobering reality: Your DNA may outlive your consent. And unless new legal protections are established, your data could be transferred without your approval.

This isn’t just a 23andMe issue. It sets the stage for how similar platforms—whether for fitness, mental health, or chronic disease monitoring—might treat user data in future financial crises.

Policy Recommendations and the Legal Future

Policymakers must act quickly to define the legal status of genetic and medical data in bankruptcy law. Potential interventions could include:

• Amending HIPAA to address bankruptcy and liquidation scenarios
• Requiring companies to segregate personal data from monetizable assets
• Mandating data destruction or re-consent before third-party transfer
• Creating an independent data stewardship authority to oversee sensitive transactions

Ultimately, a new legal category for biometric and medical data assets may be required—one that recognizes their dual nature as both scientifically valuable and personally sacred.

Final Thoughts

The collapse of 23andMe would be more than a corporate failure. It would be a reckoning for the digital health economy, forcing regulators, courts, and consumers to decide: Is your DNA just data—or something more?

We’ve reached a turning point. In a world where personal data is the new oil, we must decide how—and whether—to protect what is arguably the most personal data of all: our biology.