23andMe hacking may have affected 6.9 million+ users–not 14,000–in massive PII breach

What was 14,000 may affect up to 6.9 million users. Genetic testing and information company 23andMe is now admitting that the October data breach that affected 0.1% of their 14 million customer base, or 14,000 users per their SEC filing last Friday, may have exposed the records and personally identifiable information (PII) of 6.9 million users, about half their customer database. In later replies to industry publications TechCrunch and WIRED, a 23andMe spokesperson admitted that hackers accessed the PII of about 5.5 million people who opted in to 23andMe’s DNA Relatives feature. Add to that an additional 1.4 million who “had their Family Tree profile information accessed”, an enhancement to DNA Relatives. The DNA Relatives breach stole individual and family names, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location. Family Tree information exposed display names, relationship labels, birth year, self-reported location, and whether the user decided to share their information.

(Editor’s note: The size of the breach is enough to revive this vintage picture of WWF/WWE wrestler Hulk Hogan in his ‘Hulkamania Running Wild’ persona.)

23andMe has attributed the massive breach to credential stuffing–the reuse of leaked login credentials from other websites and services. The multiplier is the DNA Relatives feature itself: each compromised account exposes the profiles of every relative matched to it, which is how a relatively small number of stuffed logins could yield data on millions of users. But many users have gone public with the information that their logins were unique to 23andMe. 23andMe’s credibility on this issue took a beating from none other than the US National Security Agency (NSA) cybersecurity director Rob Joyce. He wrote on his personal X account that “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” In fact, Mr. Joyce creates a unique email for each account. The cause for the wider breach may lie in data sharing with a partner, MyHeritage, in adding functionality to Family Tree. It seems clear that credential stuffing wasn’t the only technique used to break into the 23andMe user data.
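Two of the warning signs a defender could have watched for in this kind of incident are visible in ordinary authentication and access logs: one client cycling through many distinct usernames with mostly failed logins (the credential-stuffing signature, which shows up even when every password tried is unique), and a single logged-in account pulling far more relatives’ profiles than any genuine user would. The script below is an added illustration, not code from this page or from 23andMe; the log format, field names (`relatives_view`, `count`), sample lines and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth/access log lines in a hypothetical key=value format.
# Not real 23andMe data: one normal user from 198.51.100.4, and one source
# (203.0.113.7) trying eight accounts, landing one, then bulk-reading relatives.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=198.51.100.4 user=alice@example.org event=login result=ok
2023-10-01T10:00:05Z ip=198.51.100.4 user=alice@example.org event=relatives_view result=ok count=12
2023-10-01T10:01:00Z ip=203.0.113.7 user=bob@example.org event=login result=fail
2023-10-01T10:01:01Z ip=203.0.113.7 user=carol@example.org event=login result=fail
2023-10-01T10:01:02Z ip=203.0.113.7 user=dave@example.org event=login result=ok
2023-10-01T10:01:03Z ip=203.0.113.7 user=erin@example.org event=login result=fail
2023-10-01T10:01:04Z ip=203.0.113.7 user=frank@example.org event=login result=fail
2023-10-01T10:01:05Z ip=203.0.113.7 user=grace@example.org event=login result=fail
2023-10-01T10:01:06Z ip=203.0.113.7 user=heidi@example.org event=login result=fail
2023-10-01T10:01:07Z ip=203.0.113.7 user=ivan@example.org event=login result=fail
2023-10-01T10:01:10Z ip=203.0.113.7 user=dave@example.org event=relatives_view result=ok count=800
2023-10-01T10:01:20Z ip=203.0.113.7 user=dave@example.org event=relatives_view result=ok count=700
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)(?: count=(?P<count>\d+))?$"
)


def parse_log(text):
    """Parse the key=value format above into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"]) if rec["count"] else 0
        events.append(rec)
    return events


def stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that attempt logins for many distinct accounts with a high failure rate.

    Returns {ip: stats} for sources that exceed both thresholds (thresholds are assumptions;
    tune them to the site's real traffic)."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for e in events:
        if e["event"] != "login":
            continue
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] != "ok":
            s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "fail_ratio": round(ratio, 3),
            }
    return flagged


def excessive_relative_reads(events, max_profiles=100):
    """Flag accounts whose successful relatives-profile reads exceed a per-account budget.

    Enforcing such a budget server-side caps the blast radius of any one compromised login."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "relatives_view" and e["result"] == "ok":
            totals[e["user"]] += e["count"]
    return {user: n for user, n in totals.items() if n > max_profiles}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential-stuffing sources:", stuffing_sources(evs))
    print("accounts over relatives read budget:", excessive_relative_reads(evs))
```

On the constructed sample, the first check flags 203.0.113.7 (eight accounts tried, seven failures) and the second flags the one account it landed, which read 1,500 relatives’ profiles; the normal user trips neither. Both checks are cheap enough to run continuously, and the second one is the control that would have mattered most here, since it limits what a stuffed account can take regardless of how the password was obtained.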

23andMe, as well as Ancestry.com and MyHeritage, now require or strongly recommend two-factor authentication for access to personal accounts. About time. They have also changed terms of service to “encourage a prompt resolution of any disputes”.

What is distressing is that the hacks on the retail side of 23andMe are only the tip of the iceberg–that the really valuable part of their genetic data goes to pharmaceutical companies. Cyberthieves know that mother lode is incredibly valuable to bad actors like the Chinese and the Chinese Communist Party, both key markets for stolen health data. (Developing)

Serious swerving indeed: 23andMe buys Lemonaid Health for $400 million

From genomic testing to telehealth and prescription delivery is quite a swerve. Or a pivot, as they say. 23andMe, the richly financed (via a February SPAC with Virgin Group) and valued ($4.8 billion market cap) DNA tester, originally marketed to trace ancestry and analyze for health information, announced the acquisition of Lemonaid Health, a telehealth company that markets its quick diagnosis of conditions such as mental health, erectile dysfunction, thyroid, and sinus infections with fast delivery of medications. It’s quite a changeup for 23andMe, at least on the surface.

But, as this Editor opined as far back as 2018 in advocating a Genomic Bill of Rights and revisited in 2020, consumer genetic testing for the above as a model was finito just before the pandemic started. (When was the last time you saw a formerly lederhosen-clad actor trumpeting their new kilt or imagining their connection to famous dead people?) There were plenty of questions about the ethics of consumer-driven genomic testing as practiced by 23andMe and Ancestry.com. Consumers found it difficult to opt-out of how their genomic data was being used commercially, and understanding if it was being protected, as it likely was not.

The real gold for 23andMe is, of course, selling all that data to pharmaceutical companies. So in that context, Lemonaid, as really a marketer of meds, is not the stretch that it seems on the surface. But, there’s more. For 23andMe, which has consistently covered its cake of business aims in a thick and sticky icing of customer-focused mission, from their blog and signed by CEO Anne Wojcicki: “We are acquiring Lemonaid Health so that we can bring true personalized healthcare to 23andMe customers. Personalized healthcare means healthcare that is based on the combination of your genes, your environment, and your lifestyle — with recommendations and plans that are specific to you.” Meanwhile, Lemonaid, widely advertised online and on TV with quick telehealth consults, brings in the cash.

The transaction was announced at $400 million in a cash and stock deal, with 25% of the total deal value in cash and the rest in shares. Paul Johnson, CEO and co-founder of Lemonaid Health, will become the General Manager of the 23andMe consumer business and will continue to run Lemonaid Health. Ian Van Every, Managing Director, UK and also a co-founder, will manage and grow UK operations. According to Crunchbase, total investment in Lemonaid was a relatively small $57.5 million in five rounds since 2015, up to a Series B. Release. Reuters

23andMe will go the SPAC route with Virgin Group in a $3.5 bn valuation

Have we reached a peak? 23andMe, the genomic testing and genome research company, has struck gold, oil, and platinum in a merger with ‘blank check’ SPAC (special purpose acquisition company) VG Acquisition Corp. VG was formed by Richard Branson’s Virgin Group for the purposes of the acquisition. By end of Q2, the company will be trading on the NYSE under the ticker symbol ME. The company’s valuation is estimated as $3.5 bn.

23andMe’s SPAC follows on December’s $85 million Series F round, bringing their total funding pre-SPAC to about $900 million. The transaction will result in 23andMe having around $984 million in cash to invest. The deal also includes the private investment in public equity (PIPE) transaction in which Richard Branson and 23andMe founder/CEO Anne Wojcicki will invest $25 million each. There is no disclosure of the status of GSK’s ongoing investment in 23andMe, reportedly 50 percent, and Sequoia Capital’s. 

For 23andMe, this is a massive turnaround–and exit from stagnant private ownership–from their precarious state one year ago, which required layoffs of 14 percent of their staff, about 100 people. While the direct-to-consumer testing for diseases and ancestry model fell apart after holiday 2019 (TTA examined why here), the gold in genomics is monetizing that data with large drug and clinical trial companies for drug discovery and therapies. With GSK, they began clinical trials of a cancer drug last year, as well as licensing its first drug candidate to Spanish dermatology drugmaker Almirall. 

Going public via a SPAC and with a PIPE is definitely a one-up on rival Ancestry.com. Last August, they sold 75 percent of the company to Blackstone Group for $4.7 bn. TechCrunch, Becker’s Health IT, Financial Times

Soapbox: Big Genomics and DNA testing–why we need a Genomic Data Bill of Rights

This week, consumer genomics testing company 23andMe announced that outside app developers would no longer have access to raw genomic data, as they have had since 2012. They will continue to have access to data through reports generated by the company. 23andMe cited privacy concerns–wisely, in this Editor’s opinion, to safeguard this burgeoning area of digital health. Seeking Alpha

TimiHealth is an affected firm that seeks to move customer data, with consent, to an allegedly more secure blockchain platform, TimiDNA, citing 23andMe’s monetization of their data and 23andMe’s participation as a developer in a recent meeting of CMS’ Blue Button initiative. Blasting away, TimiHealth stated that “It flies in the face of the mission of CMS, and the MyHealthEData initiative and the goal of putting patients first.” Release

However, the consumer marketing of DNA testers such as 23andMe, Ancestry.com, and smaller competitor Helix, has already led to multiple privacy questions on how the data of millions are being used and sold. 

This Editor would feel safe in assuming that most customers do not know nor particularly care that GlaxoSmithKline (GSK) as of July owns 50 percent of 23andMe via a $300 million investment. Both have announced a four-year partnership to use the 23andMe genetic database for drug research. For instance, the LRRK2 gene has been linked to some forms of Parkinson’s disease. GSK needs about 100 patients for a single trial sample, but 23andMe has already provided 250 Parkinson’s patients who have agreed to be re-contacted for GlaxoSmithKline’s clinical trials. Scientific American

While most data is de-identified, you can agree to be contacted for further use in clinical trials, which is fine–but most users do not know how to opt out. It’s a surprisingly tricky process, as outlined in this useful Business Insider article, and you may not be able to withdraw all your data or have your saliva sample destroyed.

Data can be hacked and reprocessed. Three years ago, TTA explored reports on exactly how de-identified genomic data could be made identifiable through the ‘nefarious use’ of genomic data sets available through research networks [TTA 31 Oct 15].

Despite the trite, simplistic, and condescending commercials by Ancestry.com on how someone found they had ethnic or national roots they never dreamed of, or were related to royalty, both giving meaning to their presumably mundane life, genetic info has value beyond the feel-good. It’s long past time for a plain language Genomic Data Bill of Rights.

  • Individuals should know how their personal genomic data is being used and how it is being protected
  • They should be able to opt out of use, identified and de-identified, easily–and not have to jump through hoops
  • Reporting/interpretation should also have integrity, consideration, and respect that it may upset a person or that it may not be interpreted correctly, which is a fundamental problem 
  • A more radical view is that the same individuals should be compensated when their data is used

This Editor will settle for the first two bullets, for now.