US lawmakers sound alarm over genetic data vulnerabilities in 23andMe bankruptcy case


A House Committee on Oversight and Government Reform hearing this week marked a critical juncture in the national conversation about the intersection of biotechnology, privacy, and national security.

The hearing was prompted by the impending bankruptcy sale of the commercial genetic testing company 23andMe, and marks a critical turning point in how the U.S. confronts the implications of biometric data, AI, and corporate accountability in the digital age.

Whether through legislation, regulation, or public pressure, the message from lawmakers was unmistakable: Americans’ most intimate information cannot be auctioned off without consequence. The future of national security may very well depend on how we protect our genes.

Further muddying the waters, twenty-seven states and the District of Columbia sued 23andMe in U.S. Bankruptcy Court in the Eastern District of Missouri, arguing that 23andMe must have permission from every customer before their genetic data is sold off to the highest bidder.

The hearing on Capitol Hill Tuesday was convened amid growing public anxiety over the fate of one of the nation’s largest and most sensitive troves of personal DNA data. With over 15 million customers worldwide, 23andMe’s genetic database represents not only a revolutionary advancement in consumer health, but also a potential national vulnerability that’s been made even more precarious by the company’s bankruptcy proceedings.

Committee Chairman James Comer opened the hearing by saying the future ownership of 23andMe’s data assets is not merely a matter of commerce or restructuring but a matter of national security. Comer outlined the urgent need to ensure that sensitive genetic information, much of it voluntarily contributed by American citizens, does not fall into the hands of foreign adversaries or entities that might exploit it for unethical or illegal purposes.

“To whoever ends up controlling the company, there are serious concerns about what will happen to this private information,” Comer said. “How will it be stored? What could it be used for? Could it end up in the hands of a foreign adversary, through direct investment or indirectly through future partnerships?”

Comer referenced past concerns stemming from 23andMe’s previous relationship with WuXi Healthcare Ventures, an investment arm linked to the Chinese biotechnology conglomerate WuXi AppTec, which itself has been associated with the Chinese Communist Party (CCP) and the People’s Liberation Army (PLA). Although 23andMe has since severed ties with that firm, the memory of that partnership has cast a long shadow over the current auction process.

A WuXi AppTec spokesperson told Biometric Update, “WuXi Healthcare Ventures is not and has never been a corporate venture arm of WuXi AppTec. WuXi AppTec was a limited partner in the WuXi Healthcare Ventures II fund, which held a less than 1% stake in 23andMe between 2015 and 2023. Like other limited partners, WuXi AppTec did not manage the fund or have authority to act on its behalf. WuXi AppTec is not part of, controlled by, or affiliated with the Chinese government, Chinese Communist Party or People’s Liberation Army.”

23andMe’s relationship with WuXi Healthcare Ventures dates back to a 2015 funding round in which the Chinese venture capital firm participated as one of several investors. That round raised approximately $115 million and valued 23andMe at $1.1 billion.

WuXi AppTec provides contract research, manufacturing, and testing services to pharmaceutical, biotech, and medical device companies, and plays a significant role in China’s state-supported push to become a global leader in life sciences and biotechnology. 23andMe has since publicly stated that the partnership with WuXi was terminated, and that the company has not conducted research in China, shared data with Chinese firms, or stored data outside of the United States.

Anne Wojcicki, co-founder and former CEO of 23andMe, reiterated during the hearing that all customer data remains stored domestically and that the company has never collaborated with Chinese companies on research or data access. “I want to be very clear, we have never conducted research in China or with Chinese companies,” she told the committee. “We have never provided any customer data to China. All data was stored in the United States. I have long advocated for heightened awareness of China’s ambitions in this space, and I am encouraged to see this issue finally receiving the national attention it deserves.”

Despite the severed relationship, the past involvement of WuXi Healthcare Ventures continues to draw scrutiny, especially given China’s strategic ambition to dominate genomics by 2035 and its track record of using genetic data for surveillance, including the mass collection and analysis of DNA from ethnic minorities like the Uyghur population. The 2015 investment serves as a case study in how early venture ties, even if dissolved, can invite lasting questions about data security, foreign influence, and the geopolitical stakes of the U.S. biotechnology sector.

The core concern addressed throughout the hearing is the possibility that foreign adversaries could indirectly obtain access to American genetic data, whether through direct acquisition, proxy investment, or subsequent partnerships. Genetic data is not just intimate; it is immutable and relational. Indeed, a single individual’s genome contains information that implicates their entire family tree. And in an era marked by increasing geopolitical competition, lawmakers and national security experts alike view the potential misuse of this data as a direct threat to U.S. interests.

The 23andMe lawsuit filed this week says “this data is exclusively personal and unique, representing [each] customer’s identity and no other human being. In addition, this exclusively personal data carries with it significant, sensitive information about others who share DNA and/or familial relationships. For example, this data can be used to identify and track those who are related to the 23andMe consumer – including future generations yet unborn. In other words, the magnitude of the data in this proposed sale stretches far beyond the 23andMe consumers, impacting those who have no awareness of the sale as well as humans who do not even exist yet.”

Interim 23andMe CEO Joseph Selsavage appeared before the committee to defend the company’s handling of the bankruptcy process and to reassure lawmakers that 23andMe has taken deliberate and transparent steps to protect customer data. He explained that the company, which voluntarily filed for Chapter 11 protection in March, has instituted safeguards to ensure that any new owner must comply with its existing privacy policies and relevant laws.

“At a time when science and technology are evolving faster than policy and public understanding, it is essential that companies like ours lead with accountability,” Selsavage told the committee, adding that “safeguarding the principles of ethics, privacy, and security … must guide innovation in the 21st century.”

Furthermore, he said the company requested the appointment of an independent consumer privacy ombudsman, a step he said is designed to add a layer of accountability to the evaluation of any proposed sale. Selsavage made clear that bids would not be accepted from companies based in or funded by countries of concern, including China, Iran, North Korea, and Russia.

The final stages of the sale process have been narrowed to two bidders: Regeneron Pharmaceuticals, a major U.S.-based biotech firm, and the nonprofit TTAM Research Institute, founded by Wojcicki. Both entities are domestic, but concerns remain about how either might use, retain, or monetize the genetic data at the core of the deal.

“Regeneron Pharmaceutical, Inc. entered into an asset purchase agreement to acquire 23andMe on May 19, 2025. The concerns surrounding the security of Americans’ genetic data are still outstanding as it is currently unknown what will happen to the data acquired from 23andMe,” the committee hearing announcement stated.

Wojcicki told the committee that her resignation as CEO was a deliberate step taken to avoid conflicts of interest during the auction process. She made it clear that if her nonprofit succeeds in acquiring 23andMe’s assets, her intent is to preserve the company’s foundational mission, which she said is empowering individuals with control over their own health data and democratizing access to genetic insights.

Despite these assurances, legal experts and national security scholars remain deeply skeptical. Margaret Hu, the Davison M. Douglas Professor of Law and Director of the Digital Democracy Lab at William & Mary Law School, provided some of the hearing’s most sobering commentary. She described the sale of 23andMe’s genetic database as a potential inflection point in how the United States views biometric data governance in the age of artificial intelligence.

“As this committee recognizes, the collection, storage, and analyses of sensitive genetic information, and its disclosure, can pose a range of national security concerns and risks,” Hu told lawmakers, noting that “the bankruptcy proceedings of 23andMe demonstrates why these matters are so consequential, especially in the Age of Artificial Intelligence and the future of AI warfare.”

Hu, who previously was a Department of Justice Civil Rights Division attorney, argued that America’s lack of comprehensive federal data privacy legislation leaves open dangerous gaps that adversaries could exploit. The risk, she said, is not merely theoretical.

Following a 2023 data breach that exposed the personal profiles of nearly seven million 23andMe users, including many of Jewish and Chinese descent, concerns about the vulnerability of genetic data intensified. Although the breach stemmed from credential stuffing rather than a systemic failure within 23andMe’s own infrastructure, it laid bare the reality that no database, no matter how carefully managed, is impenetrable.

“The topic of genetic data privacy, unfolding within the context of the bankruptcy proceedings of 23andMe, is simultaneously unfolding within the context of a larger crisis: inadequate federal data privacy and cybersecurity safeguards generally, and inadequate federal laws to address the challenges of the AI revolution,” Hu said. “The 23andMe bankruptcy filing is a wakeup call that our current legal inadequacy amounts to instability in our national security.”

Hu urged Congress to act decisively to establish legal frameworks that mirror those governing aviation, energy, and telecommunications. She suggested that a new federal regulatory body could be tasked with overseeing the commercial use of genetic data, evaluating cross-border data transfers, and managing national security risks posed by biometric information. In her view, the absence of such oversight represents a critical weakness in the nation’s digital defense infrastructure.

Beyond the policy and legal dimensions, the hearing also delved into the broader ethical questions surrounding the commercialization of genetic data. Wojcicki and Selsavage both argued that 23andMe has maintained a customer-centric model that places individual consent at the core of its operations. Customers opt in to research participation and retain the ability to delete their data, and all personally identifiable information is segregated from genomic records.

Still, several committee members questioned whether these promises would remain binding under new ownership, particularly in the absence of enforceable federal statutes. As one lawmaker noted, what begins as a noble model for personalized health could quickly evolve into a data goldmine exploited for pharmaceutical development, insurance underwriting, or even geopolitical leverage.

The hearing also surfaced fears of a new kind of arms race – one not fought with missiles or tanks, but with gene sequencing machines and biometric profiling algorithms. China’s aggressive investment in genomic infrastructure, including its National DNA Database and the global reach of the Beijing Genome Institute, has raised alarms across the U.S. intelligence and policy communities.

Wojcicki affirmed that 23andMe has never conducted research in China or partnered with Chinese companies, but her acknowledgment of the CCP’s ambition to dominate the field of biotechnology by 2035 added weight to lawmakers’ concerns. For some, the most chilling possibility raised during the hearing was not misuse by private companies, but state-level weaponization of genetic information. Biometric data, especially DNA, can be used for advanced surveillance, targeted oppression, and even next-generation biological warfare.

The Pentagon has warned service members against using consumer DNA kits, citing concerns about operational security and the ability of adversaries to track or blackmail individuals based on genetic markers. Biometric Update previously reported that DNA “bio-forensic” data is being used by the FBI and other law enforcement and intelligence agencies to determine whether a person’s DNA can be used to identify unidentified subjects of interest by analyzing their or known familial DNA against a database of known and unknown persons’ DNA.

With 23andMe’s data now effectively up for sale, the possibility that such information could be misappropriated – legally or illegally – adds a disturbing layer of complexity to the ongoing debate. In the absence of legislative safeguards, companies like 23andMe operate in a largely unregulated space, even as they wield enormous influence over individual lives and the broader healthcare landscape. The current legal vacuum, combined with the heightened stakes of a bankruptcy sale, has catalyzed bipartisan agreement in Congress.

Lawmakers from both parties have expressed support for new statutory frameworks to regulate the commercial use of genetic data, restrict foreign investment in DNA-centric platforms, and expand the jurisdiction of regulatory bodies to oversee consumer genomics.

Updated 06-12-2025 with comment from WuXi AppTec.
