The firm slated to acquire genetics testing business 23andMe has moved quickly to reassure customers and regulators about its data security and privacy credentials.
Regeneron Pharmaceuticals said in a press release yesterday that it would acquire 23andMe’s Personal Genome Service (PGS), Total Health and Research Services business lines, alongside its Biobank and associated assets, for $256m. Subject to bankruptcy court and regulatory approvals, the deal is expected to close in the third quarter.
The firm said it “intends to ensure compliance” with 23andMe’s consumer privacy policies and any “applicable laws” regarding the handling of customer data. It added that it would outline its proposed use of customer data, as well as the privacy programs and security controls it plans to put in place, for review by an independent Customer Privacy Ombudsman and other interested parties.
The appointment of that ombudsman was ordered by a bankruptcy judge in April – a move welcomed by privacy regulators the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC).
As the customer genetic data that 23andMe holds is classed as “special category” data, it is considered highly sensitive and subject to stricter rules under the GDPR and its Canadian equivalent (PIPEDA).
In the US, there is no uniform federal privacy law, only a patchwork of applicable state laws. The health data security law HIPAA doesn’t cover direct-to-consumer companies like 23andMe.
“As a world leader in human genetics, Regeneron Genetics Center is committed to and has a proven track record of safeguarding the genetic data of people across the globe, and, with their consent, using this data to pursue discoveries that benefit science and society,” said Aris Baras, SVP and head of the Regeneron Genetics Center.
“We assure 23andMe customers that we are committed to protecting the 23andMe dataset with our high standards of data privacy, security and ethical oversight and will advance its full potential to improve human health.”
Going Above and Beyond
The UK and Canadian data protection regulators penned a joint letter earlier this month calling for the continued protection of 23andMe customers’ data, and warning that they “will take action” if this doesn’t happen.
Any new data protection controls deployed by Regeneron would probably need to offer extra security assurances to regulators, given the major breach that occurred at 23andMe in 2023 in which data on nearly seven million individuals was compromised.
Hackers originally gained access to a small number of user accounts via previously compromised credentials, because these accounts were not protected by multi-factor authentication (MFA). From those accounts they were then able to scrape data on many additional users who had opted in to the DNA Relatives feature.
23andMe was criticized at the time for trying to blame customers for the incident.
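The two-stage pattern described above (credential stuffing against accounts without MFA, followed by one authenticated account scraping many opt-in relatives records) is something a defender can look for in authentication and application logs. The following is an added illustration written for this article, not code from 23andMe or Regeneron; the log format, field names, IP addresses, usernames and thresholds are all constructed assumptions.

```python
"""Detection logic for the two stages of the breach pattern described above:
(1) credential stuffing: one source IP attempting logins against many
    distinct accounts with a high failure ratio, and
(2) scraping: one authenticated account viewing an abnormal number of
    opt-in "relatives" profiles in a short window.
Every log line, address and username below is constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since epoch (constructed)
    src_ip: str
    user: str
    action: str      # "login" or "relatives_view"
    result: str      # "ok" or "fail"
    mfa: bool        # whether the account has MFA enrolled


def parse_line(line: str) -> Event:
    # Constructed log format: "<ts> <ip> <user> <action> <result> mfa=<yes|no>"
    ts, ip, user, action, result, mfa = line.split()
    return Event(int(ts), ip, user, action, result, mfa == "mfa=yes")


def detect_credential_stuffing(events, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a high failure ratio.
    Returns {ip: (distinct_users, fail_ratio, successes_on_accounts_without_mfa)}."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "fails": 0, "no_mfa_success": set()})
    for e in events:
        if e.action != "login":
            continue
        d = per_ip[e.src_ip]
        d["users"].add(e.user)
        d["attempts"] += 1
        if e.result == "fail":
            d["fails"] += 1
        elif not e.mfa:
            # A successful login on an account with no second factor is the
            # case that turns a password leak into an account takeover.
            d["no_mfa_success"].add(e.user)
    flagged = {}
    for ip, d in per_ip.items():
        ratio = d["fails"] / d["attempts"]
        if len(d["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(d["users"]), round(ratio, 2),
                           sorted(d["no_mfa_success"]))
    return flagged


def detect_relatives_scraping(events, window=3600, max_views=50):
    """Flag accounts whose successful relatives views exceed max_views within
    any sliding window of `window` seconds. Returns {user: peak_views}."""
    views = defaultdict(list)
    for e in events:
        if e.action == "relatives_view" and e.result == "ok":
            views[e.user].append(e.ts)
    flagged = {}
    for user, stamps in views.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:   # slide the window's left edge
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > max_views:
            flagged[user] = peak
    return flagged


# Constructed sample log: one stuffing source hitting six accounts, a benign
# user with a single typo, then the compromised no-MFA account "carol"
# paging through 60 relatives profiles in half an hour.
SAMPLE_LOG = [
    "1000 203.0.113.5 alice login fail mfa=no",
    "1001 203.0.113.5 bob login fail mfa=yes",
    "1002 203.0.113.5 carol login ok mfa=no",
    "1003 203.0.113.5 dave login fail mfa=no",
    "1004 203.0.113.5 erin login fail mfa=yes",
    "1005 203.0.113.5 frank login ok mfa=yes",
    "2000 198.51.100.7 grace login fail mfa=yes",
    "2001 198.51.100.7 grace login ok mfa=yes",
] + [f"{1100 + i * 30} 203.0.113.5 carol relatives_view ok mfa=no" for i in range(60)] \
  + [f"{3000 + i * 600} 198.51.100.7 grace relatives_view ok mfa=yes" for i in range(5)]

EVENTS = [parse_line(line) for line in SAMPLE_LOG]


def analyze(events=EVENTS):
    """Run both detectors and return their findings together."""
    return {"stuffing": detect_credential_stuffing(events),
            "scraping": detect_relatives_scraping(events)}


if __name__ == "__main__":
    for name, findings in analyze().items():
        print(name, findings)
```

The stuffing detector keys on the source, not the account, because each targeted account sees only one or two attempts and looks normal on its own; the scraping detector keys on the account, because the volume of relatives lookups, not the login, is what distinguishes a compromised session from a curious customer. Both thresholds are placeholders that would be tuned against real baseline traffic.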