Regeneron Commits to Enhancing Security Measures Following Acquisition of 23andMe
The planned acquisition of the genetic testing company 23andMe by Regeneron Pharmaceuticals has raised significant concerns about the future of data security and customer privacy. In a recent announcement regarding the acquisition, Regeneron emphasized its commitment to prioritizing these crucial aspects.
Regeneron has decided to acquire 23andMe’s Personal Genome Service, Total Health, and Research Services business lines, along with its Biobank and associated assets, in a transaction valued at $256 million. Pending necessary approvals from bankruptcy courts and regulatory bodies, the acquisition is anticipated to close in the third quarter of this year.
In an effort to reassure customers and regulators, Regeneron stated that it “intends to ensure compliance” with 23andMe’s established consumer privacy policies, as well as relevant legal requirements concerning the management of customer data. The company plans to disclose its strategies for utilizing customer data, alongside the privacy measures and security controls it intends to implement. An independent Customer Privacy Ombudsman will review these proposals, a step mandated by a bankruptcy judge in April. This move has been positively received by privacy regulators including the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC).
Given that the genetic data held by 23andMe is classified as “special category” data, it is subject to stringent regulations under the General Data Protection Regulation (GDPR) and its Canadian counterpart, the Personal Information Protection and Electronic Documents Act (PIPEDA). In the United States, although there is no comprehensive federal privacy law like GDPR, various state laws apply. Notably, HIPAA does not extend protections to direct-to-consumer companies such as 23andMe.
Aris Baras, Senior Vice President and head of the Regeneron Genetics Center, asserted, “As a world leader in human genetics, Regeneron is committed to safeguarding the genetic data of individuals worldwide and, with their consent, using this data to drive scientific discoveries that benefit society.” Baras reassured 23andMe customers of Regeneron’s adherence to high standards in data privacy, security, and ethical oversight, and highlighted the company’s intention to unlock the potential of the genetic dataset to enhance human health.
The joint statement from UK and Canadian data protection regulators earlier this month underscored the importance of maintaining robust protections for the data of 23andMe customers. They indicated readiness to take regulatory action if these protections falter.
Any new data management protocols introduced by Regeneron will be held to a high standard, especially in light of the significant data breach affecting 23andMe in 2023, which compromised the data of nearly seven million individuals. Hackers gained access through previously compromised credentials, and due to a lack of multi-factor authentication on certain accounts, they were able to extract additional data from users who had opted into the DNA Relatives feature.
At the time, 23andMe faced criticism for attributing responsibility for the breach to its customers, a position that raised concerns about transparency and accountability. As the acquisition proceeds, the priority remains clear: Regeneron must establish a framework that not only complies with existing regulations but also rebuilds trust among 23andMe’s customer base.