Pharmaceutical giant Regeneron has announced plans to acquire 23andMe’s assets, including its vast trove of personal and genetic data from over 15 million customers, for $256 million.
The acquisition follows 23andMe’s Chapter 11 bankruptcy filing earlier this year and is expected to close in Q3 2025, pending regulatory and court approvals.
The asset purchase agreement includes 23andMe’s Personal Genome Service (PGS), Total Health, Research Services, and its proprietary Biobank, which collectively represent one of the largest privately held genetic datasets in the world. The deal excludes 23andMe’s Lemonaid Health business. According to the announcement, Regeneron will continue operating the consumer genomics platform as a wholly owned subsidiary, vowing to maintain uninterrupted services and uphold existing customer privacy policies.
23andMe, once a trailblazer in direct-to-consumer genetic testing, has faced increasing financial and reputational headwinds since a high-profile data breach in October 2023 exposed sensitive information from nearly 7 million users. Compromised data included genetic profiles shared via the “DNA Relatives” feature, a breach that prompted investigations by regulators in the U.S. and the U.K., and further eroded consumer trust. The breach played a significant role in the company’s downfall, culminating in the resignation of founder and CEO Anne Wojcicki and a federal bankruptcy court overseeing its asset sale.
Regeneron, headquartered in Tarrytown, New York, is a publicly traded biotech firm known for its genetics-driven approach to drug discovery. Through its Regeneron Genetics Center (RGC), the company has already sequenced genetic data from nearly 3 million research participants and established large-scale collaborations with hospitals and research institutions. With the acquisition of 23andMe’s Biobank, Regeneron will more than quintuple its access to de-identified genomic data, positioning it to significantly accelerate drug development pipelines. However, this transition raises pressing concerns around privacy, data governance, and consent.
Regeneron has pledged to respect existing user consents and comply with privacy regulations, including oversight from a court-appointed Customer Privacy Ombudsman. Still, it is important to remember that the line between deidentified and re-identifiable data is increasingly porous, particularly with genetic information that is inherently unique and immutable.
Customers who once submitted saliva samples for ancestry reports or health insights now find their data at the center of a corporate acquisition, with limited recourse for revoking prior consents. Under California’s Genetic Information Privacy Act (GIPA) and Consumer Privacy Act (CCPA), residents can request deletion of their genetic data, yet many remain unaware of this option or skeptical of its enforcement.
Regeneron has not previously faced any regulatory penalties or public controversies related to data privacy breaches. The firm maintains a relatively clean record in that domain, which may help reassure regulators and consumers. However, the sheer scale of the dataset now under its control, coupled with the opaque nature of commercial genetic research, has renewed calls for stronger federal protections for genomic data.
Ultimately, consumer genetic data in the U.S. is not covered by HIPAA unless handled by a healthcare provider, and its regulation varies state by state. This patchwork legal landscape places a heavy burden on individuals to manage their data privacy.
Customers concerned about the future use of their genetic data should act promptly and perform the following actions:
- Delete your genetic data through your 23andMe account under Settings → 23andMe Data → Delete Data.
- Withdraw research consent by modifying your preferences under Research and Product Consents.
- Request destruction of DNA samples by navigating to Settings → Preferences to revoke storage permissions.
Leave a Reply