23andMe bankruptcy announcement sparks data security concerns
Published in Business News
The bankruptcy filing of 23andMe, a South San Francisco company that stores the genetic information of at least 15 million customers, has raised substantial concerns about consumer data security.
According to the company’s U.S. privacy statement, if 23andMe is involved in a “bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
The statement also noted that the company “may disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services.”
It’s the possibility of data transfer to parties consumers did not authorize, as outlined in the privacy statement, that lies at the heart of concerns over how that data could be shared.
On Friday, California Attorney General Rob Bonta issued a consumer alert, reminding customers they can delete data submitted to the struggling genetic testing firm. The “trove of sensitive consumer data” amassed by 23andMe is subject to deletion under both the Genetic Information Privacy Act and the California Consumer Protection Act, according to his office.
“California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” Bonta said in a statement. “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.”
Beyond the immediate concerns surrounding the data transfer policy, experts warn of the broader risks to genetic data.
“The issue is, if you are susceptible to some health risk — or to some lifestyle risk — then you may want to keep that private,” said Nat Natraj, a data security expert and CEO of Menlo Park-based AccuKnox. “People might choose to do this for a variety of reasons. If (the data) falls into the wrong hands, you could become essentially blackmail material.”
Natraj advised those who request deletion but want to keep their genetic data to store it in a digital “private vault” or other secure platforms.
“You can create a private vault, if with Google Docs, you can secure it with two-factor authentication or store it on your laptop with disk-level encryption,” he said. “If you want to be very, very safe, you can put it in a hardware wallet, such as a YubiKey.”
23andMe, once valued at $6 billion, has faced a turbulent year as it struggled to improve its financial health.
Earlier this year, the company cut 153 Bay Area jobs, including 122 in Sunnyvale and 31 at its headquarters in South San Francisco, representing 27% of its U.S. workforce.
According to a company filing last year, as of March 31, 2024, 23andMe employed 582 people worldwide, including 560 full-time U.S.-based employees.
Following the bankruptcy filing, CEO and founder Anne Wojcicki resigned from leadership but remained on the board.
State Sen. Josh Becker, a Menlo Park Democrat whose district includes South San Francisco, a major biotech hub in the region, said his immediate focus is to ensure “consumer privacy is protected and that no genetic information is improperly accessed as part of the bankruptcy proceeding.”
“We’re trying to publicize, make sure people know about their rights to delete,” Becker said.
For those concerned about whether the company is actually deleting data, the California Privacy Protection Agency is tasked with monitoring compliance with state data privacy laws.
Becker, a former Silicon Valley executive, authored California’s “Delete Act” that goes into effect next year and could require data brokers to stop tracking individuals and delete any information collected about them.
“We want consumers to know that it’s your data and you have a right to it and delete your information whether it’s through a genetic information site or whether it’s one of 500 registered data brokers in California,” he said. “While there’s no reason to believe that data from 23andMe is at risk right now, we want people to be conscious of what data these companies have of you and know their rights.”
To delete their 23andMe account and personal information, customers can follow these steps:
—Log in to their 23andMe account on the company’s website.
—Navigate to the “settings” section of their profile.
—Scroll down to the “23andMe data” section at the bottom of the page.
—Click “view” next to “23andMe data.”
—Download their data.
—Scroll to the “delete data” section.
—Click “permanently delete data.”
—Confirm their request; an email from 23andMe will follow, containing a link to finalize the deletion.
On the website, customers can also direct the company to destroy stored saliva samples and DNA, as well as revoke permission for their genetic data to be used for research.
© MediaNews Group, Inc. Visit at mercurynews.com. Distributed by Tribune Content Agency, LLC.