At-home DNA test risks are harder to escape than the friendly packaging suggests, a detailed review of 10 direct-to-consumer testing companies and consultations with 12 experts in bioethics, genetics, law, and cybersecurity have found.

HIPAA May Not Cover Your Data

The first assumption most consumers make is that a company handling health-related data is bound by HIPAA, the Health Insurance Portability and Accountability Act of 1996. That assumption is often wrong.

Anya Prince, the David H. Vernon professor in law at the University of Iowa College of Law, told ZDNET the central question is whether a company qualifies as a covered entity. ‘DTC labs may not count as covered entities,’ Prince said. ‘The health information they have… would be governed by a company’s privacy policy rather than considered PHI.’

Julian Gage, founder of Engage Compliance and an outsourced data protection officer for direct-to-consumer health and genetic testing companies, told ZDNET that claims such as ‘HIPAA-grade security’ and ‘HIPAA-compliant’ are marketing language, ‘not protection.’ When a testing company routes an order through a physician or telehealth network, the clinician may be a covered entity, but that does not extend the protection to the testing company or the full consumer transaction. ‘You can end up with one thin layer protected and the rest living under the terms you tapped through at checkout,’ Gage said.

At-Home DNA Test Risks Around Genetics and Insurance

Genetic data carries consequences that outlast any privacy policy. Unlike a password, it cannot be changed, and it reveals information about relatives who never consented to a test.

The Genetic Information Nondiscrimination Act (GINA), enacted in 2008, prohibits health insurers from using an individual’s genetic information to determine eligibility, cost, or coverage. However, as the American Society of Human Genetics makes clear, GINA’s protections stop at health insurance. The Congressional Research Service confirms that GINA explicitly excludes life insurance, long-term care insurance, short-term disability insurance, and long-term disability insurance.

Prince, who also studies genetic discrimination, told ZDNET that a person ‘could be denied these insurances or charged a higher premium’ based on test results. Laura Hercher, director of student research in the Human Genetics Graduate Program at Sarah Lawrence College, said it is far from clear whether life or long-term-care insurers will begin screening out higher-risk customers based on genetic test history, but in most US states, she said, ‘they could.’

De-identified data offers less protection than many consumers assume. Gage told ZDNET that ‘once data is de-identified to the legal standard, it drops out of most privacy rules entirely, and the company can use, share, or sell it without asking you again.’ A 2013 Wired report showed how researchers could use publicly accessible information, including genealogy databases, to re-identify participants in a large genomic study.

23andMe’s Bankruptcy Puts 15 Million Profiles in Play

The abstract risk of data misuse became concrete in April 2025. On 16 April 2025, 25 US states filed a motion in the United States Bankruptcy Court for the Eastern District of Missouri to halt 23andMe’s proposed sale of the genetic and personal data of 15 million people, according to the Cyber Security Law Report. The states requested the appointment of two independent examiners to recommend further privacy and security protections. Alaska argued separately that its state law requires 23andMe to seek fresh customer consent before transferring personal data to any winning bidder.

On account deletion, 23andMe’s official privacy statement says the company will automatically opt a user out of research and discard their sample when an account is deleted, though users can choose to have their sample stored. What happens to that data during a bankruptcy transfer remains contested.

FDA Review Is Narrow, Not Universal

Across the 10 companies reviewed, FDA language appeared sparingly and was almost always tied to a specific test rather than the whole service. LetsGetChecked obtained FDA marketing authorisation for its Simple 2 Test, which the FDA confirmed was granted through the De Novo premarket review pathway. That made it the first diagnostic test for chlamydia and gonorrhea with at-home sample collection to receive FDA marketing authorisation, and the first FDA-authorised at-home collection test for any sexually transmitted disease other than HIV. The FDA noted that chlamydia and gonorrhea are the two most common bacterial sexually transmitted infections in the United States, with an estimated 1.6 million chlamydia cases and more than 700,000 gonorrhea cases recorded in 2021 alone.

That authorisation covers one specific test. It does not extend to LetsGetChecked’s wider catalogue or to any other company.

CLIA certification and CAP accreditation, cited by almost every company reviewed, are laboratory quality standards, not endorsements of clinical accuracy or interpretive quality. Dr Robert Green, a professor of medicine in genetics at Harvard Medical School, told ZDNET that ‘CLIA certification doesn’t say much about quality of interpretation,’ and that some companies may rely on automated interpretation systems that ‘miss tons of important’ conditions.

What to Check Before You Order

Reading the privacy policy before purchasing matters more than anything printed on the kit’s box. Gage advised searching specifically for the words ‘third parties,’ ‘partners,’ ‘sell,’ ‘retention,’ ‘deletion,’ ‘sample destruction,’ ‘acquisition,’ and ‘bankruptcy.’ ‘If those parts read as vague,’ he said, ‘the vagueness is your answer.’

Beyond privacy, check whether any FDA authorisation applies to the specific test being purchased or only to one report within it, whether the lab is CLIA-certified or CAP-accredited, and whether a qualified clinician (not just an automated system) will interpret the result.

The follow-up question is what happens if a result is abnormal. Some companies offer clinical callbacks; others describe themselves as wellness-only services not designed to diagnose or treat any condition. Professor Arthur L. Caplan, a bioethicist at NYU Grossman School of Medicine, told ZDNET: ‘What’s often sold is, “take control of your health, be in charge.” You can’t, because you’re going to get information back that you need a master’s degree to understand.’

The 23andMe bankruptcy case is now the clearest test of whether the data protections written into privacy policies survive corporate failure. Its outcome is likely to set the terms for the rest of the industry.
