Protecting your DNA test results online starts with three fundamental steps: limit what data you share with testing companies in the first place, use strong and unique authentication for your accounts, and regularly review and delete data you no longer need stored. Unlike a password or credit card number, your genetic information cannot be changed if it falls into the wrong hands, making prevention your only real defense. The 2023 breach of 23andMe, which exposed the genetic data of nearly 7 million users through credential stuffing attacks, demonstrated exactly how vulnerable this information can be when basic security practices are ignored.
Beyond these immediate protections, securing your DNA data requires understanding how testing companies store and share your information, what legal protections exist (and where they fall short), and how to make informed decisions about which services to trust. This article covers the specific technical steps you can take to secure your accounts, how to evaluate the privacy policies of genetic testing companies, the limitations of current laws like GINA, and what to do if your data has already been compromised. Whether you have already submitted a DNA sample or are still considering testing, these strategies will help you maintain control over one of your most personal datasets.
Table of Contents
- Why Are DNA Test Results a High-Value Target for Hackers?
- What Security Settings Should You Enable on Your DNA Testing Account?
- How Do Privacy Policies Differ Between Major DNA Testing Companies?
- Should You Download and Delete Your DNA Data from Testing Platforms?
- What Legal Protections Exist for Genetic Privacy?
- How to Respond If Your Genetic Data Has Been Breached
- The Future of Genetic Data Security
- Conclusion
Why Are DNA Test Results a High-Value Target for Hackers?
Your genetic data represents a uniquely attractive target because of its permanence and the breadth of information it contains. Unlike financial credentials that can be reset or even Social Security numbers that can be monitored for fraud, DNA cannot be altered. Once exposed, the damage is irreversible and potentially multigenerational, since your genetic information reveals details about your biological relatives as well. Hackers and data brokers recognize that this creates opportunities for blackmail, insurance fraud, and identity-related schemes that may not even be fully realized yet. The value extends beyond individual exploitation. Genetic databases have become targets for nation-state actors interested in population-level data for bioweapon research or identifying individuals with specific genetic vulnerabilities.
In 2020, U.S. officials warned that foreign adversaries were actively attempting to collect American genetic data, prompting scrutiny of companies with overseas data storage or processing. Corporate espionage represents another threat vector, as pharmaceutical companies and research institutions would pay significant sums for access to large genetic datasets. Compared to medical records, which typically sell for $250 to $1,000 on dark web markets, genetic data can command even higher prices because of its unique characteristics. A stolen credit card number might be useful for weeks before cancellation, but genetic data remains exploitable indefinitely. The economics of permanence makes DNA databases particularly appealing targets for sophisticated attackers willing to invest significant resources in breaching them.

What Security Settings Should You Enable on Your DNA Testing Account?
Every major DNA testing platform offers security features that most users never activate. At minimum, you should enable two-factor authentication, preferably using an authenticator app rather than SMS, which remains vulnerable to SIM-swapping attacks. Both 23andMe and AncestryDNA offer this option, though neither requires it by default. You should also use a password that is completely unique to your genetic testing account and stored in a reputable password manager, since the 23andMe breach specifically exploited users who reused passwords from other compromised sites. Beyond authentication, review your account’s sharing and visibility settings. Most platforms default to opting you into features like DNA relative matching, research participation, and data sharing with third-party partners.
Navigate to your privacy dashboard and disable any sharing you do not explicitly want. On 23andMe, this means visiting Settings, then Privacy Preferences, and individually reviewing options for DNA Relatives, research consent, and personalized advertising. AncestryDNA has similar controls under Account Settings, then Privacy Settings. However, if you have already participated in relative matching or shared your results with family members, restricting your settings now will not recall data that others have already downloaded or screenshots they may have saved. The same limitation applies to research programs: once your anonymized data has been included in a dataset shared with research partners, withdrawing consent typically only prevents future use, not retroactive removal from completed studies. This underscores why reviewing these settings before submitting your sample matters more than adjusting them afterward.
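The password advice above rests on one check you can actually automate: does the password on your genetic testing account appear anywhere else in your vault? The script below is an added example, not code from the article or from any testing company, and it assumes a password-manager export in a simple CSV layout with `url,username,password` columns (the sample rows are constructed; real exports use vendor-specific column names you would map first). It groups entries by a hash of the password so the report never prints a plaintext secret, and then answers, for the hosts you care about, whether each one has a password used nowhere else.

```python
"""Audit a password-manager export for passwords reused across sites.

Added example, not the article's own code. Assumes a CSV export with the
columns url,username,password; the rows below are constructed sample data.
"""
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export: one password is shared by three unrelated sites,
# which is exactly the condition credential stuffing exploits.
SAMPLE_EXPORT = """url,username,password
https://www.23andme.com,alice@example.com,Summer2019!
https://www.ancestry.com,alice@example.com,Tr0ub4dor&3
https://forum.example.net,alice,Summer2019!
https://mail.example.com,alice@example.com,Summer2019!
https://bank.example.org,alice,correct horse battery staple
"""


def site_of(url: str) -> str:
    """Reduce a URL to its lowercase hostname so entries for one site compare equal."""
    host = urlparse(url).hostname or url
    return host.lower()


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix of the password, so reports carry no plaintext secrets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(export_csv: str) -> dict:
    """Return {fingerprint: sorted list of hostnames} for every password used on >1 site."""
    sites_by_password = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        password = row.get("password", "")
        if not password:
            continue
        sites_by_password[fingerprint(password)].add(site_of(row["url"]))
    return {fp: sorted(sites) for fp, sites in sites_by_password.items() if len(sites) > 1}


def sites_with_unique_passwords(export_csv: str, hosts) -> dict:
    """For each host of interest, True if its password is not shared with any other site."""
    reused_hosts = {
        host for sites in find_reused_passwords(export_csv).values() for host in sites
    }
    return {host: host not in reused_hosts for host in hosts}


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(SAMPLE_EXPORT).items():
        print(f"password {fp}... reused on {len(sites)} sites: {', '.join(sites)}")
    # Hosts to check are assumptions for the demo; substitute your own accounts.
    print(sites_with_unique_passwords(SAMPLE_EXPORT, ["www.23andme.com", "www.ancestry.com"]))
```

Run it against a real export only on a machine you control, and delete the export afterwards: the CSV itself is a plaintext copy of every credential in your vault. Any site that shows up in a reuse group should get a fresh, generated password, starting with the accounts whose data cannot be reissued.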
How Do Privacy Policies Differ Between Major DNA Testing Companies?
Not all genetic testing companies handle your data identically, and reading privacy policies carefully reveals significant differences in data retention, sharing practices, and your rights to deletion. 23andMe retains your genetic information indefinitely unless you specifically request deletion, and even then, some data may persist in research datasets or backups. AncestryDNA has similar retention practices but provides somewhat clearer instructions for complete account and data deletion. Smaller companies and direct-to-consumer health testing startups often have less mature security infrastructure and vaguer policies about what happens to your data if the company is acquired or goes bankrupt. When comparing services, pay attention to who can access your raw genetic data. Some companies allow you to download your raw data file, which creates both an opportunity and a risk.
Having your own copy means you are not dependent on the company’s continued existence, but that file becomes another asset you must secure. Other companies restrict raw data access entirely, which limits your portability but also reduces your personal security burden. Companies that share data with pharmaceutical partners or research institutions should disclose this clearly, though the practical implications of “anonymized” data sharing remain murky given how easily genetic data can be re-identified. The 2019 acquisition of DNA testing assets by private equity firms highlighted another risk: privacy policies can change when companies are sold. The promises made by the company you originally trusted may not bind new owners. Look for companies that commit to notifying users before any material changes to data handling practices and that provide opt-out mechanisms with actual teeth, meaning deletion rather than mere cessation of future use.

Should You Download and Delete Your DNA Data from Testing Platforms?
Downloading your raw genetic data and then requesting deletion from the testing company represents the most aggressive privacy-protective approach, but it involves tradeoffs. Once you delete your account, you lose access to ongoing updates as the company refines its ancestry algorithms or adds new health reports. You also lose relative matching capabilities, which may matter if you are using the service for genealogical research or adoptee searches. The decision depends on why you took the test and whether ongoing features outweigh the risk of continued data storage. If you decide to download, treat the resulting file with extreme caution. Store it in an encrypted container on a device you control, not in cloud storage with default settings.
Tools like VeraCrypt can create encrypted volumes that require a password to access. Consider whether you actually need to retain the data at all: if you originally tested out of curiosity and have no ongoing use for the results, deleting both the platform copy and any local files eliminates the risk entirely. The deletion process itself varies by company and is rarely instantaneous. 23andMe warns that deletion may take up to 30 days to complete and that some information may persist in backups or be retained for legal compliance. AncestryDNA has a similar process through their account settings. Request deletion in writing through the company’s official channels and retain confirmation for your records. If you uploaded your data to third-party interpretation sites like GEDmatch or Promethease, you will need to request deletion separately from each service.
What Legal Protections Exist for Genetic Privacy?
The Genetic Information Nondiscrimination Act (GINA), passed in 2008, prohibits health insurers and employers from using genetic information to make coverage or employment decisions. This sounds comprehensive but contains significant gaps. GINA does not apply to life insurance, disability insurance, or long-term care insurance, meaning companies in those sectors can legally request genetic test results and use them to deny coverage or set premiums. Military members face additional limitations, as some branches have policies around genetic testing that differ from civilian protections. State laws provide a patchwork of additional protections. The California Consumer Privacy Act gives residents broader rights to know what data companies collect and to request deletion.
Florida and several other states have enacted genetic privacy laws with varying scope and enforcement mechanisms. However, enforcement remains weak across all jurisdictions, and most laws were written before the current generation of consumer genetic testing became widespread. The penalties for violations are often insufficient to deter large companies from risky data practices. If you are considering genetic testing and have concerns about insurance implications, understand that taking a test creates a record that may be difficult to fully erase. Even if current laws prevent insurers from accessing your results directly, future legal changes, data breaches, or company acquisitions could alter that calculus. Some genetic counselors advise purchasing life and disability insurance before undergoing testing if you are concerned about these risks, though this approach has obvious practical limitations.

How to Respond If Your Genetic Data Has Been Breached
If you receive notification that your genetic testing account was compromised, act immediately by changing your password and enabling two-factor authentication if you have not already. However, recognize that unlike a credit card breach, there is no way to issue yourself new DNA. The damage control focuses on limiting secondary harms: monitor for phishing attempts that use details from your genetic profile to appear legitimate, and be especially wary of communications claiming to be from relatives or genetic counseling services.
Consider placing a fraud alert or credit freeze with the major bureaus, since genetic breaches often coincide with exposure of other personal information. Document everything related to the breach notification for potential future legal action. Class action lawsuits following genetic data breaches have resulted in settlements, though payouts to individual victims tend to be modest. The 23andMe breach prompted litigation that remains ongoing, and affected users should monitor for communications about settlement opportunities or required claim submissions.
The Future of Genetic Data Security
The regulatory landscape around genetic privacy is evolving, with proposed federal legislation that would extend GINA-style protections to life and disability insurance and impose stricter data security requirements on testing companies. The EU’s General Data Protection Regulation already treats genetic data as a special category requiring explicit consent and heightened protections, creating pressure for global companies to adopt stronger baseline practices. Emerging technologies like homomorphic encryption could eventually allow genetic analysis without exposing raw data, though practical implementation remains years away.
For consumers today, the trajectory suggests both increasing risks and improving protections. Genetic databases will only grow larger and more valuable as targets, but public awareness of the risks is driving both market pressure and regulatory attention. Making informed decisions now, with clear understanding of what you are sharing and with whom, positions you to benefit from genetic testing while minimizing exposure to an evolving threat landscape.
Conclusion
Protecting your DNA test results requires active engagement before, during, and after testing. Choose reputable companies with clear privacy policies, enable all available security features, limit sharing to what you actually need, and consider downloading and deleting your data once you have extracted the value you sought.
Recognize that legal protections remain incomplete and that the permanence of genetic data means breaches have consequences that extend far beyond typical identity theft. The fundamental tension remains: genetic testing offers genuine value for health insights and personal discovery, but that value comes with irreducible risks that cannot be fully mitigated by any technology or policy. Make testing decisions with clear eyes about this tradeoff, implement every available protection, and stay informed as both threats and defenses continue to evolve.
