Is Our DNA in Safe Hands? What the Regeneron Acquisition of 23andMe Means for Security and Privacy

  • Writer: Sekurno
  • 11 hours ago
  • 4 min read

This week, it was announced that Regeneron will acquire 23andMe for $256 million. While headlines highlight the financials, there's a deeper concern many seem to be ignoring: What happens to the genetic data of over 15 million people?


At Sekurno, we’ve worked with security teams across genomics, biotech, and healthtech. Based on our analysis of Regeneron's historical security posture—and what we know about post-acquisition risk—we believe the public deserves more transparency and caution than it’s getting.



1. Why Regeneron Wants 23andMe

Let’s be honest: this deal is about data. The crown jewel is the massive genetic dataset—one of the largest of its kind globally. For a company like Regeneron, that kind of information fuels drug discovery, biomarker development, and precision medicine.


But what about the rest of 23andMe?

  • The DTC test kits

  • The mobile app

  • The infrastructure and infosec stack

  • The engineering and security teams


Will those parts be truly valued and maintained?

Or are they simply along for the ride—kept for appearances while the real prize is the genetic data?

And if Regeneron replaces or dismantles 23andMe’s systems and teams without preserving their knowledge, tooling, and practices, what happens to the integrity of that data?


Because when you transfer sensitive infrastructure without continuity—without the people, processes, and protections that built it—you create immediate risks, from undocumented security workflows to misconfigured access controls.

So the very objective of the deal feeds directly into the next point.



2. The Risk of Security Degradation in M&A

M&A transitions are rarely seamless. In the first 6–12 months, companies consolidate vendors, lay off overlapping staff, and merge systems and policies.


That’s when security gaps form—often quietly and invisibly.


In this case, Regeneron’s strategic interest appears to lie squarely in 23andMe’s dataset—its most valuable asset by far. That focus could shape how the company approaches operational and budget decisions post-acquisition, particularly around areas that don’t directly support data extraction or monetization.


Security vendors, engineering staff, and internal security operations—while essential—may be viewed as overhead rather than differentiators.


And that’s where the risk grows.


According to Reuters, Regeneron has pledged to uphold 23andMe’s privacy policies and to collaborate with a court-appointed independent privacy overseer:

“Regeneron on Monday said it will uphold 23andMe’s existing privacy policies and comply with all applicable data protection laws. It also committed to working transparently with a court-appointed independent overseer who will assess the implications of the deal for consumer privacy.”

That’s a good start. But it doesn’t go far enough. Privacy policies are not security architectures. Compliance does not equal protection.


And a legal overseer—no matter how diligent—can’t audit undocumented workflows, tacit knowledge, or the security muscle memory that leaves when engineers walk out the door.


So the questions are:

  • Will Regeneron retain 23andMe’s security and engineering teams?

  • Will they preserve mature detection tooling—or replace it with more “standardized” cost-efficient alternatives?

  • Will any of this affect how DNA data is stored, encrypted, and accessed going forward?


We don’t know. But history shows that these risks are not theoretical—they’re structural.



3. Regeneron’s Track Record: Cause for Concern

In 2024, Regeneron was among 27 pharmaceutical companies affected by a significant data breach through its vendor, Cencora. The incident exposed over 100,000 medical records, including sensitive information such as patient names, diagnoses, and prescription histories.

This wasn’t a one-off failure.


It was an industry-wide event—impacting giants like Genentech, Bayer, AbbVie, and Novartis—revealing just how vulnerable even the most tightly regulated organizations can be.


If 27 pharma companies—each with compliance programs, audits, and certifications—were breached through a single vendor, it underscores a painful truth:

Compliance checklists don’t guarantee security.

Vendor risk management cannot stop at questionnaires or point-in-time audits.

It requires ongoing validation, shared accountability, and a culture that treats security as operational hygiene, not a formality.


And yet, after one of the most extensive vendor-related breaches in pharma history, no technical post-mortem has been shared. No lessons learned. No cross-industry transparency.


Regeneron and others filed breach notifications with regulators—and then went silent.

If this is how pharma handles security failures today, what should we expect when one of these companies—Regeneron—takes ownership of 15 million genetic profiles?

This isn’t just another health data set. It’s immutable, deeply personal, and inherited. The stakes are exponentially higher.


So the questions are:

  • How will Regeneron’s compliance and vendor management evolve to reflect this new level of sensitivity?

  • Will their approach to transparency change—especially toward the people whose DNA they now control?


Because lack of transparency in security incidents isn’t just a PR issue. It’s a sign of missing ownership. And when it comes to genetic data, that’s not acceptable. We need better, especially when our DNA is involved.



Conclusion: We Need Answers Before the Integration Begins

We understand the scientific value of this acquisition, but data ownership, access controls, and post-acquisition risk management must be addressed upfront.


The public deserves clarity:

  • Will Regeneron retain 23andMe’s security controls and experts?

  • Will the DNA dataset be siloed, encrypted, or re-architected?

  • Will users have the right to opt out or delete their data under new ownership?


Because if Regeneron stays silent again, we risk losing more than just trust—we risk losing the genetic privacy of millions.


Sekurno’s Take:

Privacy and security in biotech can’t be retrofitted after a breach. They must be built in, even through transitions. Especially then.
