Is Our DNA in Safe Hands? What the Regeneron Acquisition of 23andMe Means for Security and Privacy

  • Writer: Sekurno
  • May 24
  • 4 min read

Updated: May 28

This week, it was announced that Regeneron will acquire 23andMe for $256 million. While headlines highlight the financials, there's a deeper concern many seem to be ignoring: What happens to the genetic data of over 15 million people?


At Sekurno, we’ve worked with security teams across genomics, biotech, and healthtech. Based on our analysis of Regeneron's historical security posture—and what we know about post-acquisition risk—we believe the public deserves more transparency and caution than it’s getting.



1. Why Regeneron Wants 23andMe

Let’s be honest: this deal is about data. The crown jewel is the massive genetic dataset—one of the largest of its kind globally. For a company like Regeneron, that kind of information fuels drug discovery, biomarker development, and precision medicine.


But what about the rest of 23andMe?

  • The DTC test kits

  • The mobile app

  • The infrastructure and infosec stack

  • The engineering and security teams


Will those parts be truly valued and maintained?

Or are they simply along for the ride—kept for appearances while the real prize is the genetic data?

And if Regeneron replaces or dismantles 23andMe’s systems and teams without preserving their knowledge, tooling, and practices, what happens to the integrity of that data?


Because when you transfer sensitive infrastructure without preserving continuity—without the people, processes, and protections that built it—you create immediate risks, from undocumented security workflows to misconfigured access controls.

The acquisition's very objective, then, feeds directly into the next concern.



2. The Risk of Security Degradation in M&A

M&A transitions are rarely seamless. In the first 6–12 months, companies consolidate vendors, lay off overlapping staff, and merge systems and policies.


That’s when security gaps form—often quietly and invisibly.


In this case, Regeneron’s strategic interest appears to lie squarely in 23andMe’s dataset—its most valuable asset by far. That focus could shape how the company approaches operational and budget decisions post-acquisition, particularly around areas that don’t directly support data extraction or monetization.


Security vendors, engineering staff, and internal security operations—while essential—may be viewed as overhead rather than differentiators.


And that’s where the risk grows.


According to Reuters, Regeneron has pledged to uphold 23andMe’s privacy policies and to collaborate with a court-appointed independent privacy overseer:

“Regeneron on Monday said it will uphold 23andMe’s existing privacy policies and comply with all applicable data protection laws. It also committed to working transparently with a court-appointed independent overseer who will assess the implications of the deal for consumer privacy.”

That’s a good start. But it doesn’t go far enough. Privacy policies are not security architectures. Compliance does not equal protection.


And a legal overseer—no matter how diligent—can’t audit undocumented workflows, tacit knowledge, or the security muscle memory that leaves when engineers walk out the door.


So the questions are:

  • Will Regeneron retain 23andMe’s security and engineering teams?

  • Will they preserve mature detection tooling—or replace it with more “standardized” cost-efficient alternatives?

  • Will any of this affect how DNA data is stored, encrypted, and accessed going forward?


We don’t know. But history shows that these risks are not theoretical—they’re structural.



3. Regeneron’s Track Record: Cause for Concern

In 2024, Regeneron was among 27 pharmaceutical companies affected by a significant data breach through its vendor, Cencora. The incident exposed over 100,000 medical records, including sensitive information such as patient names, diagnoses, and prescription histories.

This wasn’t a one-off failure.


It was an industry-wide event—impacting giants like Genentech, Bayer, AbbVie, and Novartis—revealing just how vulnerable even the most tightly regulated organizations can be.


If 27 pharma companies—each with compliance programs, audits, and certifications—were breached through a single vendor, it underscores a painful truth:

Compliance checklists don’t guarantee security.

Vendor risk management cannot stop at questionnaires or point-in-time audits.

It requires ongoing validation, shared accountability, and a culture that treats security as operational hygiene, not a formality.


And yet, after one of the most extensive vendor-related breaches in pharma history, no technical post-mortem has been shared. No lessons learned. No cross-industry transparency.


Regeneron and others filed breach notifications with regulators—and then went silent.

If this is how pharma handles security failures today, what should we expect when one of these companies—Regeneron—takes ownership of 15 million genetic profiles?

This isn’t just another health data set. It’s immutable, deeply personal, and inherited. The stakes are exponentially higher.


So the questions are:

  • How will Regeneron’s compliance and vendor management evolve to reflect this new level of sensitivity?

  • Will their approach to transparency change—especially toward the people whose DNA they now control?


Because lack of transparency in security incidents isn’t just a PR issue. It’s a sign of missing ownership. And when it comes to genetic data, that’s not acceptable. We need better, especially when our DNA is involved.



Conclusion: We Need Answers Before the Integration Begins

We understand the scientific value of this acquisition, but data ownership, access controls, and post-acquisition risk management must be addressed upfront.


The public deserves clarity:

  • Will 23andMe’s security and engineering teams be retained?

  • How will access to genetic data be managed, encrypted, and monitored during the transition?

  • How will Regeneron enforce individuals’ rights to delete their personal data or opt out of data usage under the new ownership structure?

  • What strategic direction does Regeneron envision for the web platform and mobile applications, and how does it plan to restructure 23andMe’s operations, given that the primary interest behind the acquisition appears to be access to DNA data?

  • Will the DNA dataset be siloed or integrated into Regeneron systems—and what safeguards will be in place?

If Regeneron stays silent, the cost won’t just be public trust — it will be the genetic privacy of millions. In biotech, where data is personal, predictive, and permanent, silence after a breach isn’t just a PR decision. It’s a security risk.


These are the exact moments — mergers, acquisitions, expansions — when security questions get overlooked. Until they can’t be. That’s why Sekurno focuses on securing high-risk environments before, during, and after change.



Sekurno’s Take

Privacy and security in biotech can’t be retrofitted. They must be designed into the architecture from day one — scalable, compliant, and resilient through every stage of growth.


In 2025, Sekurno was recognized as the #1 Global Cybersecurity Company and leader in Penetration Testing and Cloud Security Services — all based on verified reviews from clients across biotech, diagnostics, AI, and other high-risk and regulated industries.



Don’t Wait For a Breach to Test Your Defences

Book a biotech-ready security assessment by submitting a request or booking a call.