(Radio Iowa) – A University of Iowa legal scholar who’s an expert on genetic privacy says the thousands of Iowans who used the genetic testing company 23andMe may have dodged a bullet with its recent bankruptcy, but she fears repeats with similar companies.

UI law professor Anya Prince says the genetic data of some 15-million customers nationwide appears to have emerged from the company’s financial challenges with all security measures intact.

“What happened in the bankruptcy proceeding is that the winning bidder for the data and the company was a company called TTAM, which actually stands for 23andMe,” Prince says. “It’s a nonprofit entity owned by the original co-founder of 23andMe, and that company has promised to keep the same services, keep the same employees.”

Prof. Anya Prince (UI photo)

If it had fallen into the wrong corporate hands, Prince says that genetic data could have been used in ways customers of 23andMe never intended.

“There could be worry about that being misused by life insurance companies or other insurance companies, or use by law enforcement — which some people are uncomfortable with, or purchased by a foreign nation,” Prince says. “There could be a range of options that really our laws don’t protect against fully.”

The company’s at-home test kits are easy to use and the reports sent back to customers based on their DNA often provide information about their ancestry and family members. Still, depending on the test, those genetic markers may also reveal predispositions to diseases, which could mean higher premiums, should an insurance company access the data. Also, law enforcement might be able to access your genetic data without a warrant, which could have all sorts of implications.

Prince has co-authored a paper saying the 23andMe bankruptcy and sale exposed critical gaps in consumer privacy protections, and she says new privacy laws are needed, either at the state or federal level, to safeguard genetic data.

“When people give their private data, including genetic information, to companies like this, they really are trusting them to be good stewards of their data,” Prince says, “but right now, our laws don’t require them to be good stewards of the data. It just requires them to tell people what’s going to happen in the privacy policies that we know nobody reads anyway.”

Prince and a colleague have launched a website that tracks genetic privacy laws across the U.S. She recommends it for anyone who’s already given out their genetic data, or who might be considering it.

“We meant it to be available for everyone and readable by everyone,” Prince says. “There’s lots of maps so you can click through, and we really hope that it’s accessible, and we did not put it in the legalese that everybody gets so annoyed with their lawyers for speaking in.”

Prince says the U.S. lacks a comprehensive federal privacy framework for genetic data protection and the country’s health privacy law (HIPAA) does not apply to direct-to-consumer DNA testing companies.