Washington, D.C. — Below is an opening statement, as prepared for delivery, from U.S. Representative Stephen F. Lynch, Acting Ranking Member of the Committee on Oversight and Government Reform.  The remarks were delivered at today’s Full Oversight and Government Reform Committee hearing on the bankruptcy filing of genetic testing company 23andMe, and its implications on the privacy of Americans’ sensitive data.

Click here to watch the video. 

"Thank you, Chairman Comer, for calling this hearing to examine the serious issue of how we can protect Americans’ sensitive, personal data from hostile actors. 

23andMe holds the genetic and biographical data of 15 million customers.  This includes billions of phenotypic data points that make up DNA profiles, detailed genealogical and ancestry history, and health predispositions. 

While health care providers and insurance companies must follow federal laws like the Health Insurance Portability and Accountability Act, or HIPPA—which protect their sensitive data from unauthorized sharing—direct-to-consumer companies like 23andMe operate with minimal oversight and regulation. 

The lengthy, opaque terms of service and privacy policies that customers are required to agree to typically allow for their data to be sold during a sale or bankruptcy, and that is precisely the situation that millions of the company’s customers find themselves in today.

Americans deserve to know what the sale of 23andMe will mean for the sensitive genetic data it holds.  But Chairman Comer demanded this hearing take place today, in the midst of the bankruptcy bidding process, when their witnesses are legally prohibited from speaking to any details related to the bankruptcy and sale.  We will do our best to get answers despite this challenge.

Our concerns are magnified by the fact that hostile actors, including foreign adversaries, are constantly attempting to buy or steal Americans’ sensitive data.  In 2023, 23andMe was the target of a massive breach in which an outside attacker stole the data of seven million customers, reportedly targeting those with Ashkenazi Jewish heritage. 

The governments of the People’s Republic of China, the Russian Federation, North Korea, and Iran conduct persistent cyberattacks against the United States.  China’s President Xi Jinping has made clear that dominating the AI race and achieving global supremacy in biotechnology are critical to future geopolitical power, and obtaining vast troves of Americans’ sensitive data is a key component of his strategy. 

Failing to safeguard Americans’ data from these hostile actors would not only be a critical violation of privacy but also a national security catastrophe. 

Given the sensitive nature of the data that companies like 23andMe hold, the possibility for that data to end up in entirely new hands in the event of sale or bankruptcy, and the risk of data breaches, including by hostile foreign governments, we cannot rely solely on corporate efforts to ensure this data is protected. 

We need strong privacy protections and comprehensive laws and regulations that address the evolving landscape.  That is where the federal government comes in.

But instead of a strong federal government that makes every effort to protect Americans’ sensitive data, the Trump Administration and DOGE are dismantling our IT and cybersecurity workforce and replacing hardworking civil servants with unqualified hacks. 

Just last week, President Trump installed a 22-year-old with no national security expertise to oversee a Department of Homeland Security hub for terrorism prevention. 

The Administration has spent the past five months weakening our leading cybersecurity and consumer protection agencies and purging the federal watchdogs who ensure government works for the people’s interests. 

I condemn these efforts, and if Committee Republicans were serious about this hearing, they would too.

If we are concerned about the security and privacy of Americans’ sensitive data, we need a hearing examining the myriad ways that DOGE is violating cybersecurity and privacy laws and making our personal information easier to steal or use against us. 

We need a hearing on how and why DOGE installed a server of unknown nature and origin at the Office of Personnel Management—or the specialized computers that DOGE engineers are reportedly creating to merge Americans’ data across agencies—with blatant disregard for federal laws that ensure Americans know when their data is being accessed and by whom.

We need a hearing on the ways that DOGE has exposed critical federal systems to hostile foreign actors, and on the massive cuts to personnel that DOGE has made across the government—including at critical agencies like the Social Security Administration, which houses every American’s social security number. 

Last week, Republicans on this committee voted again to shield Elon Musk from accountability for the destruction and danger he has wrought on Americans—quite possibly under the influence of hard drugs.  But this is the Oversight Committee, and the American people deserve answers.

We have weak privacy laws, persistent threats from foreign adversaries and Trump’s own estranged top advisor, and a president who is, both intentionally and through incompetence, crippling the federal government’s cybersecurity defenses, privacy safeguards, and oversight capabilities. 

This perfect storm leaves Americans’ sensitive data vulnerable to breaches, exploitation, and surveillance.  Americans—not private companies, hackers, or Elon Musk and DOGE—deserve to own their data and make the decision about how, where, and if their sensitive information is used.

I hope my Republican colleagues will join us in taking a comprehensive approach to securing Americans’ private data, because while it appears Americans can opt to delete their data from 23andMe, there are no options to delete their data from DOGE."