Hacker News
by BasilPH 865 days ago
> As an added security measure, we have temporarily disabled the ability to download your raw genetic data. We hope to re-enable this ability soon, and we appreciate your patience.

After reading this article I decided to download my data in case they go under. Was greeted with this message on the relevant page. Does anybody have some insight if this is related to the data breach or something else?

2 comments

I believe under HIPAA, you have the right to access any of your medical data. If you really want your data, I would get a lawyer to write a nasty letter to them demanding it.

So far, genetic testing firms haven't been considered to be covered by HIPAA:

https://lawforbusiness.usc.edu/direct-to-consumer-generic-te...

As usual when HIPAA is brought up, you're wrong. HIPAA is the most misunderstood law in America.

Hint, the "I" in HIPAA stands for "insurance." A general rule - if an insurance company isn't involved HIPAA doesn't apply. HIPAA is a law that regulates insurance companies and entities that deal directly with insurance companies, not "medical data."

HIPAA doesn't apply to 23andMe. At all. HIPAA only applies to "covered entities" - https://www.hhs.gov/hipaa/for-professionals/covered-entities...

> A general rule - if an insurance company isn't involved HIPAA doesn't apply.

Not exactly. If you go to most any healthcare provider, and pay out-of-pocket, HIPAA still applies. More accurately, HIPAA applies to any healthcare provider who transmits any health information in electronic form in connection with a transaction covered by 45 C.F.R. §160.103. Or in other words, basically every healthcare provider is also a covered entity, unless they're completely 100% cash only and don't take insurance for anyone ever. Do these even exist?

Although, still 23andMe wouldn't be covered because they're not providing healthcare services.

>basically every healthcare provider is also a covered entity, unless they're completely 100% cash only and don't take insurance for anyone ever.

This is correct - I should have been more specific. If a business doesn't take insurance then HIPAA doesn't apply. Not that insurance isn't involved in a specific transaction. I've edited my GP comment to be more specific.

>Do these even exist?

Yes, absolutely.

https://www.healthline.com/health-news/these-doctors-accept-...

https://www.nytimes.com/2012/11/24/your-money/dealing-with-d...

https://www.fawkeshealth.com/insights/are-cash-only-clinics-...

So-called "pill mills" are almost always cash-only when they operate.

There are also health centers on university campuses that are funded through student fees and don't bill insurance.

They've been doing that for months. Scummy behavior tbh. It happened right after the hack, but there's also a new crop of competitors that let you upload your raw 23andMe data, so there's speculation that it's trying to stop the outflow.

If you email them about it, you just basically get a copy-pasta reply restating the message on the site, and if you keep emailing them 3+ times asking for a refund (ask me how I know), they'll tell you you can manually upload identity verification and they'll get back to you in 6-8 weeks with the data.

Thanks for letting me know, I'll try that.

My guess is also that they use the hack as an excuse to keep people in.