When a US bankruptcy court approved 23andMe’s sale to TTAM Research Institute for $305 million in mid-2025, the company had approximately 15 million customers’ DNA profiles sitting in its database. The company had reached a $6 billion valuation at peak in 2021 and raised over $800 million in private funding before going public via SPAC, raising another $592 million. The final sale price is roughly five cents on the dollar. The genetic data that was supposed to be the company’s permanent moat became the reason regulators, state attorneys general, and Congress investigated the deal.

The Business Model Problem

23andMe was built on a defensible thesis: collect genetic data from millions of individuals, then monetise it through pharmaceutical research partnerships and drug development. The $35 kit was not the business. The database was.

The logic held in 2015, when the company launched at scale. But it contained a structural flaw that took a decade to fully surface: the data was collected under a consumer privacy model, not a research participation model. Customers who bought a 23andMe kit were thinking about ancestry results and health risk reports. The idea that their genomic data would become a commercial research asset — licensed to pharmaceutical partners under terms that many customers hadn’t fully internalised — was present in the terms of service but absent from the customer’s mental model of the transaction.

This created a moat that couldn’t be fully monetised. The data existed. The commercial pathway was legally constrained and reputationally sensitive in a way that the company underestimated.

The Breach Accelerant

A 2023 data breach exposed the personal data of 6.9 million users. For most companies, a significant breach triggers a bad quarter and a regulatory fine. For 23andMe, it was existential — because the breach didn’t just expose personal information; it exposed the fundamental proposition that the company’s core asset (your most sensitive biological data) had been held by an organisation whose security had failed at scale.

Customer acquisition collapsed. Revenue, already dependent on one-time kit sales rather than a recurring subscription model, dried up. The company reduced its workforce by approximately 40% in late 2023. By March 2025, it had filed for Chapter 11 protection.

Why the Moat Framework Failed

The postmortem lesson is not “don’t collect sensitive data.” It is that data moats are only as strong as the monetisation pathway’s compatibility with the consent model used to collect the data.

23andMe collected personal genomic data in a consumer context. Monetising it as a pharmaceutical research asset required a level of commercial consent that the company never fully established with the scale of its user base. A coalition of 27 state attorneys general challenged the bankruptcy sale not because they objected to genetic research, but because they objected to the implicit reassignment of data collected under one commercial context to a new owner operating under a different commercial mandate.

This is not a regulation problem. The data collection was legal. The research partnerships were legal. The bankruptcy sale was ultimately approved. The problem was that the company built its enterprise value on an asset whose most valuable use — commercial pharmaceutical research — was the use that the company had the hardest time extracting revenue from under the consent terms it had established with 15 million customers.

The Charaka View

Manthan’s Analytical Council flags data moat arguments in any investment case where the data collection context differs materially from the intended monetisation context. This pattern recurs across consumer health, location data, and behavioural data companies. 23andMe is the most stark example — a company with genuinely unique, unreplicable data assets, no realistic competitor that could assemble 15 million DNA profiles, and still unable to extract commercial value proportionate to its information advantage.

The moat was real. The business model was built on a consent gap that compounded under regulatory and reputational pressure until it became structurally unsolvable.

When evaluating any “data moat” argument: verify that the monetisation pathway is compatible with the consent structure under which the data was collected. If those two things diverge from day one, the moat becomes the liability.


This analysis draws on GenomeWeb’s bankruptcy court approval coverage, HIPAA Journal’s reporting on the data breach and bankruptcy filing, PBS NewsHour’s coverage of state AG objections to the sale, IAPP’s analysis of data protection issues during the bankruptcy proceedings, and ElevenFlo’s financial deep dive on the Chapter 11 filing. Human editorial oversight applied.

This analysis is informational and does not constitute investment advice, a research report, or a recommendation to buy, sell, or hold any security.

Charaka Notes by Manthan Intelligence. Subscribe