MyHeritage uses encryption and has strong privacy policies on paper, but like any company that stores sensitive genetic and personal data, it carries real risks worth understanding. The company experienced a data breach in 2018 that exposed over 92 million accounts, and the broader legal landscape for protecting consumer DNA data remains thin. Here’s what you need to know to make an informed decision.
The 2018 Data Breach
In 2018, MyHeritage suffered a breach that exposed email addresses and passwords from over 92 million customer accounts. The silver lining: no financial information, DNA results, or genealogy data was compromised in that incident. The breach was limited to login credentials, and the company disclosed it publicly.
Still, 92 million accounts is a massive number, and the breach revealed that even a company handling genetic data isn’t immune to security failures. If you’ve had an account since before 2018 and never changed your password afterward, that’s worth doing now.
What MyHeritage Says About Your Data
MyHeritage’s privacy policy makes several explicit promises. The company states in capitalized text that your personal information, including genetic and health information, will never be sold or licensed to third parties, including insurance companies, government agencies, corporations, or employers. DNA data is stored on secure servers with multiple layers of encryption, though the company doesn’t publicly specify which encryption standards it uses.
On law enforcement, MyHeritage’s terms are relatively strong compared to some competitors. The company prohibits any use of its DNA services for law enforcement purposes, forensic investigations, cold case work, or identification of deceased individuals unless a valid court order is obtained. Its stated policy is to resist law enforcement inquiries in order to protect customer privacy, and to hand over data only when compelled by a court order or subpoena.
What the Law Actually Protects
The legal protections surrounding your genetic data are weaker than most people assume. The Genetic Information Nondiscrimination Act (GINA) prevents employers and health insurers from using your genetic information against you, but that’s essentially where federal protection ends. GINA doesn’t cover life insurance, disability insurance, or long-term care insurance. And it says nothing about what private companies like MyHeritage can do with your data.
As the Columbia Undergraduate Law Review noted, there is no federal legislation that specifically protects private citizens using consumer genetic testing services. A few states have stepped in with their own rules (Texas, for example, establishes property rights over residents’ genetic samples and data), but most Americans have limited legal recourse if something goes wrong.
This gap matters because company policies can change. Many consumer genetic testing companies classify genetic data as a business asset, meaning it could be transferred during mergers, acquisitions, or bankruptcy. Even if MyHeritage’s current policy prohibits selling your data, a future owner might operate under different terms. The 23andMe financial struggles in recent years highlighted exactly this scenario for the industry, raising questions about what happens to millions of DNA profiles when a company faces financial pressure.
How to Protect Your Account
MyHeritage offers two-factor authentication, which adds a second verification step when you log in. You can set it up using an authenticator app like Google Authenticator (the recommended option) or receive a six-digit code via email. Enabling two-factor authentication is one of the most effective things you can do to prevent unauthorized access to your account, especially if you reuse passwords across sites.
Beyond that, use a unique, strong password for your MyHeritage account. Given that the 2018 breach involved login credentials, treating this account with the same caution you’d give your bank login is reasonable.
You Can Delete Your Data
MyHeritage allows you to request deletion of your account and associated data. If you’ve submitted a DNA sample and later decide you’re uncomfortable with the company holding that information, you can request that your genetic data be removed. This is worth knowing before you test, not just after: once you understand you have an exit option, the decision to submit a sample feels less permanent.
That said, deletion requests rely on the company following through, and you have no practical way to verify that every copy of your data has been purged from every backup server. This is true of virtually every online service, but it carries extra weight when the data in question is your genome.
The Bigger Picture for DNA Testing
The risks with MyHeritage aren’t unique to MyHeritage. Every consumer DNA testing company operates in the same regulatory gap: strong-sounding privacy policies layered on top of weak legal protections. Current regulations allow companies to assert broad proprietary rights over genetic data and testing algorithms, leaving individuals with limited control.
What makes genetic data different from, say, a leaked credit card number is that you can’t change it. A compromised password gets reset in two minutes. Your DNA is permanent, and it doesn’t just identify you. It reveals information about your biological relatives who never consented to testing. That permanence is the core reason this question matters more than “is my email provider safe.”
If you decide the benefits of MyHeritage’s genealogy and DNA tools are worth the tradeoffs, enable two-factor authentication, use a unique password, and keep an eye on any policy changes the company announces. If the risks feel too high, you can request deletion of existing data or simply choose not to submit a DNA sample in the first place, while still using the platform’s non-DNA genealogy features.