23andMe's Data Breach Exposes 6.9 Million Users' DNA, Updates Terms to Prevent Class Action Lawsuit

ICARO Media Group
News
06/12/2023 23h00

In a shocking turn of events, genetic testing company 23andMe has admitted to losing the DNA data of a staggering 6.9 million users, significantly higher than its initial report of 14,000 affected users. The breach, which occurred due to a hack, has raised serious concerns about the security and privacy of personal genetic information.

The company's updated terms of service, implemented last week, now prevent users from filing a class action lawsuit against 23andMe. Instead, users are forced into binding arbitration, a means of settling disputes outside of court. This move has sparked criticism and debate among privacy advocates and affected customers alike.

According to a report by Stack Diary on Wednesday, 23andMe specifically prohibits a class action lawsuit unless each individual opts out of the arbitration process. Users who wish to opt out have until December 30th to do so by emailing arbitrationoptout@23andme.com. However, this detail was buried at the bottom of the fifth section in the updated terms of service, making it potentially easy to miss.

Stack Diary further revealed that 23andMe notified its users about the updated terms of service via email on November 30th, around the same time that the company downplayed the impact of the hack, initially stating that only 0.1% of users were affected. However, it seems that those who had opted into 23andMe's DNA Relative feature had their personal information exposed, including their name, birth year, ancestry reports, DNA makeup, family members, and location.

With the implementation of binding arbitration, any disputes between 23andMe and affected users would be presented to an arbitrator, a neutral third party. The decision of the arbitrator would be final and legally enforceable, leaving both parties with no option to appeal in court.

The move to avoid a class action lawsuit by implementing arbitration has significant implications for the 6.9 million users whose data was compromised. In a class action lawsuit, these users would likely not be responsible for any legal fees. However, the arbitration provision divides users and strips away their collective power, taking away their ability to fight as a group. Arbitration is generally considered faster and more discreet than court proceedings, not to mention much cheaper for 23andMe.

While an opt-out option exists, the likelihood of nearly 7 million users sending the opt-out email within the 30-day deadline seems low. If a class action lawsuit does arise, only a smaller portion of the hacked users may be able to participate, further complicating the pursuit of justice for the victims of this data breach.

The incident serves as a stark reminder that even companies entrusted with sensitive genetic information might not be immune to hacking and data breaches. It also raises questions about the balance between user rights and companies' legal protections in the increasingly data-driven world.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
