26 June 2025

Practical data governance for merging health enterprises

Rahul Prasad
Manager
Cassie Findlay
Principal
Melanie Marks
Director

elevenM’s Melanie Marks, Cassie Findlay and Rahul Prasad discuss the dangers of leaving data governance out of merger planning, and set out the steps to take to ensure you include it.

Structural change in healthcare, whether it’s the merger of public health services or the shutdown of a digital health platform, puts enormous pressure on one critical asset: health data.

And it is not only continuity of care that organisations need to think about. Poor handling of records during transitions can erode public trust, invite regulatory scrutiny, and in some cases, lead to real patient harm.

The hard lessons learned from 23andMe’s data breach, bankruptcy and business model shift provide a clear message: health services should evolve their data governance before structures change.

If your organisation is facing a merger, acquisition, or service wind-down, here’s a practical roadmap for ensuring data governance doesn’t become collateral damage.

The 23andMe cautionary tale

When consumer DNA testing company 23andMe suffered a data breach in 2023 (affecting nearly 7 million users) it became a live case study in what happens when health-related businesses lose control of sensitive personal data. Regulators circled, class actions followed, and many customers began to question what exactly they had consented to. 23andMe has since gone out of business, leaving many people duly concerned about the release of their DNA into the wild.

Just last week, Canadian Privacy Commissioner Philippe Dufresne and UK Information Commissioner John Edwards released the findings from their joint investigation finding that 23andMe “did not develop appropriate safeguards” to prevent the attack. Deficiencies included a lack of what many of us would consider basic security controls such as multi-factor authentication, complex password requirements and checks to ensure customers weren’t using credentials that had been compromised in previous data breaches. There were no additional controls to protect raw DNA data from being accessed and downloaded from an account. The UK regulator has imposed a fine of £2.31m – though it is unclear how this will be paid given that the company declared bankruptcy in March 2025 due to falling demand for its services and other financial woes.

With the declaration of bankruptcy, 23andMe announced that it planned to “sell substantially all of its assets”, of which its data holdings are the largest. With 23andMe operating in many jurisdictions that don’t include a right to deletion, this has left many consumers potentially in a situation where their genetic information is sold to an unknown enterprise, which they certainly would not have expected or consented to. A lawsuit filed in multiple US states insists that the company needs explicit consent from each individual before it can sell the data, but even if successful, this lawsuit will only cover a portion of the data held (i.e. that of US customers).

This is a cautionary tale for consumers too of course, and it is getting harder to ignore the reality that companies are risky custodians for personal information like our DNA, which has the ability to affect so many aspects of our lives.

Getting ahead of mergers: A 12-month, 6-month, 3-month plan

So, how does this relate to the broader health system? The example of 23andMe may seem far from the remit of public hospitals, but the principle is the same — if your business model changes or fails, your data handling obligations don’t vanish.

From consolidations such as the creation of Primary Health Networks through the merging of Medicare Locals, to the amalgamation of Western Health with Djerriwarrh Health Services, organisational change is a fact of life in the health system, and it should be approached systematically. Technology, workflows, and recordkeeping protocols need to be synchronised well in advance to avoid operational chaos or unintentional privacy breaches.

Establishing good conditions for transferring health records takes time. By analogy, it takes longer to build a solid house than a makeshift one. Both need maintenance, but a house built on a solid foundation with quality materials may need a tweak here and there, while the house of sticks is easily blown down and will require a complete rebuild sooner than you think.

Before a merger you should expect a 12-month+ program of work and the same amount of effort on the other side of Day 1.

Build the foundation

At 12 months out you should build the foundation:

  • Inventory: Conduct an audit of all health information systems across merging entities. Classify data holdings by sensitivity, legal obligations, and operational relevance.
  • Responsibilities: Identify and document who owns what data—and where data stewardship might shift post-merger.
  • Data governance lead: A dedicated person (or small team) should be accountable for aligning privacy, security, and interoperability strategies.

Design for transition

At 6 months out, design for transition:

  • Policy harmonisation: Align privacy, security, retention, and access policies across entities.
  • Allocate resources: Make sure highest risk and reward areas are prioritised.
  • Access controls: Review user access levels across systems to ensure that need-to-know access principles are applied consistently.
  • Plan for any revised consents: Use the inventory to guide how consents are transitioned or reaffirmed. Ensure they are securely stored, auditable, and consistently managed across systems.
  • Data quality: Begin de-duplicating records and resolving discrepancies across systems.

Activate

As you get closer (3 months out), activate:

  • Lock down legacy systems: Restrict changes to existing records unless clinically necessary and enable heightened monitoring. This limits data drift during transition.
  • Test migrations: Run dry tests of any planned data migrations or integrations. Document outcomes and fix identified issues.
  • Communicate: Notify patients, staff, and stakeholders about upcoming changes, outlining how their data is protected, what happens to their data and who to contact with concerns.

The real work of course begins after the merger.

Integration can take 12–24 months after Day 1. During this time, you should be implementing audit and assurance processes over all access to, use of and disclosure of health records. You should also be consolidating your technology and systems and scheduling final migrations. Staff will need to be educated in navigating the new systems and in understanding their updated privacy and security responsibilities. Finally, before you make significant changes to data handling practices post-merger, do your homework via privacy impact assessments, security assessments and vendor checks.

A note on business wind-downs

Remember, if your health business is winding down, you still have legal obligations to protect patient records. These record retention obligations do not disappear when a business ceases to exist – and in some cases they involve long retention periods, particularly for records of minors. You should inform individuals where their records will be stored or transferred, and securely destroy data you are not legally required to retain, with proper documentation.

Contact us

If you’re interested in learning more about privacy and data governance, please contact us.