California Attorney General Rob Bonta filed a lawsuit against 23andMe over the company's 2023 breach that exposed sensitive genetic and personal health information belonging to millions of customers. The lawsuit names Chrome Holding Co., the corporate successor to 23andMe Holding Co., as defendant, and alleges that 23andMe failed to implement adequate security measures to protect user data.
The 2023 breach began with credential stuffing: attackers replayed username and password pairs leaked in unrelated breaches against 23andMe's login page and got in wherever a customer had reused a password. No software flaw in 23andMe's platform was exploited; the attack succeeded because of what was missing, namely mandatory multi-factor authentication and detection of one source attempting logins against many accounts. Once inside a few thousand accounts, the attackers scraped the information those accounts could see about other customers through the opt-in DNA Relatives feature, which is how a relatively small number of compromised logins exposed genetic ancestry profiles, health reports, and personal information that millions of users had voluntarily shared for ancestry and health analysis.
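Credential stuffing defeats per-account lockouts because each account is tried only once or twice with a password leaked elsewhere; the signal lives in the source, not the account. The following detector, written for this article as an illustration and not taken from 23andMe or the lawsuit, runs over constructed authentication log lines (the IPs, usernames and log format are invented) and flags any source that touches many distinct accounts with a high failure ratio, then lists the accounts that authenticated successfully from such a source as probable takeovers:

```python
"""Flag credential-stuffing activity in constructed authentication logs.

Unlike brute force, stuffing tries each username only once or twice, so
per-account lockouts never fire. The detectable signal is per source IP:
many distinct accounts, mostly failures, and any success from such a
source is a probable account takeover.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (invented format, IPs and users; not real
# 23andMe telemetry). 198.51.100.7 sprays eight accounts and lands two;
# 203.0.113.9 is one user mistyping their own password; 192.0.2.44 is clean.
SAMPLE_LOG = """\
2023-09-30T02:00:01Z ip=198.51.100.7 user=alice result=FAIL
2023-09-30T02:00:02Z ip=198.51.100.7 user=bob result=FAIL
2023-09-30T02:00:02Z ip=198.51.100.7 user=carol result=OK
2023-09-30T02:00:03Z ip=198.51.100.7 user=dave result=FAIL
2023-09-30T02:00:03Z ip=198.51.100.7 user=erin result=FAIL
2023-09-30T02:00:04Z ip=198.51.100.7 user=frank result=FAIL
2023-09-30T02:00:05Z ip=198.51.100.7 user=grace result=OK
2023-09-30T02:00:05Z ip=198.51.100.7 user=heidi result=FAIL
2023-09-30T08:15:00Z ip=203.0.113.9 user=ivan result=FAIL
2023-09-30T08:15:20Z ip=203.0.113.9 user=ivan result=FAIL
2023-09-30T08:15:45Z ip=203.0.113.9 user=ivan result=OK
2023-09-30T09:00:00Z ip=192.0.2.44 user=judy result=OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)


def parse_line(line):
    """Split 'ts k=v k=v ...' into (timestamp, ip, user, result)."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return ts, fields["ip"], fields["user"], fields["result"]


def aggregate(log_text):
    """Group attempts by source IP and count users, failures and successes."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.successes.append(user)
        else:
            s.failures += 1
    return stats


def detect_stuffing(log_text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: sorted accounts that logged in successfully from a
    flagged source}. A source is flagged when it tried at least
    `min_users` distinct accounts and at least `min_fail_ratio` of its
    attempts failed. A single user retrying their own password is never
    flagged, because the distinct-user count stays at one."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(set(s.successes))
    return flagged


if __name__ == "__main__":
    for ip, taken in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; likely compromised accounts: {taken}")
```

The thresholds are deliberately simple; in production they would be tuned per time window and combined with device or geolocation signals, and the flagged successful logins would feed a forced password reset and session revocation rather than only a report.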
Bonta's action contends that 23andMe violated California consumer protection laws by failing to maintain reasonable security safeguards for sensitive personal information. The lawsuit addresses both the company's inadequate technical controls and its delayed response and notification following the breach discovery.
The case targets a core risk in consumer genetics services. Users entrust 23andMe with intimate health data tied to their identity and family relationships, and, unlike a password or a card number, genetic data cannot be rotated once it leaks. The harm is also not abstract: the stolen 23andMe data was offered for sale on criminal forums sorted by ancestry, including lists of customers of Ashkenazi Jewish and Chinese descent, alongside the more familiar uses of breached personal data for identity theft, insurance discrimination, and other fraud.
23andMe disclosed the breach in October 2023, initially reporting that approximately 14,000 user accounts, about 0.1 percent of its customers, had been accessed directly through credential stuffing. The company later acknowledged that, through the DNA Relatives and Family Tree features those accounts could see, the attackers had scraped ancestry-related profile information on approximately 6.9 million other users, about 5.5 million from DNA Relatives and 1.4 million from Family Tree.
The lawsuit reflects growing regulatory scrutiny of direct-to-consumer genetic testing companies. States and federal agencies have increasingly demanded that companies handling genetic data implement encryption, multi-factor authentication, and robust incident response protocols; 23andMe itself made two-step verification mandatory for all customers only after the breach. California's action serves as a warning that companies storing sensitive personal health information face legal liability when their security programs fall below industry standards.
The case underscores the need for genetic testing providers to treat customer data with the same security rigor applied to healthcare providers and financial institutions. Direct-to-consumer testing companies generally fall outside HIPAA, so state consumer-protection and privacy statutes such as California's are the main legal lever for holding them to that standard.
