# California AG Sues 23andMe Over Genetic Data Breach
California Attorney General Rob Bonta has filed a lawsuit against 23andMe — now operating under the name Chrome Holding Co. following its bankruptcy and acquisition — over the company's failure to adequately protect sensitive customer data in its 2023 data breach. The breach exposed genetic ancestry, health predisposition data, and personal information belonging to approximately 6.9 million users.
The lawsuit marks one of the most high-profile legal actions taken against a consumer genomics company in the United States and underscores the growing regulatory attention on the unique risks posed by genetic data — information that cannot be changed, is inherently familial in nature, and carries permanent implications for those exposed.
## What Happened: The 2023 Breach
| Detail | Information |
|---|---|
| Company | 23andMe (now Chrome Holding Co.) |
| Attack method | Credential stuffing |
| Initial disclosure | October 2023 |
| Users directly compromised | ~14,000 accounts (credential stuffing) |
| Total records exposed | ~6.9 million (via DNA Relatives feature) |
| Data types | Genetic ancestry, health predispositions, display names, birth years, locations |
The 2023 breach began as a credential stuffing attack, where threat actors used previously leaked username/password combinations to access approximately 14,000 23andMe accounts. The attacker then leveraged the platform's DNA Relatives feature — which allows users to see and share data with genetic relatives — to scrape data from the 6.9 million accounts connected to those initially compromised profiles.
The breach became particularly alarming because it disproportionately exposed Ashkenazi Jewish and Chinese heritage users, data that was specifically highlighted and offered for sale in threat actor forums. 23andMe disclosed the breach in October 2023, acknowledged the extent in December 2023, and ultimately entered bankruptcy proceedings in 2025.
## What the Lawsuit Alleges
California's lawsuit against Chrome Holding Co. centers on several key failures:
### 1. Inadequate Security Measures
The complaint alleges that 23andMe failed to implement reasonable security practices to protect against credential stuffing, including:
- Failing to require or enforce multi-factor authentication (MFA) for user accounts prior to the breach
- Insufficient rate-limiting on login attempts
- Failure to detect or respond to the large-scale credential stuffing campaign in a timely manner
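The three controls listed above (MFA, login rate limiting, and timely detection) are the ones a defender can actually measure. The following is an added example, not code from the article or from 23andMe: a small per-source login rate limiter and a credential-stuffing detector run over constructed authentication log lines in an assumed `timestamp ip user result` format. Credential stuffing differs from a brute-force attack on one account in that each source tries many distinct usernames with roughly one password each, so the signal per source IP is a high count of distinct accounts combined with a high failure ratio and a handful of successes; those successes are the accounts that need forced credential reset and session revocation.

```python
"""Added example: per-source login rate limiting and credential-stuffing
detection over constructed auth logs. Not code from the article or 23andMe."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample log lines (hypothetical "ts ip user result" format).
# 203.0.113.5 sprays one attempt each across twelve accounts; the other two
# sources are ordinary users logging in to their own accounts.
SAMPLE_LOG = """\
2023-10-01T02:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-01T02:00:02Z 203.0.113.5 carol@example.com SUCCESS
2023-10-01T02:00:03Z 203.0.113.5 dave@example.com FAIL
2023-10-01T02:00:03Z 203.0.113.5 erin@example.com FAIL
2023-10-01T02:00:04Z 203.0.113.5 frank@example.com FAIL
2023-10-01T02:00:04Z 203.0.113.5 grace@example.com SUCCESS
2023-10-01T02:00:05Z 203.0.113.5 heidi@example.com FAIL
2023-10-01T02:00:05Z 203.0.113.5 ivan@example.com FAIL
2023-10-01T02:00:06Z 203.0.113.5 judy@example.com FAIL
2023-10-01T02:00:06Z 203.0.113.5 mallory@example.com FAIL
2023-10-01T02:00:07Z 203.0.113.5 niaj@example.com FAIL
2023-10-01T08:15:00Z 198.51.100.7 alice@example.com FAIL
2023-10-01T08:15:05Z 198.51.100.7 alice@example.com SUCCESS
2023-10-01T09:30:00Z 192.0.2.9 bob@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Login activity aggregated for one source IP."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that succeeded


def parse_line(line):
    """Split one constructed log line into (ts, ip, user, success_flag)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "SUCCESS"


def aggregate(log_text):
    """Group attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def detect_stuffing(log_text, min_distinct_users=10, min_failure_ratio=0.7):
    """Return {ip: sorted accounts that succeeded} for sources whose pattern
    (many distinct usernames, mostly failures) matches credential stuffing.
    The successful accounts are the ones to reset and log out."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        many_users = len(s.users) >= min_distinct_users
        mostly_failing = s.failures / s.attempts >= min_failure_ratio
        if many_users and mostly_failing:
            flagged[ip] = sorted(s.successes)
    return flagged


class LoginRateLimiter:
    """Sliding-window limit per source: at most `limit` login attempts in any
    `window` seconds. Timestamps are plain seconds for simplicity."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)

    def allow(self, ip, now):
        q = self.history[ip]
        while q and now - q[0] >= self.window:  # drop attempts outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
    # prints {'203.0.113.5': ['carol@example.com', 'grace@example.com']}
```

The thresholds are assumptions for the constructed data; in production they would be tuned against the service's normal login behaviour, and the source key would usually be a combination of IP range, ASN and device fingerprint rather than a single address, since stuffing campaigns are routinely spread across proxy pools.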
### 2. Delayed Notification
The AG alleges that 23andMe was slow to notify affected customers and regulators, violating California's breach notification obligations under the California Consumer Privacy Act (CCPA) and the California Data Breach Reporting Law (Civil Code Section 1798.82).
### 3. Failure to Safeguard Sensitive Genetic Information
23andMe held among the most sensitive categories of personal data — genetic information — which is specifically protected under California's Genetic Information Privacy Act (GIPA). The lawsuit argues the company did not apply security controls commensurate with the sensitivity of the data it collected and retained.
### 4. Misleading Statements
The complaint further alleges that post-breach communications from 23andMe were misleading about the scope of the compromise and the company's security posture.
## Why Genetic Data Breaches Are Uniquely Dangerous
Unlike passwords or credit card numbers, genetic data cannot be changed. Its exposure carries consequences that are:
- Permanent — the information is immutable
- Familial — genetic data reveals information about biological relatives who never consented to 23andMe's terms of service
- Health-sensitive — predisposition data for conditions like cancer, Alzheimer's, and hereditary diseases
- Identity-linked — ancestry and ethnic heritage data that can enable targeted discrimination or persecution
- Insurance-impactful — despite GINA protections in the U.S., genetic data can affect life, disability, and long-term care insurance decisions
## 23andMe's Collapse and the Chrome Holding Acquisition
23andMe filed for Chapter 11 bankruptcy in March 2025 following years of financial losses and the reputational damage from the breach. The company's genetic database — containing samples from over 15 million customers — was subsequently sold to Chrome Holding Co. as part of the bankruptcy proceedings.
The acquisition raised immediate concerns from privacy advocates and regulators about who now controls one of the world's largest private collections of human genetic data and what commitments, if any, bind the new owner to 23andMe's original privacy policy promises.
California's AG specifically named Chrome Holding Co. in the lawsuit, seeking to hold the successor entity accountable for 23andMe's pre-acquisition failures and to ensure ongoing obligations to affected customers.
## Regulatory and Legal Landscape
This lawsuit represents a significant escalation in genetic data privacy enforcement:
| Development | Description |
|---|---|
| California CCPA action | First major state AG suit over a genomics breach |
| FTC attention | The FTC has previously flagged genetic data companies for privacy risks |
| GIPA enforcement | California's Genetic Information Privacy Act offers specific protections |
| Class actions | Multiple class-action lawsuits were filed against 23andMe following the 2023 breach |
| Congressional scrutiny | The breach prompted calls for federal genetic privacy legislation |
## What Affected Customers Should Know
If you were a 23andMe customer:
- Your data may have been exposed — check if your email was part of the breach via services like Have I Been Pwned
- You cannot un-expose genetic data — the information about your ancestry and health predispositions may now be in threat actor databases
- Monitor for targeted phishing — attackers who obtained your data may attempt highly tailored social engineering attacks
- Review data deletion requests — 23andMe allowed customers to request data deletion; Chrome Holding's handling of such requests should be monitored
- Watch for insurance and discrimination risks — consult legal counsel if you believe genetic data exposure has affected you materially
- Follow the lawsuit — outcomes may include notification requirements, credit monitoring offers, or monetary settlements for affected customers
## Industry Implications
The 23andMe breach and subsequent lawsuit have broad implications for the direct-to-consumer genomics industry:
- Consumer genomics companies hold data that is fundamentally different in risk profile from typical consumer services — the regulatory framework must reflect this
- MFA enforcement should be mandatory, not optional, for accounts holding health or genetic information
- DNA Relatives and social features create massive blast-radius risks where a small number of compromised accounts can expose millions
- Bankruptcy proceedings that include genetic databases require specific legal safeguards for data subjects — existing bankruptcy law was not designed with genetic data in mind
Source: BleepingComputer