California AG sues 23andMe over 2023 breach exposing health data
California AG Rob Bonta sues 23andMe over a 2023 data breach, alleging neglect in protecting the genetic and personal data of millions.
This article is original editorial commentary written with AI assistance, based on publicly available reporting by BleepingComputer. It is reviewed for accuracy and clarity before publication. See the original source linked below.
California Attorney General Rob Bonta has initiated a high-stakes legal battle against 23andMe, recently reorganized as Chrome Holding Co., following a catastrophic 2023 data breach that compromised the sensitive genetic profiles of millions. The lawsuit alleges that the consumer genetics giant failed to implement reasonable security measures, leaving the biological blueprints of its users vulnerable to exploitation. This litigation marks a critical turning point in the intersection of digital privacy and biotechnology, moving beyond standard consumer data protections into the much more personal—and permanent—realm of DNA security.
The legal action stems from a breach that occurred between April and September 2023, though the full scale of the incident only became clear months later. Initially, 23andMe reported that a subset of accounts had been compromised through credential stuffing—a technique where hackers use passwords leaked from other sites to gain unauthorized access. However, the scope expanded dramatically when it was revealed that by accessing just 14,000 individual accounts, hackers were able to scrape the data of 6.9 million other users who had opted into the "DNA Relatives" feature. This vulnerability turned the company’s core selling point—the ability to find family connections—into a systemic security flaw.
Historically, 23andMe was the standard-bearer for the direct-to-consumer genetic testing industry, transforming niche science into a mainstream cultural phenomenon. For years, privacy advocates warned that a centralized repository of human genomes represented a "honeypot" for malicious actors and foreign intelligence services. Despite these warnings, the company flourished, accumulating one of the world’s most valuable biological datasets. The current lawsuit suggests that while 23andMe was aggressive in its marketing and data collection, it was negligent in its stewardship, failing to update its defensive posture as its profile and the threats against it grew.
At the heart of the complaint is the principle of "security by design." The Attorney General argues that 23andMe failed to mandate multi-factor authentication (MFA) despite the uniquely sensitive nature of its assets. Furthermore, the company is accused of failing to adequately monitor for unusual traffic patterns that would have signaled a credential-stuffing campaign in its infancy. By allowing an unauthorized user to piggyback off one person's consent to view relatives’ data, the company inadvertently created a lateral movement pathway for hackers to extract information on millions of people who had never been directly "hacked" themselves.
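One way a defender could surface the two patterns the complaint describes (a credential-stuffing burst followed by bulk enumeration of relatives' profiles from a taken-over account), as an added example that is not part of the original article or of 23andMe's systems; the log events, field names and thresholds are constructed assumptions:

```python
from collections import defaultdict

# Constructed sample events (hypothetical, not 23andMe's logs):
# (event, source_ip, account, relative_profile_viewed_or_None)
EVENTS = [
    ("login_fail", "203.0.113.9", "alice", None),
    ("login_fail", "203.0.113.9", "bob", None),
    ("login_ok", "203.0.113.9", "carol", None),      # one stuffed credential worked
    ("login_fail", "203.0.113.9", "dave", None),
    ("login_fail", "203.0.113.9", "erin", None),
    ("login_ok", "198.51.100.7", "frank", None),     # ordinary user: one typo, then success
    ("login_fail", "198.51.100.7", "frank", None),
    ("relative_view", "198.51.100.7", "frank", "rel-1"),
]
# The compromised account then enumerates 50 distinct relatives' profiles.
EVENTS += [("relative_view", "203.0.113.9", "carol", f"rel-{i}") for i in range(50)]

def flag_credential_stuffing(events, min_attempts=4, min_accounts=3, max_success_ratio=0.5):
    """Map each suspicious source IP to the accounts it logged into successfully.

    Credential stuffing looks unlike a forgotten password: many attempts from one
    source, spread over many distinct accounts, with a low success rate.
    """
    tries = defaultdict(list)
    for kind, ip, account, _ in events:
        if kind in ("login_ok", "login_fail"):
            tries[ip].append((account, kind == "login_ok"))
    flagged = {}
    for ip, attempts in tries.items():
        accounts = {a for a, _ in attempts}
        successes = [a for a, ok in attempts if ok]
        if (len(attempts) >= min_attempts and len(accounts) >= min_accounts
                and len(successes) / len(attempts) <= max_success_ratio):
            flagged[ip] = sorted(successes)
    return flagged

def flag_relative_scraping(events, max_profiles=20):
    """Map accounts that viewed more distinct relative profiles than a normal
    user would to the number of profiles they pulled (bulk-export behaviour)."""
    seen = defaultdict(set)
    for kind, _, account, target in events:
        if kind == "relative_view":
            seen[account].add(target)
    return {a: len(p) for a, p in seen.items() if len(p) > max_profiles}

def correlate(events):
    """Accounts that were both taken over by a stuffing source and used to scrape."""
    stuffed = {a for accts in flag_credential_stuffing(events).values() for a in accts}
    return sorted(stuffed & set(flag_relative_scraping(events)))
```

The thresholds are deliberately simple; in production they would be tuned per endpoint and combined with rate limits and mandatory MFA rather than used as the only control.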
The industry implications of this lawsuit are profound. This is no longer just about leaked credit card numbers or email addresses; genetic data cannot be changed or canceled. A compromised genome is a permanent liability. This case sets a precedent for how the California Consumer Privacy Act (CCPA) and the Confidentiality of Medical Information Act (CMIA) apply to the burgeoning "wellness" and ancestry tech sector. It sends a clear signal to Silicon Valley that health-adjacent data will be treated with the same regulatory weight as traditional medical records, potentially forcing an expensive overhaul of security protocols across the entire biotech industry.
Looking forward, the survival of 23andMe itself remains an open question. The company has faced a staggering decline in market valuation, board resignations, and a pivot toward becoming a "subscription-based health company" under its new holding structure. Observers should watch for whether this lawsuit triggers a domino effect of similar actions from other state attorneys general or federal regulators like the FTC. Moreover, the outcome will likely dictate future standards for "informed consent," specifically regarding how much risk a consumer truly understands they are taking when they upload their most intimate biological information to the cloud.
Why it matters
- The lawsuit shifts 23andMe's liability from a simple password leak to a systemic failure to protect 'permanent' genetic data that cannot be reset.
- The 'DNA Relatives' feature is identified as a primary security vulnerability, as it allowed hackers to bypass individual account protections to scrape millions of records.
- Regulators are increasingly signaling that direct-to-consumer genetic firms will be held to the same rigorous standards as traditional healthcare providers.