California AG sues 23andMe over 2023 breach exposing health data

Why This Matters

The lawsuit against 23andMe highlights the critical importance of robust cybersecurity measures in protecting sensitive health and genetic data. For consumers and the tech industry, it underscores the risks of inadequate security practices and the potential consequences of data breaches involving personal health information. This incident serves as a stark reminder that even leading biotech firms must prioritize data security to maintain trust and comply with regulations.

Key Takeaways

California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company’s failure to protect sensitive customer genetic and personal information.

Inadequate security led to a high-profile data breach in 2023 that exposed the sensitive information of nearly 7 million customers, including 855,541 Californians.

The incident came to light in October of that year, after threat actors offered to sell a large number of records stolen from 23andMe and leaked data samples (and later larger parts of the dataset) to prove the authenticity of the information.

The California-based company confirmed that the leaked data was genuine and claimed that it had been extracted following a credential-stuffing attack targeting accounts with weak credentials.

Soon, it became clear that the attackers had exfiltrated data from users opting into the platform's 'DNA Relatives' feature, and then accessed a second, much larger set of accounts that didn’t use the feature.

In total, the incident exposed data of roughly 6.9 million customers, including genetic data, health predisposition information, ancestry and ethnicity information, biological relatives, and DNA matches.

By the end of 2023, the company was already facing multiple lawsuits. In early 2024, national data protection authorities launched investigations that ultimately resulted in multi-million-dollar fines, leading the company to file for bankruptcy.

The latest lawsuit filed by AG R. Bonta claims that 23andMe failed to implement reasonable safeguards against credential-stuffing attacks, missed multiple opportunities to detect the intrusion, and failed to catch the coding error in DNA Relatives that led to the widespread breach.

In addition to the data protection failures, Bonta also underlines the misleading public statements 23andMe made before and after the incident.

Specifically, the firm claimed before the incident that its security met high standards. After the breach, it attempted to downplay the incident's severity, suggesting that the exposed data was largely public, and blamed customers for password reuse, stating that its systems had not been breached.
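The lawsuit's central technical claims are that credential stuffing was not guarded against and that the intrusion went undetected. The following is an added illustration, not code from the article or from 23andMe, of the kind of source-keyed detection that catches this attack pattern; it runs over constructed authentication log lines in an assumed format and uses illustrative thresholds, and it also separates stuffing from plain brute force and lists the accounts whose reused passwords succeeded.

```python
# Added example, not from the article: a credential-stuffing detector over constructed
# auth log lines. Stuffing tries many DIFFERENT accounts a few times each, so
# per-account lockouts never fire; keying on the source and counting distinct
# accounts in a sliding window catches it and separates it from brute force.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: "<ISO time> <src_ip> <account> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2023-10-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2023-10-01T10:00:03 203.0.113.7 carol LOGIN_OK
2023-10-01T10:00:04 203.0.113.7 dave LOGIN_FAIL
2023-10-01T10:00:06 203.0.113.7 frank LOGIN_OK
2023-10-01T10:05:00 198.51.100.9 alice LOGIN_FAIL
2023-10-01T10:05:01 198.51.100.9 alice LOGIN_FAIL
2023-10-01T10:05:02 198.51.100.9 alice LOGIN_FAIL
2023-10-01T10:05:03 198.51.100.9 alice LOGIN_FAIL
2023-10-01T11:30:00 192.0.2.5 ivan LOGIN_OK
"""

def parse_log(text):
    """Parse the constructed format into (time, ip, account, succeeded) tuples."""
    return [(datetime.fromisoformat(t), ip, acct, r == "LOGIN_OK")
            for t, ip, acct, r in (ln.split() for ln in text.splitlines())]

def classify_sources(events, window=timedelta(minutes=10), min_attempts=4, min_accounts=4):
    """Map source IP -> 'credential_stuffing' (many distinct accounts) or
    'brute_force' (one account) once a window holds min_attempts logins."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    verdicts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide window start forward
                start += 1
            win = rows[start:end + 1]
            if len(win) < min_attempts:
                continue
            accounts = {a for _, a, _ in win}
            if len(accounts) >= min_accounts or len(accounts) == 1:
                verdicts[ip] = "credential_stuffing" if len(accounts) > 1 else "brute_force"
                break
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that logged in OK from a stuffing source: force a password reset and revoke sessions."""
    stuffing = {ip for ip, v in verdicts.items() if v == "credential_stuffing"}
    return {account for _, ip, account, ok in events if ok and ip in stuffing}
```

Per-account lockout thresholds alone would never trigger on the first source above, which is why the source must be the detection key.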