California sues 23andMe over genetic data breach affecting 6.9 million users

The genetics testing company 23andMe was sued on Thursday by California Attorney General Rob Bonta over a 2023 data breach that exposed genetic and other personal information of an estimated 6.9 million US customers.
- California sued 23andMe over a 2023 data breach that exposed sensitive genetic and ancestry data tied to 6.9 million US customers.
- The state accuses the company of ignoring warning signs, downplaying the breach, and failing to properly protect highly sensitive DNA information.
- The lawsuit adds new legal pressure as 23andMe continues navigating bankruptcy fallout and privacy concerns surrounding customer genetic data.
In a complaint filed in San Francisco Superior Court, California accused 23andMe of ignoring numerous warnings that its systems had been compromised and downplaying the severity of the data breach, which exposed information about customers' health, genetic predispositions, biological relatives, ancestry and ethnicity.
The 23andMe breach began in April 2023 and lasted about five months. Bonta said about 856,000 Californians were affected.
"This data breach, and the company's handling of it, was entirely unacceptable," Bonta said in a conference call with reporters.
Neither 23andMe nor its lawyers immediately responded to requests for comment. The lawsuit was filed against Chrome Holding Co, the legal name for 23andMe.
Bonta said he is seeking civil fines that could total "multiple millions" of dollars for violations of California's Genetic Information Privacy Act and state consumer protection laws.
The lawsuit came 14 months after 23andMe filed for bankruptcy in St. Louis, and Bonta acknowledged "we would need to work through the bankruptcy (process) to collect any judgment."
California sued four months after the federal judge overseeing 23andMe's bankruptcy granted final approval for a $30 million to $50 million fund to resolve most US customer claims from the data breach.
That settlement also resolved accusations that 23andMe did not tell customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to have targeted them, and offered their information for sale on the dark web.
Based in Palo Alto, California, 23andMe was founded in 2006 and went public in 2021.
It filed for Chapter 11 protection from creditors in March 2025, citing the data breach and related litigation, as well as increased competition and falling demand for genetics testing products.
Last July, TTAM Research Institute, a nonprofit controlled by 23andMe co-founder Anne Wojcicki, bought 23andMe's assets for $305 million.
Bonta opposed that sale on privacy grounds, saying California law gave consumers a right to consent to any transfer of their "most sensitive personal data." He said that the challenge remains pending.
The UK consumer watchdog, the Information Commissioner's Office, fined the genetics testing company £2.31 million ($3.1M) last June for failing to take adequate measures to secure sensitive user data before the incident.