California Attorney General Rob Bonta has filed a lawsuit against the genetic testing company formerly known as 23andMe over its 2023 data breach that affected almost 7 million Americans. The lawsuit alleges multiple violations of state consumer privacy and data protection laws. 23andMe is a provider of direct-to-consumer DNA testing services. Consumers purchase kits for collecting saliva samples, which are sent to the company for DNA analysis. Consumers are given a report detailing their ancestry, ethnicity, and genetic health predispositions, and can access a platform that allows them to trace their biological relatives. In 2023, 23andMe discovered that around 14,000 accounts had been subject to unauthorized access over a period of around 5 months, resulting in a breach of the personal and genetic information of 6.9 million individuals, including 855,541 California residents. Access to the accounts was gained using a technique known as credential stuffing, in which credentials obtained in a data breach on one platform are used to try to access accounts on another platform. The technique only works if users reuse their usernames and passwords on multiple platforms. In the case of the 23andMe attack, some of the credentials were stolen from MyHeritage, a separate genealogy site that 23andMe encouraged its users to set up an account with. The data breach was discovered when the threat actor offered the stolen data for sale on a dark web hacking forum in October 2023. Initially, 23andMe downplayed the incident, maintaining that there had been no breach of its systems and placing the blame on customers for the poor security practice of reusing credentials on multiple platforms. 23andMe also said the breach involved data from its DNA Relatives feature, which was essentially publicly available information.
23andMe paid the threat actor to remove data that had been posted online, to stop any sale of stolen data, and to receive information about the vulnerabilities that were exploited by the threat actor to access data. 23andMe, which filed for Chapter 11 bankruptcy protection in March 2025, faced class action litigation over the data breach and agreed to pay $30 million to settle claims related to the data breach, then increased the settlement fund to up to $50 million. The settlement received final approval from a judge in January 2026. The California Department of Justice, part of a multistate coalition that investigated the data breach, determined that security vulnerabilities were exploited that should not have existed, and that the company’s handling of the breach was “entirely unacceptable.” The investigation determined that there was a well-known risk of unauthorized account access through credential stuffing, yet 23andMe failed to implement reasonable and appropriate security procedures to reduce that risk. The data breach was only detected when the threat actor offered stolen data for sale in October 2023. AG Bonta alleged that 23andMe missed several opportunities to detect the credential stuffing attack, such as a suspicious spike in login attempts in July 2023 and a Reddit post discussing a potential 23andMe data breach in August 2023. A coding error in the DNA Relatives feature meant doctored queries could be sent to the 23andMe database, and when creating and implementing its data security protocols, 23andMe failed to properly account for genetic data and its high level of sensitivity. 23andMe informed its customers that it adhered to the highest industry standards for data security, when its security practices were far below industry standards.
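As an added illustration of the detection opportunity the complaint describes (example code, not from the article, 23andMe or the Attorney General's filing), the following Python flags source addresses that replay a leaked credential list: many distinct usernames from one address in a short window with mostly failed logins, the pattern credential stuffing leaves regardless of how users chose their passwords. The log line format, the thresholds and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real 23andMe data); the line format
# "<ISO timestamp> ip=<addr> user=<name> result=<success|failure>" is assumed.
SAMPLE_LOG = """\
2023-07-10T08:00:01 ip=203.0.113.7 user=alice result=failure
2023-07-10T08:00:02 ip=203.0.113.7 user=bob result=failure
2023-07-10T08:00:03 ip=203.0.113.7 user=carol result=success
2023-07-10T08:00:04 ip=203.0.113.7 user=dave result=failure
2023-07-10T08:00:05 ip=203.0.113.7 user=erin result=failure
2023-07-10T08:05:00 ip=198.51.100.4 user=alice result=failure
2023-07-10T08:05:30 ip=198.51.100.4 user=alice result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|failure)$")

def parse(log):
    # Returns (timestamp, ip, user, succeeded) tuples; malformed lines are skipped.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result == "success"))
    return events

def stuffing_sources(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames in a short window with a
    mostly failing outcome. One account retried is a forgotten password; many
    accounts from one source is a credential list being replayed, and each
    success inside that run ("hits") is a reused password that needs a reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding time window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            rate = sum(ok for _, _, ok in chunk) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                hit = flagged.get(ip)
                if hit is None or len(users) > hit["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users), "attempts": len(chunk),
                                   "success_rate": round(rate, 2), "hits": sorted(u for _, u, ok in chunk if ok)}
    return flagged
```

A single user retrying their own password (198.51.100.4 above) is not flagged, while the address cycling through five accounts is, together with the one account it got into.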
Further, AG Bonta alleges that when the breach was announced, 23andMe made misleading statements, repeatedly stating that there had been no breach of 23andMe systems, despite the threat actor informing the company of multiple exploitable vulnerabilities within its systems, some of which were exploited in the attack. The state Attorney General’s lawsuit was filed in the San Francisco Superior Court, California, and alleges that the company failed to implement and maintain reasonable and appropriate security procedures and practices, made untrue and misleading statements regarding its security measures and practices prior to the data breach, and made misleading statements about the circumstances of the breach. Those failures are alleged to have violated the California Genetic Information Privacy Act, Reasonable Data Security Law, False Advertising Law, Unfair Competition Law, and the California Consumer Privacy Act. The lawsuit seeks millions of dollars in civil fines to resolve the alleged violations. The California Attorney General has also challenged 23andMe’s sale of consumers’ genetic information and materials in bankruptcy. That lawsuit is pending in the U.S. Bankruptcy Court for the Eastern District of Missouri. The post California AG Files Lawsuit Over 23andMe Data Breach appeared first on The HIPAA Journal.
Originally published at hipaajournal.com