Briefing

California AG sues 23andMe over 2023 breach exposing health data

security
by Bill Toulas

Patch Salesforce and other systems to prevent credential stuffing, enforce MFA, review code for errors, and monitor for suspicious activity.

What to do now

Patch Salesforce and other exposed systems, enforce MFA on all accounts, review application code for defects that broaden data exposure (as the DNA Relatives coding error did), monitor authentication logs for credential‑stuffing patterns, and notify affected customers.
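As an added example (not code from the article or from 23andMe), the following Python detector flags the credential‑stuffing pattern the AG says went undetected: one source address attempting many distinct accounts in a short window, mostly failing, and then succeeding against some of them. The log format, sample lines and thresholds are assumptions constructed for the example.

```python
"""Flag credential-stuffing patterns in authentication logs.

Signature: one source IP tries many *different* usernames in a short window,
mostly failing; any success from such a source is a likely account takeover
and the matching accounts should be locked and reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format per line:
# "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.5 alice FAIL
2023-10-01T10:00:03 203.0.113.5 bob FAIL
2023-10-01T10:00:05 203.0.113.5 carol OK
2023-10-01T10:00:07 203.0.113.5 dave FAIL
2023-10-01T10:00:09 203.0.113.5 erin FAIL
2023-10-01T10:00:11 203.0.113.5 frank FAIL
2023-10-01T10:02:00 198.51.100.7 alice FAIL
2023-10-01T10:02:30 198.51.100.7 alice OK
"""

def parse(text):
    """Parse log text into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted usernames that ip logged into successfully} for every
    source IP that, within some sliding `window`, targeted at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                # Successes from a flagged source are the accounts to lock/reset.
                flagged[ip] = sorted(u for _, u, ok in evs if ok)
                break
    return flagged
```

A single user failing twice and then succeeding (the second address above) is not flagged, which keeps ordinary mistyped passwords out of the alert.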

Summary

California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over a 2023 data breach that exposed the data of nearly 7 million customers, including 855,541 Californians. The breach was caused by a credential‑stuffing attack that targeted accounts with weak credentials, combined with a coding error in the DNA Relatives feature that allowed widespread data exposure. The leaked data included genetic information, health predisposition data, ancestry and ethnicity information, biological relatives, and DNA matches. 23andMe faced multiple lawsuits, regulatory fines, and a bankruptcy filing in early 2024.

The AG alleges that 23andMe failed to implement reasonable safeguards against credential‑stuffing, missed opportunities to detect the intrusion, and misled the public about the severity of the breach. The lawsuit seeks injunctions and statutory penalties ranging from $1,000 to $7,500 per violation under several California laws, including the Genetic Information Privacy Act and the CCPA. 23andMe’s claims that the exposed data was largely public and that customers’ password reuse caused the breach are contested by the AG. The case underscores the importance of robust authentication, code review, and transparent communication in handling sensitive genetic data.

Key changes

  • 23andMe breach exposed ~6.9 million customers, 855,541 Californians, with genetic, health, ancestry, ethnicity, relative, and DNA match data
  • Attack was a credential‑stuffing assault targeting accounts with weak credentials
  • A coding error in the DNA Relatives feature allowed widespread data exposure
  • The company faced multiple lawsuits and multi‑million‑dollar fines, leading to a bankruptcy filing
  • California AG alleges failure to implement safeguards, missed intrusion detection, and misleading statements
  • The lawsuit seeks injunctions and statutory penalties of $1,000–$7,500 per violation

Affects

enterprise
