California Attorney General Rob Bonta filed a civil lawsuit Friday against genetic-testing company 23andMe for failing to protect customer DNA data [1].

The legal action highlights the vulnerability of highly personal biometric information and the potential for state-level accountability when private companies fail to secure sensitive health data.

The lawsuit, filed in San Francisco Superior Court, centers on a massive cyberattack that occurred in 2023 [2]. According to the filing, the breach exposed the DNA and health data of approximately 7 million customers [3, 4]. The company, which now operates as Chrome Holding Co., is accused of maintaining inadequate security protocols that allowed the intrusion to occur [5].

Bonta said the company's security measures are "lax" and that it failed to adequately investigate warnings that its systems had been compromised [1]. The state alleges that 23andMe did not act on these warnings, leaving millions of users' most private biological information exposed to bad actors [1, 2].

This case marks a significant escalation in the state's efforts to enforce data privacy standards. The lawsuit alleges that the company failed to protect millions of customers' sensitive DNA data during the attack [6]. Because genetic data is immutable, unlike a password or credit card number, the impact of such a breach is permanent for the affected individuals.

The state's legal challenge focuses on the gap between the company's public promises of security and the actual state of its internal defenses. Bonta said the company failed to protect the data despite the sensitivity of the information involved [6].

23andMe has not yet provided a detailed public response to the specific allegations in the San Francisco Superior Court filing [2, 5].

This lawsuit signals a shift toward treating genetic data as a special class of sensitive information requiring higher security standards than traditional consumer data. By suing over a breach from 2023, California is asserting that the long-term risks of DNA exposure justify severe legal penalties and state intervention, potentially setting a precedent for how other biometric companies are regulated in the U.S.