California Attorney General Rob Bonta has filed a major lawsuit against genetic testing company 23andMe, accusing the firm of failing to protect the sensitive personal and genetic information of millions of users during a massive 2023 cyberattack.

The lawsuit alleges that 23andMe ignored security warnings, failed to implement basic cybersecurity protections, and misled customers about the severity of the breach that ultimately exposed the data of nearly 6.9 million users nationwide, including more than 855,000 Californians.

The legal action comes amid growing concerns about genetic privacy, cybersecurity accountability, and the future ownership of consumer DNA data following 23andMe’s financial struggles and bankruptcy proceedings.

What Is the Lawsuit About?

The lawsuit was filed against Chrome Holding Co., the corporate entity operating after 23andMe’s restructuring and bankruptcy process.

According to California officials, the company failed to adequately secure highly sensitive customer information, including:

  • Raw genetic data
  • Health reports
  • Genetic predispositions
  • Family relationship information
  • Ancestry records
  • Ethnicity data

State investigators claim the company knew about security weaknesses but failed to take reasonable steps to protect customer information before the breach occurred.

Attorney General Bonta stated that companies collecting highly sensitive biological and genetic information have a legal obligation to implement strong security safeguards.

Inside the 2023 Data Breach

The breach traces back to a large-scale credential stuffing attack discovered in 2023.

Attackers reportedly used usernames and passwords leaked from previous breaches on other platforms to gain access to approximately 14,000 customer accounts. Because of the interconnected nature of 23andMe’s DNA-sharing features, the compromise rapidly expanded and exposed information linked to millions of additional users.

Researchers later determined that the attackers remained active within affected systems for months before the breach was fully investigated.

According to California’s complaint, warning signs were reportedly visible long before the company publicly acknowledged the scale of the incident.

Genetic Data Appeared on the Dark Web

One of the most alarming aspects of the incident was the publication and sale of stolen data on underground forums.

Investigators say hackers advertised access to user information that included ancestry-related data and demographic details. Reports indicated that certain stolen datasets specifically referenced individuals of Chinese and Ashkenazi Jewish descent, raising additional concerns about potential discrimination, targeting, and misuse of genetic information.

Unlike passwords or credit card numbers, genetic information cannot simply be changed after exposure.

Privacy experts warn that DNA data remains permanently linked to individuals and can potentially affect family members across multiple generations.

Why This Breach Is Different

Most data breaches involve credentials, payment information, or contact details.

The 23andMe incident is different because it involved biological and genetic information—one of the most sensitive categories of personal data.

Genetic data can reveal:

  • Family relationships
  • Health risks
  • Medical predispositions
  • Ethnic background
  • Biological ancestry
  • Hereditary conditions

Cybersecurity and privacy experts argue that the long-term consequences of genetic data exposure remain largely unknown because such information can retain value for decades.

Bankruptcy Complicates Privacy Concerns

The lawsuit arrives during an already turbulent period for 23andMe.

The company filed for Chapter 11 bankruptcy protection in 2025 after years of financial difficulties. During the bankruptcy process, concerns emerged over whether customer genetic data could be transferred or sold as part of company assets.

Several states previously launched legal efforts to prevent the sale of customer DNA information without explicit consent, arguing that genetic data should receive stronger protections than ordinary consumer information.

California officials have continued challenging aspects of the company’s restructuring and data transfer plans, citing the state’s Genetic Information Privacy Act.

Allegations of Misleading Consumers

Beyond the cybersecurity failures, California’s lawsuit also accuses the company of misleading users regarding the extent of its privacy protections.

According to the complaint, 23andMe publicly emphasized its commitment to privacy and security while allegedly failing to implement safeguards that experts consider standard for protecting sensitive information.

Investigators claim the company:

  • Ignored security warnings
  • Failed to properly monitor suspicious activity
  • Did not adequately respond to early breach indicators
  • Understated the seriousness of the incident
  • Delayed meaningful protective actions

The state is seeking civil penalties and court orders intended to prevent similar violations in the future.

Growing Debate Around Genetic Privacy

The lawsuit is fueling a larger debate about who ultimately owns genetic information and how companies should be allowed to use it.

As consumer DNA testing services continue to grow, lawmakers and privacy advocates are increasingly questioning whether existing regulations are sufficient to protect biological data.

Unlike traditional personal information, genetic data contains deeply personal insights not only about an individual but also about their relatives and future generations. This has led many experts to call for stronger protections and stricter consent requirements for genetic information.

What Customers Should Do

Privacy experts recommend that users of genetic testing platforms take proactive steps to secure their information.

Recommended Actions

  • Enable multi-factor authentication (MFA)
  • Use unique passwords for genetic testing accounts
  • Review privacy settings regularly
  • Download and securely store personal genetic reports
  • Revoke unnecessary data-sharing permissions
  • Delete stored genetic samples if no longer needed
  • Monitor account activity for suspicious access

California officials have previously encouraged customers concerned about privacy risks to review their account settings and consider removing stored genetic information if desired.

The Bigger Picture

The lawsuit against 23andMe may become one of the most significant legal battles involving genetic privacy and cybersecurity in recent years.

The outcome could influence how organizations collect, store, transfer, and protect biological data in the future.

As cyberattacks increasingly target sensitive health and genetic information, regulators worldwide are expected to place greater scrutiny on companies handling consumer DNA databases.

For now, the case serves as a powerful reminder that protecting genetic information requires the same level of attention as protecting financial, medical, and national security data.

Key Takeaways

  • California has sued 23andMe over its handling of the 2023 data breach.
  • The breach exposed the sensitive information of nearly 6.9 million users.
  • Stolen data included genetic records, health information, ancestry details, and family relationship data.
  • Officials allege the company ignored security warnings and failed to implement basic protections.
  • The lawsuit comes amid ongoing concerns surrounding 23andMe’s bankruptcy and genetic data ownership.

  • The case could set important precedents for future genetic privacy and cybersecurity regulations.