California Attorney General Rob Bonta sued the genetic testing company formerly known as 23andMe over its handling of a 2023 data breach that exposed nearly 7 million users’ sensitive personal information, including genetic data.
The company, now doing business as Chrome Holding Co., publicly touted its commitment to data privacy and security, yet it ignored numerous warnings that systems had been compromised and misled consumers about the fate of their sensitive data, the state enforcer said.
“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach,” Bonta said in a press release. “Our investigation found that the company failed to take basic steps to protect users’ data—data including the sensitive personal information, family histories, and health conditions of consumers.”
Chrome Holding Co. didn’t immediately respond to a request for comment.
While 23andMe was negotiating with—and paying a ransom to—the hacker, the company continued to assure consumers it hadn’t experienced a security incident, downplayed the sensitivity of the stolen data, and shifted blame to users, the Democratic attorney general said. 23andMe violated the California Consumer Privacy Act and Genetic Information Privacy Act as well as the state’s unfair competition law, among other statutes.
Due to 23andMe’s lax security practices, the hacker breached its systems undetected for five months using account usernames and passwords stolen in previous data breaches, Bonta said. Despite being aware of the risks, 23andMe’s security team didn’t check for or prevent re-use of credentials, the state enforcer added.
The ensuing sale of the genetic data on the dark web took place amid mounting anti-Asian American and Pacific Islander and antisemitic hate and violence, Bonta said, and called attention to the personal and identifying nature of the information.
“This is disturbing and incredibly dangerous,” the attorney general said.
23andMe filed for bankruptcy about two years after the breach, sparking concerns from more than two dozen attorneys general and the Federal Trade Commission over the company’s sale of the trove of sensitive data during that process. Thursday’s lawsuit is separate from Bonta’s pending challenge to that sale of Californians’ genetic information.
California collaborated with other states to investigate 23andMe’s security practices, Bonta said during a press conference Thursday. He didn’t comment on whether other state attorneys general will bring separate lawsuits.
The attorney general is seeking $1,000 per violation of the state’s genetic privacy law and up to $7,500 for violations of its privacy law, among other penalties that he said could ultimately cost the company millions.
“This action is mostly about civil penalties,” Bonta said during the briefing, noting that 23andMe needs to “be held accountable.”
The case is The People of the State of California v. Chrome Holding Co. et al., Cal. Super. Ct., CGC-26-636891, complaint filed 5/27/26.
