California Attorney General Rob Bonta sued the genetic testing company formerly known as 23andMe over its handling of a 2023 data breach that exposed nearly 7 million users’ sensitive personal information, including genetic data.
The company, now doing business as Chrome Holding Co., publicly touted its commitment to data privacy and security, yet it ignored numerous warnings that systems had been compromised and misled consumers’ about the fate of their sensitive data, the state enforcer said.
“23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach,” Bonta said in a press release. “Our investigation found that the company failed to take basic steps to protect users’ data—data including the sensitive personal information, family histories, and health conditions of consumers.”
While 23andMe was negotiating with—and paying a ransom to—the hacker, the company continued to assure consumers it hadn’t experienced a security incident, downplayed the sensitivity of the stolen data, and shifted blame to users, the Democratic attorney general said. 23andMe violated the California Consumer Privacy Act and Genetic Information Privacy Act as well as the state’s unfair competition law, among other statutes.
Due to 23andMe’s lax security practices, the hacker breached its systems undetected for five months using account usernames and passwords stolen in previous data breaches, Bonta said. Despite being aware of the risks, 23andMe’s security team didn’t check for or prevent re-use of credentials, the state enforcer added.
The ensuing sale of the genetic data on the dark web took place amid mounting anti-Asian American and Pacific Islander and antisemitic hate and violence, Bonta said, and called attention to the personal and identifying nature of the information.
“This is disturbing and incredibly dangerous,” the attorney general said.
23andMe filed for bankruptcy about two years after the breach, sparking concerns from more than two dozen attorneys general and the Federal Trade Commission over the company’s sale of the trove of sensitive data during that process. Thursday’s lawsuit is separate from Bonta’s pending challenge to that sale of Californians’ genetic information.
A copy of the complaint wasn’t immediately available and a press release didn’t specify the remedies Bonta’s office is seeking.
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.