California sues 23andMe over large 2023 data breach

The genetics testing company 23andMe is being sued by California Attorney General Rob Bonta, over a 2023 data breach that exposed genetic and other personal information of an estimated 6.9 million US customers.

In a complaint filed in San Francisco ‌Superior Court, California accused 23andMe of ignoring numerous ‌warnings ‌that its systems had been compromised and downplaying ‌the severity of the data breach, which ⁠exposed information about customers' health, genetic predispositions, biological relatives, ancestry and ethnicity.

The breach began in April 2023 and lasted about five months. Bonta said about 856,000 Californians were affected.

"This data breach, and the ​company's handling of it, was entirely unacceptable," Bonta said in a conference call with reporters.

Neither 23andMe nor its lawyers ⁠immediately responded to requests for comment. The lawsuit was filed against Chrome Holding Co, the legal name for 23andMe.

Bonta said he is seeking civil fines that could total "multiple millions" of dollars for violations of California's Genetic Information Privacy Act and state consumer protection laws.

The lawsuit came 14 months after 23andMe filed for bankruptcy in St. Louis, and Bonta acknowledged "we would need to work through the bankruptcy (process) to ​collect any judgment."

California sued four months after ⁠the federal judge overseeing 23andMe's bankruptcy granted final ⁠approval for a US$30 million to US$50 million ($42 million to $70 million) fund to resolve most US customer claims from the ​data breach.

That settlement also resolved accusations that 23andMe did not tell ‌customers with Chinese ⁠and Ashkenazi Jewish ancestry that the hacker appeared to have targeted them, and offered their information for sale on the dark web.

Based in Palo Alto, California, 23andMe was ‌founded in 2006 and went public in 2021.

It filed for Chapter 11 protection from creditors in March 2025, citing the data breach and related litigation, as well as increased competition and falling demand ​for genetics testing products.

Last July, TTAM Research Institute, a nonprofit controlled by 23andMe co-founder Anne Wojcicki, bought 23andMe's assets for US$305 million.

Bonta opposed that sale on privacy grounds, saying ‌California law gave ⁠consumers a right to ​consent to any transfer of their "most sensitive personal data." He said that challenge remains pending.