California AG sues 23andMe over 2023 breach exposing health data
California Attorney General Rob Bonta filed a lawsuit against 23andMe, now operating as Chrome Holding Co., following a 2023 data breach that compromised the genetic and personal information of millions of customers. The breach, which came to light in October 2023, exposed data including names, birth years, ancestry reports, and health-related genetic information. The lawsuit alleges that 23andMe failed to implement reasonable security measures, such as multi-factor authentication, and did not adequately protect against credential stuffing attacks. As a result, attackers accessed accounts of users who reused passwords from other sites. The complaint seeks civil penalties, injunctive relief, and restitution for affected California residents. This case highlights the heightened risks when companies handle sensitive health data and the legal consequences of inadequate cybersecurity practices.
Developers handling sensitive user data face increased liability for security failures.