California AG Sues 23andMe Over 2023 Data Breach: CCPA Compliance Lessons for Genetic Data Privacy
What Happened: 23andMe Breach Details
On January 9, 2025, California Attorney General Rob Bonta filed a lawsuit against 23andMe (now Chrome Holding Co.) over a 2023 data breach that exposed sensitive genetic and personal information of nearly 7 million customers, including 855,541 Californians. The breach occurred via credential stuffing attacks and a coding error in the DNA Relatives feature, allowing attackers to exfiltrate raw genetic data, health predispositions, ancestry information, and DNA matches.
The lawsuit alleges that 23andMe failed to implement reasonable security safeguards, lacked multifactor authentication (MFA), and ignored red flags for months before and after the intrusion. Additionally, the company is accused of making misleading public statements claiming high security standards while downplaying the breach by blaming customers for weak passwords.
Legal Basis: Multiple California Laws Violated
The California AG's complaint cites violations of several state laws, reflecting the heightened obligations for companies handling sensitive genetic data:
- California Genetic Information Privacy Act (GIPA) – Establishes specific protections for genetic data, including consent requirements and security safeguards.
- California Consumer Privacy Act (CCPA) – Requires businesses to implement reasonable security measures. Its private right of action lets consumers whose personal information is exposed because of a failure to maintain reasonable security recover statutory damages of $100–$750 per consumer per incident, or actual damages if greater.
- California Reasonable Data Security Law (Civil Code § 1798.81.5) – Requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
- False Advertising Law and Unfair Competition Law – Based on alleged misleading statements about security practices.
The state seeks injunctions and civil penalties of $1,000–$7,500 per violation. Notably, 23andMe previously settled a class-action lawsuit over the same breach for $50 million in 2024.
Why It Matters: Implications for Data Privacy Compliance
This lawsuit underscores the severe consequences of inadequate security for sensitive personal data, especially genetic and health information. Key takeaways for compliance teams include:
- Credential stuffing prevention – MFA, per-source rate limiting, and anomaly detection on login traffic (many distinct usernames tried from one source, abnormal failure ratios, successful logins from sources already flagged) are the baseline controls against automated attacks. A correct password supplied by a stuffing bot is exactly the case MFA exists to catch.
- Breach notification compliance – California's breach notification statute (Civil Code § 1798.82) requires notice to affected consumers in the most expedient time possible and without unreasonable delay, and notice to the California AG when more than 500 California residents are affected. Delays or downplaying incidents can lead to additional penalties.
- Data minimization and access controls – Genetic data requires heightened protections under GIPA and similar state laws. Features that expose one user's data through another user's account, such as relative matching, must be treated as part of the access-control surface: compromising a single account must not yield the data of everyone linked to it.
- Transparency obligations – Misleading statements about security practices violate state consumer protection laws.
Companies handling genetic data—whether in healthcare, direct-to-consumer testing, or research—must also align with frameworks like GDPR, which treats genetic data as a special category of personal data under Article 9 and requires explicit consent and strict data protection, and, where AI systems are used, the EU AI Act, which treats many health-related AI uses as high-risk. In the US, the HIPAA Privacy and Security Rules apply to covered entities handling protected health information, while state laws like CCPA and GIPA add additional layers.
What Organizations Should Do: Action Items
- Conduct a data inventory – Identify all genetic, health, and sensitive personal data you collect, store, or process. Map data flows and assess security controls.
- Implement strong authentication – Enforce MFA for all user accounts, especially those accessing sensitive data. Use rate limiting and bot detection to prevent credential stuffing.
- Review breach response plans – Ensure your incident response plan includes timely notification procedures aligned with California's breach notification statute (and other applicable state laws) and the GDPR Article 33 requirement to notify the supervisory authority within 72 hours of becoming aware of a breach.
- Perform regular security audits – Test for vulnerabilities like the coding error at issue here, especially authorization flaws in features that let one account reach another user's data. Engage third-party penetration testers.
- Update privacy policies and public statements – Avoid overstating security capabilities. Ensure marketing claims match actual practices.
- Leverage compliance technology – Use platforms like AIGovHub for multi-domain compliance monitoring, vendor risk assessments, and regulatory change tracking. For fraud and breach detection, consider solutions like RisksRadarAI, which uses AI-powered cross-domain signal correlation to detect credential stuffing and other threats early.
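As an added illustration of the rate-limiting and anomaly-detection controls called for in the takeaways and action items above (this is example code written for this page, not code from 23andMe, the AG's complaint, or any vendor named here), the following Python script runs a sliding-window credential-stuffing detector over a set of constructed authentication log lines. The log format, thresholds, sample addresses and usernames are all assumptions made for the example. It flags a source IP on two independent signals (too many failures, too many distinct usernames) and, separately, records any login that succeeded from an already-flagged source so the application can require an MFA challenge instead of issuing a session.

```python
"""Credential-stuffing detection over authentication log lines.

Added illustration, not code from 23andMe or from any vendor named on
the page. The log format, thresholds and sample lines are constructed
for the example; a real deployment would read its own auth logs and
tune the thresholds to observed traffic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 timestamp> <source ip> <username> <FAIL|OK>"
ATTACKER_IP = "203.0.113.7"  # RFC 5737 documentation address, chosen for the example
SAMPLE_LOG = [
    # one source cycling through many usernames: the credential-stuffing pattern
    f"2023-10-01T12:00:{i:02d} {ATTACKER_IP} user{i:02d} {'OK' if i == 11 else 'FAIL'}"
    for i in range(12)
] + [
    # a legitimate user mistyping a password twice, then succeeding
    "2023-10-01T12:00:05 198.51.100.3 alice FAIL",
    "2023-10-01T12:00:09 198.51.100.3 alice FAIL",
    "2023-10-01T12:00:20 198.51.100.3 alice OK",
]

WINDOW = timedelta(seconds=60)
MAX_FAILS_PER_IP = 10  # rate limit: failed logins per source IP per window
MAX_USERS_PER_IP = 5   # anomaly: distinct usernames tried per source IP per window


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, ip, user, result = parts
    return datetime.fromisoformat(ts), ip, user, result


def detect(lines, window=WINDOW, max_fails=MAX_FAILS_PER_IP, max_users=MAX_USERS_PER_IP):
    """Return (flagged, step_up).

    flagged: {ip: sorted list of reasons} for sources that exceeded the
             failure-rate limit or the distinct-username threshold.
    step_up: usernames whose login succeeded from an already-flagged source.
             Those sessions should not be issued without an MFA challenge.
    """
    fails = defaultdict(deque)     # ip -> timestamps of recent failures
    attempts = defaultdict(deque)  # ip -> (timestamp, username) of recent attempts
    flagged = defaultdict(set)
    step_up = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, result = parsed
        # drop events that have fallen out of the sliding window
        while fails[ip] and ts - fails[ip][0] > window:
            fails[ip].popleft()
        while attempts[ip] and ts - attempts[ip][0][0] > window:
            attempts[ip].popleft()
        attempts[ip].append((ts, user))
        if result == "FAIL":
            fails[ip].append(ts)
        if len(fails[ip]) > max_fails:
            flagged[ip].add("failure_rate")
        if len({u for _, u in attempts[ip]}) > max_users:
            flagged[ip].add("username_spray")
        if result == "OK" and ip in flagged:
            step_up.add(user)
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}, step_up


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    flagged, step_up = analyze_sample()
    for ip, reasons in flagged.items():
        print(f"block or challenge {ip}: {', '.join(reasons)}")
    print("require MFA before issuing a session for:", sorted(step_up))
```

On the sample data the attacker's address trips both signals while the legitimate user's two mistakes stay well under the thresholds; the one successful login from the flagged source lands in the step-up set rather than being treated as a clean authentication. The two signals are kept separate on purpose: a low-and-slow attack can stay under the failure-rate limit while still touching far more usernames than any real client would.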
Related Resources
For more on data privacy compliance, see our Complete Guide to AI Governance and Data Privacy and vendor marketplace for CCPA and GDPR compliance tools.
This content is for informational purposes only and does not constitute legal advice.