The 23andMe health data breach is facing renewed scrutiny after California Attorney General Rob Bonta filed a lawsuit against the genetic testing company over its handling of the 2023 cyberattack. State officials claim the company failed to implement reasonable security protections despite storing highly sensitive genetic and personal information.
The lawsuit adds further legal pressure to a company already dealing with lawsuits, regulatory scrutiny, and growing concerns over consumer privacy in the genetic testing industry.
California AG Alleges Weak Security Practices
California’s attorney general argues that 23andMe did not adequately protect customer accounts before the breach occurred. According to the complaint, the company failed to require multi-factor authentication even though credential-based attacks had become increasingly common across online platforms.
Officials claim attackers were able to exploit reused usernames and passwords from previous unrelated data breaches to access customer accounts. The lawsuit argues stronger authentication protections could have reduced the scale of the incident.
The state also alleges that 23andMe continued collecting and storing sensitive customer information while failing to apply stronger safeguards expected for health and genetic data.
Attack Exposed Millions of Customer Profiles
The 2023 breach affected approximately 6.9 million users through a credential-stuffing campaign. Attackers reportedly gained direct access to a smaller number of accounts, then expanded their reach through the company’s DNA Relatives feature.
Researchers said the attackers were able to collect information connected to other users through ancestry-sharing features inside the platform. This dramatically increased the number of affected profiles.
Exposed data reportedly included names, profile photos, ancestry reports, birth years, geographic locations, family connections, and other account details tied to genetic profiles.
The breach quickly became one of the most high-profile privacy incidents involving consumer genetic data.
Genetic Data Raises Long-Term Privacy Concerns
Privacy experts warn that genetic information creates unique security and ethical concerns because it cannot be changed after exposure. Unlike passwords or payment cards, biological data remains permanently tied to an individual.
California officials argue that companies handling genetic and health-related information should follow stricter security standards due to the sensitivity of the data involved.
The lawsuit claims consumers trusted 23andMe with deeply personal information that could reveal ancestry, family relationships, and potential health-related insights. Regulators now question whether the company took sufficient steps to protect that information before the attack occurred.
23andMe Faces Growing Legal Pressure
The company has faced multiple lawsuits and investigations since the breach became public. Regulators and privacy advocates continue examining whether 23andMe acted quickly enough to improve account protections after warning signs emerged across the industry.
Following the incident, the company introduced mandatory multi-factor authentication and additional security measures aimed at preventing future credential abuse attacks.
However, critics argue those protections should have been implemented before millions of records were exposed.
The case may influence how regulators approach cybersecurity requirements for businesses that manage genetic and health-related information in the future.
Conclusion
The 23andMe health data breach continues to generate legal and privacy concerns nearly three years after the cyberattack exposed millions of customer records. California’s lawsuit claims the company failed to implement stronger account protections despite handling highly sensitive genetic data. As the legal battle moves forward, the case could shape future expectations for how organizations secure personal health and ancestry information.

