
California sues 23andMe over data breach, alleges misleading statements

California says 23andMe exposed nearly 7 million users and then downplayed the breach, turning a DNA privacy failure into an accountability test for the biotech industry.

Sarah Chen

California’s top law enforcement officer is making the 23andMe breach case about more than hackers. Attorney General Rob Bonta sued Chrome Holding Co., the company formerly known as 23andMe, in San Francisco Superior Court over a 2023 cyberattack that the state says exposed highly sensitive genetic data and was followed by misleading statements about its severity.

The complaint says the breach affected nearly 7 million users nationwide, including 855,541 Californians. It alleges the company failed to take reasonable measures to protect consumer data, ignored known vulnerabilities and did not properly investigate or respond to warnings that its systems had been compromised. Bonta’s office also says 23andMe misled customers and the public about crucial aspects of the incident, making its security failures and public statements unlawful under California law.

The stakes are unusually high because 23andMe did not handle ordinary account data. Founded in San Francisco, the company became one of the world’s largest direct-to-consumer genetic testing businesses, selling saliva-based DNA analysis and storing raw DNA data to produce ancestry, ethnicity and genetic health reports. The attack first became public on October 6, 2023, and later settlement materials said about 6.4 million U.S. residents were affected. Hackers reportedly used stolen usernames and passwords to access accounts, then pulled additional information through the company’s DNA Relatives and Family Tree features, including data tied to Ashkenazi Jewish and Chinese ancestry.

Bonta said the company had collected genetic data from millions of people and had an obligation to keep it safe. He also said the data could be sold on the dark web at a time of rising anti-Asian American and Pacific Islander hate and antisemitic violence, adding another layer of harm to a breach that reached far beyond routine identity theft.

The lawsuit lands after a period of financial collapse for the company. In September 2024, 23andMe agreed to a $30 million class-action settlement. It filed for Chapter 11 bankruptcy in March 2025, prompting Bonta to issue a consumer alert on March 21, 2025, urging Californians to delete their genetic data, destroy stored saliva samples if they wished and revoke research consent under state privacy laws. Settlement materials now say final approval of the breach settlement was granted on January 30, 2026, with claims that can include cash payments, health-information claims and five years of Privacy & Medical Shield plus Genetic Monitoring.

For the direct-to-consumer biotech industry, the case is a warning that genetic data is not just another category of consumer information. When a company’s finances weaken, the question becomes whether it can still protect the most personal data it holds, or whether bankruptcy leaves customers exposed twice over.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
