## Overview

California Attorney General Rob Bonta filed suit against Chrome Holding Co., the corporate entity 23andMe rebranded under following its bankruptcy filing in early 2025, over a 2023 data breach that compromised the sensitive genetic and ancestry data of approximately 6.9 million customers. The lawsuit seeks civil penalties and other relief, targeting the company's security practices in the period leading up to and following the breach.

23andMe built its business around direct-to-consumer DNA test kits that revealed ancestry composition and genetic predispositions for certain health conditions, placing it squarely in the category of companies handling sensitive health data at scale. Although HIPAA does not formally govern direct-to-consumer genetic testing services, the data involved — including family trees, ethnicity estimates, and health predisposition reports — carries health-privacy implications comparable to clinical records.

The breach began as a credential-stuffing attack: the threat actors replayed username and password pairs leaked in earlier, unrelated breaches against 23andMe's login endpoint and took over the accounts of customers who had reused those passwords, roughly 14,000 accounts in all. From those accounts, the platform's DNA Relatives feature let the attackers scrape profile data belonging to millions of additional users who had never been directly compromised, because each hijacked account could view the profiles of every relative it matched.

## Key developments

State AG enforcement fills the HIPAA gap. Because 23andMe was neither a HIPAA covered entity nor a business associate, the HHS Office for Civil Rights (OCR), which enforces HIPAA, had no jurisdiction over the breach. California's action illustrates how state attorneys general are increasingly stepping into enforcement roles where federal health-privacy law does not reach, using consumer-protection statutes and state genetic-privacy laws as the legal basis for accountability.

Successor liability survives bankruptcy. Chrome Holding Co.'s rebranding and bankruptcy reorganization did not extinguish legal exposure. Bonta's lawsuit names the successor entity directly, signaling that corporate restructuring will not reliably shield acquirers or reorganized companies from pre-petition data-security liabilities.

The DNA Relatives feature amplified the breach's scope. Unauthorized access to roughly 14,000 accounts cascaded into exposure of millions of additional profiles because the relative-matching feature let each authenticated account read profile data for every user it matched against. The state's allegations about inadequate security design center on that sharing design: once matching was on, a user's data was visible to every matched account by default, so the blast radius of one stolen password was the size of the match graph rather than a single account.

Civil penalties are the principal remedy sought. The lawsuit calls for financial penalties rather than injunctive relief tied to remediation, reflecting the state's position that the harm has already occurred and that deterrence — for Chrome Holding and industry peers — is the primary objective.

## Industry impact

The 23andMe breach sits at the intersection of two converging trends: the growth of consumer health-data services outside formal HIPAA coverage, and the expanding use of state enforcement authority to fill resulting accountability gaps. California's Confidentiality of Medical Information Act and its genetic-privacy provisions give the AG statutory tools that mirror, in some respects, HIPAA's civil-penalty structure.

The IBM Cost of a Data Breach Report has consistently identified healthcare as the sector with the highest average breach cost, a figure that has been in the range of $10 million per incident in recent editions. Genetic data, given its permanence and what it reveals about both individuals and their biological relatives, is a category of information where downstream harm is difficult to quantify and impossible to fully remediate: a person cannot rotate their genome the way they can a password. Regulators cite those factors with increasing frequency to justify elevated penalties.

The Federal Trade Commission has separately signaled that deceptive data-security practices by health and genetic-data companies fall within its Section 5 authority. The California action adds state-level civil litigation to that federal regulatory attention, creating a layered enforcement environment for any company that handles health or genetic data outside the formal HIPAA framework.

## What this means for independent practices

The 23andMe enforcement action demonstrates that health-data liability is not bounded by HIPAA's formal definitions. Independent practices that connect patients to third-party health or genetic services — or that integrate consumer health apps into care workflows — share reputational and potential legal exposure when those services mishandle data. Maintaining documented, periodic reviews of every third-party data relationship is a baseline discipline, not an optional one.

## What would have prevented this

Multi-factor authentication (MFA) enforced for every account: Credential stuffing works because a username and password leaked from one site are replayed against another. Requiring a second factor for every account, rather than offering it as an optional setting, means a replayed password alone does not yield a session. TOTP or push-based factors stop automated stuffing; phishing-resistant factors such as WebAuthn/passkeys also resist real-time relay attacks. The second-factor check itself must be rate limited, otherwise a leaked password turns into a six-digit brute-force target.
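To make the control concrete, here is an added example (not 23andMe's code, and not from the lawsuit or the DataBreaches.net article) of a login flow in which a TOTP second factor is mandatory for every account. The user record, its fixed salt and password, and the `USERS` store are constructed for the example; the TOTP seed is the RFC 6238 test-vector key so the expected code can be checked against the RFC.

```python
"""Added example (not 23andMe's code): a login flow where a TOTP second
factor (RFC 6238 over RFC 4226 HOTP with HMAC-SHA1) is mandatory for every
account, so a username/password pair leaked from another site's breach is
not enough on its own. User data below is constructed for the example."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided by the step."""
    return hotp(secret, int(at) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record. A real store generates the salt and the TOTP seed
# with os.urandom; fixed values keep this example deterministic.
ALICE_SALT = b"\x00" * 16
ALICE_TOTP_SECRET = b"12345678901234567890"  # the RFC 6238 test-vector seed
USERS = {
    "alice": {
        "salt": ALICE_SALT,
        "pw_hash": hash_password("correct horse battery staple", ALICE_SALT),
        "totp_secret": ALICE_TOTP_SECRET,
    }
}
_DUMMY_HASH = hash_password("", b"\x00" * 16)


def login(username: str, password: str, otp: Optional[str], now: Optional[float] = None) -> str:
    """Return "ok", "mfa_required" or "invalid". A wrong password and a wrong
    code both map to "invalid" so the response does not reveal which factor
    failed. "mfa_required" is only reached after the password verified, which
    is exactly where a stuffed credential stops."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Always run the password hash so unknown usernames are not distinguishable by timing.
    candidate = hash_password(password, user["salt"] if user else b"\x00" * 16)
    expected = user["pw_hash"] if user else _DUMMY_HASH
    if not hmac.compare_digest(candidate, expected) or user is None:
        return "invalid"
    if not otp:
        return "mfa_required"
    counter = int(now) // 30
    # Accept one 30-second step of clock skew either side, per RFC 6238 guidance.
    for skew in (-1, 0, 1):
        if hmac.compare_digest(hotp(user["totp_secret"], counter + skew), otp):
            return "ok"
    return "invalid"
```

Two things the code deliberately does not do: it never returns a "password correct, code wrong" signal, and it does not itself throttle OTP attempts. The throttle belongs in front of this function, on the account and the source, so that an attacker holding a valid password gets a handful of guesses at the six-digit code, not a million.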

Opt-in defaults for social and data-sharing features: Designing profile-linking and data-aggregation features to be disabled by default, requiring affirmative user action to enable them and exposing only the fields the feature needs, limits the blast radius of any single compromised account. The DNA Relatives cascade would have reached a materially smaller population under an opt-in architecture, and each hijacked account would have yielded less about each match.

Anomalous login detection and rate limiting: Automated controls that flag unusual authentication patterns, such as one source attempting many distinct usernames in a short window, a high failure ratio, or logins from IP ranges and devices a given account has never used, can interrupt credential-stuffing campaigns before significant data is accessed. Rate limiting on authentication endpoints raises the cost of automated attacks; because campaigns rotate through proxy pools to stay under per-IP limits, the limits should be keyed on the target account and the network block as well as the source address.

Data-scraping detection at the API layer: Monitoring for abnormal query volumes or bulk profile-data retrieval, such as a single session fetching far more relative profiles than a person browsing the feature would, can identify scraping in near-real time. Alerts tied to volumetric thresholds let security teams terminate sessions and investigate before exfiltration is complete. In this breach the scraping was done through ordinary customer accounts, so the monitoring has to cover regular user sessions, not only privileged ones.
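The login-anomaly and scraping detections described in the two items above share a log parser, so they are shown together in one added example (constructed log lines, field names and thresholds; not code from 23andMe, the lawsuit or the original article). It flags a source IP that attempts logins across many distinct accounts with mostly failures, flags an account whose session walks an unusually large number of relative profiles, and replays the login traffic through a sliding-window rate limiter.

```python
"""Added example (not 23andMe's code): credential-stuffing and scraping
detection over constructed log lines, plus a sliding-window rate limiter
for the login endpoint. Field names, paths and thresholds are assumed."""
import re
from collections import defaultdict, deque

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<kv>.+)$")


def parse(line):
    """Parse '<epoch> k=v k=v ...' into a dict; ts becomes an int."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": int(m.group("ts")), **fields}


# Constructed traffic (not real data). One IP tries six different accounts in
# four seconds and gets into one; a legitimate user logs in normally.
RAW_LINES = [
    "1700000000 ip=198.51.100.7 user=u001 path=/login status=401",
    "1700000001 ip=198.51.100.7 user=u002 path=/login status=401",
    "1700000001 ip=198.51.100.7 user=u003 path=/login status=401",
    "1700000002 ip=198.51.100.7 user=u004 path=/login status=200",
    "1700000002 ip=198.51.100.7 user=u005 path=/login status=401",
    "1700000003 ip=198.51.100.7 user=u006 path=/login status=401",
    "1700000010 ip=203.0.113.9 user=alice path=/login status=401",
    "1700000015 ip=203.0.113.9 user=alice path=/login status=200",
    "1700000040 ip=203.0.113.9 user=alice path=/relatives/77 status=200",
]
# The compromised account then walks its whole relative list: 60 distinct profiles in 30 s.
RAW_LINES += [
    f"{1700000020 + i // 2} ip=198.51.100.7 user=u004 path=/relatives/{9000 + i} status=200"
    for i in range(60)
]
EVENTS = [parse(line) for line in RAW_LINES]


def credential_stuffing_sources(events, window=60, min_users=5, min_fail_ratio=0.6):
    """IPs that, within `window` seconds, tried at least `min_users` distinct accounts
    on /login with a failure ratio >= `min_fail_ratio`. One user mistyping does not trip it."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == "/login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()
        for e in sorted(evs, key=lambda x: x["ts"]):
            win.append(e)
            while win[0]["ts"] < e["ts"] - window:
                win.popleft()
            users = {x["user"] for x in win}
            fails = sum(x["status"] != "200" for x in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win)}
    return flagged


PROFILE_RE = re.compile(r"^/relatives/(\d+)$")


def scraping_sessions(events, window=300, max_profiles=50):
    """Accounts that fetched more than `max_profiles` distinct relative profiles
    within `window` seconds; returns the peak distinct count per account."""
    by_user = defaultdict(list)
    for e in events:
        m = PROFILE_RE.match(e["path"])
        if m and e["status"] == "200":
            by_user[e["user"]].append((e["ts"], m.group(1)))
    flagged = {}
    for user, pulls in by_user.items():
        win = deque()
        for ts, pid in sorted(pulls):
            win.append((ts, pid))
            while win[0][0] < ts - window:
                win.popleft()
            distinct = len({p for _, p in win})
            if distinct > max_profiles:
                flagged[user] = max(distinct, flagged.get(user, 0))
    return flagged


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key in any `window`-second span."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, ts):
        q = self.hits[key]
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def login_rate_limit_rejections(events, limit=5, window=60):
    """Replay /login events through a per-IP limiter and count rejections. A real
    deployment also keys on the account and the /24, since campaigns rotate proxies."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = defaultdict(int)
    for e in sorted((e for e in events if e["path"] == "/login"), key=lambda x: x["ts"]):
        if not limiter.allow(e["ip"], e["ts"]):
            rejected[e["ip"]] += 1
    return dict(rejected)
```

On the constructed traffic the stuffing detector flags only 198.51.100.7 (six distinct usernames, five failures), the scraping detector flags only u004 (60 profiles in one window), and the limiter rejects the sixth login attempt from the attacking IP while alice's two attempts pass. The thresholds are illustrative; in production they are tuned from the baseline of how many relatives a real user views per session and how many distinct accounts a shared NAT address legitimately produces.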

Data minimization and retention limits: Storing only the data necessary for the service's stated purpose, and deleting or de-identifying data that is no longer operationally required, reduces the value of any successful breach. Limiting what is retained limits what can be taken.

Read the original at DataBreaches.net