## Overview
California Attorney General Rob Bonta filed a lawsuit against 23andMe, now operating as Chrome Holding Co. following the company's bankruptcy and the sale of its assets, over the company's handling of a 2023 credential-stuffing attack that exposed the genetic profiles, ancestry data, and personal health information of approximately 6.9 million customers. The suit alleges that 23andMe failed to implement reasonable security measures and was slow both to detect the breach and to disclose it to affected individuals and regulators.
The 2023 incident began when attackers replayed usernames and passwords leaked in breaches of other services against 23andMe's login, gaining access to roughly 14,000 accounts. Because the company's DNA Relatives feature let customers share profile data with their genetic matches, the attackers were able to scrape far more records than that number suggests: millions of users had their ethnicity estimates, health predisposition data, and family tree information exposed without ever having their own credentials stolen.
The California AG's action follows a wave of state-level scrutiny of 23andMe that intensified after the company filed for bankruptcy in early 2025. The lawsuit targets both the breach itself and the company's broader data governance practices, raising questions about how consumer genetic data companies handle sensitive health information outside formal HIPAA oversight.
## Key developments
Credential stuffing as a vector for health data exposure. The attack exploited password reuse across services, a long-documented weakness, to gain initial access; no flaw in 23andMe's own authentication code was required. The subsequent scraping of the DNA Relatives feature turned the compromise of a small number of accounts into a mass health-data exposure, illustrating how product design choices set the blast radius of a credential attack.
State AG authority filling the HIPAA gap. 23andMe is not a HIPAA-covered entity, meaning the Office for Civil Rights has no direct enforcement jurisdiction over the breach. California's action under state consumer protection and data security law demonstrates how state attorneys general are increasingly acting as de facto regulators for the consumer health-data sector that sits outside federal health privacy law.
Bankruptcy complicates victim recourse. The company's Chapter 11 filing and the subsequent sale of its assets create significant uncertainty about whether affected customers will receive meaningful relief. The AG's suit is an attempt to hold the renamed entity accountable, but asset sales in bankruptcy proceedings often limit the practical remedies available to injured parties.
Delayed detection and disclosure cited as aggravating factors. The complaint reportedly alleges that 23andMe did not identify the breach promptly and did not notify affected customers with adequate speed, compounding the harm. Regulators across both HIPAA and state-law frameworks have consistently treated delayed notification as an independent compliance failure, separate from the underlying security lapse.
## Industry impact
The 23andMe breach is among the largest exposures of genetic and health-adjacent consumer data on record, and the California AG's lawsuit signals that state enforcement actions — not just federal rulemaking — will shape accountability standards for consumer health-data companies. The case arrives as HHS has been exploring whether and how to extend HIPAA-style protections to entities that handle sensitive health data outside the traditional covered-entity framework, a conversation that the FTC has also entered through its enforcement of the Health Breach Notification Rule against non-HIPAA health apps.
The breach illustrates a cost structure well documented in IBM's annual Cost of a Data Breach report, which has for more than a decade found that healthcare-sector breaches, and breaches involving sensitive personal data more broadly, carry the highest average costs of any industry, driven in part by the long tail of regulatory exposure, litigation, and notification obligations. Genetic data is especially sensitive because, unlike a compromised password, it cannot be rotated, and its exposure reaches biological relatives who never consented to share their information.
For independent practices that refer patients to or integrate with consumer genomics platforms, the case is a reminder that the health-data ecosystem extends well beyond entities subject to a Business Associate Agreement, and that patients frequently do not distinguish between clinical and consumer health services when assessing risk.
## What this means for independent practices
- Audit third-party referral relationships. Review which consumer health platforms — including genetic testing services, health apps, and DTC lab services — your practice recommends or links to in patient-facing materials. Consider whether those referrals carry reputational or liability implications if those platforms suffer a breach.
- Educate patients on the HIPAA boundary. When patients ask about consumer genomics or health apps, make clear that those services are not covered by HIPAA protections, and that the privacy terms governing those platforms are set by the company, not federal health privacy law.
- Review your own credential security controls. The attack vector here, credential stuffing, applies equally to practice management systems, patient portals, and EHRs. Enforce multi-factor authentication on all staff and patient-facing systems, screen new passwords against known-breached password lists (as NIST SP 800-63B recommends), and rate-limit failed logins.
- Assess product-design risk in any patient-data features. If your practice offers patient data-sharing features — family account access, care-team sharing, or similar — evaluate whether the design could allow one compromised account to expose records belonging to other patients.
- Monitor state-level health privacy legislation. California's action is one of several state-level moves to regulate health data outside HIPAA. Practices operating in multiple states should track whether new state consumer health data laws impose obligations on covered entities or their vendors beyond existing federal requirements.
Independent practices that treat HIPAA compliance as the ceiling of their privacy obligations face growing exposure as state regulators assert authority over health-data handling more broadly. Staying current with state consumer health data laws — several of which impose breach notification and data minimization requirements that exceed or differ from HIPAA — is increasingly part of baseline compliance work, not an optional add-on.
## What would have prevented this
Multi-factor authentication enforcement. Requiring a second authentication factor on all accounts would have sharply reduced the value of the reused passwords: a valid username and password alone would no longer have been enough to sign in. 23andMe offered MFA only as an opt-in setting at the time and made it mandatory for all customers in November 2023, after the breach.
Rate limiting and anomaly detection on login systems. Credential-stuffing traffic looks nothing like normal customer logins: a single source or network tries many distinct usernames in quick succession, almost all attempts fail, and the sources are often proxy or hosting ranges rather than the customer base's usual residential ISPs. Automated detection and throttling keyed on those patterns, per IP, per network and in aggregate, can block a campaign before mass account access occurs and, just as important, flag the few accounts where a stuffed password did work so they can be reset.
Privacy-by-design in data-sharing features. The DNA Relatives feature, by design, allowed one compromised account to read data belonging to hundreds of other users. Applying data minimization during product design, by limiting which fields a match can see by default, requiring an explicit opt-in, and capping how many match profiles one account can retrieve per day, reduces the blast radius of any individual account compromise.
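As an added example (not code from this page or from 23andMe), the detection logic described above, and the failed-login rate limiting recommended for practice systems in the bullet list earlier, run over a constructed login log. The log format, the addresses, and the thresholds are assumptions. The same windowed check is applied once keyed per source IP and once keyed per /24, which shows why the second key matters when a campaign spreads its attempts across many addresses.

```python
"""Windowed credential-stuffing detection over constructed auth log lines.

Added example; the log lines and thresholds are constructed for illustration
and are not 23andMe data or configuration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: "<ISO-8601 time> <source IP> <username> <OK|FAIL>".
# 198.51.100.4 is a real user mistyping once; 203.0.113.7 is a single-IP
# stuffer; 192.0.2.10-12 is the same campaign spread over three addresses.
SAMPLE_LOG = """\
2023-10-01T10:00:00Z 198.51.100.4 alice@example.com FAIL
2023-10-01T10:00:09Z 198.51.100.4 alice@example.com OK
2023-10-01T10:01:00Z 203.0.113.7 u01@example.com FAIL
2023-10-01T10:01:01Z 203.0.113.7 u02@example.com FAIL
2023-10-01T10:01:02Z 203.0.113.7 u03@example.com FAIL
2023-10-01T10:01:03Z 203.0.113.7 u04@example.com FAIL
2023-10-01T10:01:04Z 203.0.113.7 u05@example.com FAIL
2023-10-01T10:01:05Z 203.0.113.7 u06@example.com FAIL
2023-10-01T10:01:06Z 203.0.113.7 u07@example.com FAIL
2023-10-01T10:01:07Z 203.0.113.7 u08@example.com FAIL
2023-10-01T10:01:08Z 203.0.113.7 u09@example.com FAIL
2023-10-01T10:01:09Z 203.0.113.7 u10@example.com FAIL
2023-10-01T10:01:10Z 203.0.113.7 kate@example.com OK
2023-10-01T10:01:11Z 203.0.113.7 u12@example.com FAIL
2023-10-01T10:02:00Z 192.0.2.10 v01@example.com FAIL
2023-10-01T10:02:01Z 192.0.2.11 v02@example.com FAIL
2023-10-01T10:02:02Z 192.0.2.12 v03@example.com FAIL
2023-10-01T10:02:03Z 192.0.2.10 v04@example.com FAIL
2023-10-01T10:02:04Z 192.0.2.11 v05@example.com FAIL
2023-10-01T10:02:05Z 192.0.2.12 v06@example.com FAIL
2023-10-01T10:02:06Z 192.0.2.10 v07@example.com FAIL
2023-10-01T10:02:07Z 192.0.2.11 v08@example.com FAIL
2023-10-01T10:02:08Z 192.0.2.12 v09@example.com FAIL
2023-10-01T10:02:09Z 192.0.2.10 v10@example.com FAIL
2023-10-01T10:02:10Z 192.0.2.11 dan@example.com OK
"""


def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome == "OK"


class StuffingDetector:
    """Sliding-window detector keyed by an arbitrary source key (IP, /24, ASN...).

    A key is flagged when, inside one window, it has made enough attempts
    against enough distinct usernames with a success ratio far below what
    real users produce. A flag expires one window after its last trigger.
    """

    def __init__(self, key_fn=lambda ip: ip, window=timedelta(minutes=5),
                 min_attempts=10, min_users=8, max_success_ratio=0.2):
        self.key_fn, self.window = key_fn, window
        self.min_attempts, self.min_users = min_attempts, min_users
        self.max_success_ratio = max_success_ratio
        self.events = defaultdict(deque)   # key -> deque of (ts, user, ok)
        self.flagged_until = {}            # key -> expiry timestamp
        self.suspect_accounts = set()      # accounts that logged in OK while flagged

    def observe(self, ts, ip, user, ok):
        key = self.key_fn(ip)
        q = self.events[key]
        q.append((ts, user, ok))
        while ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        attempts = len(q)
        distinct_users = len({u for _, u, _ in q})
        success_ratio = sum(1 for _, _, k in q if k) / attempts
        if (attempts >= self.min_attempts and distinct_users >= self.min_users
                and success_ratio <= self.max_success_ratio):
            self.flagged_until[key] = ts + self.window
        if self.flagged_until.get(key, ts) > ts:
            # A *valid* password presented by a stuffing source is the real
            # signal: the attacker holds that credential even if we block now.
            if ok:
                self.suspect_accounts.add(user)
                return "BLOCK_AND_FORCE_RESET"
            return "BLOCK"
        return "ALLOW"


def run(log_text, detector):
    """Feed every log line to the detector; return decisions grouped by verdict."""
    decisions = {}
    for line in log_text.splitlines():
        ts, ip, user, ok = parse_line(line)
        decisions.setdefault(detector.observe(ts, ip, user, ok), []).append((ip, user))
    return decisions


def slash24(ip):
    """Key function that aggregates a source IP to its /24 network."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


if __name__ == "__main__":
    per_ip = StuffingDetector()
    print("per-IP verdicts:", {k: len(v) for k, v in run(SAMPLE_LOG, per_ip).items()})
    print("per-IP accounts to reset:", per_ip.suspect_accounts)
    per_net = StuffingDetector(key_fn=slash24)
    run(SAMPLE_LOG, per_net)
    print("per-/24 accounts to reset:", per_net.suspect_accounts)
```

Keyed per IP, the detector catches the single-address stuffer and flags kate's account for a forced reset, but the campaign spread across 192.0.2.10-12 stays under the per-address threshold and dan's stuffed login is allowed; keyed per /24 the same logic catches both. In production the same window check runs on several keys at once (IP, network, ASN, device fingerprint, and the whole login stream), and the "force reset" verdict feeds the notification list rather than only the block list.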
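As an added example (not 23andMe's design or code), a small blast-radius model of the kind the design review called for in the practice checklist above ("could one compromised account expose records belonging to other patients?") and in this paragraph. The match graph, opt-in rates, field lists and daily cap are constructed assumptions. The model compares how many third-party records 100 compromised accounts can reach under a share-everything default versus an opt-in, field-scoped, rate-capped design.

```python
"""Blast-radius model for a match-sharing feature.

Added example with constructed data: the graph, opt-in rates, field lists
and caps are illustrative assumptions, not 23andMe's design or figures.
"""
import random
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_FIELDS = ("display_name", "birth_year", "ancestry_composition",
              "health_predispositions", "family_tree")


@dataclass(frozen=True)
class SharingPolicy:
    name: str
    opt_in_rate: float             # share of users whose profile is visible to matches
    fields: Tuple[str, ...]        # what a match sees with no further consent step
    views_per_day: Optional[int]   # per-account cap on match profiles fetched per day


# Hypothetical "before": sharing on for most users, every field, unlimited paging.
SHARE_ALL = SharingPolicy("share-all-default", 0.8, ALL_FIELDS, None)
# Hypothetical "after": explicit opt-in, two low-sensitivity fields, a daily view cap.
MINIMIZED = SharingPolicy("opt-in-scoped-capped", 0.3,
                          ("display_name", "ancestry_composition"), 50)


def build_match_graph(n_users, matches_per_user, seed=7):
    """Random symmetric 'genetic match' graph; mean degree is about 2*matches_per_user."""
    rng = random.Random(seed)
    matches = {u: set() for u in range(n_users)}
    for u in range(n_users):
        for v in rng.sample(range(n_users), matches_per_user):
            if v != u:
                matches[u].add(v)
                matches[v].add(u)
    return matches


def exposure(matches, compromised, policy, days=1, seed=7):
    """Third-party records reachable through compromised accounts under a policy.

    Only the *match's* opt-in matters: an attacker who holds the account can
    switch its own sharing on, so the compromised account's setting gives no
    protection. A scraper takes whatever the API pages first, modelled here as
    the lowest user ids up to the daily cap.
    """
    rng = random.Random(seed)
    opted = {u for u in matches if rng.random() < policy.opt_in_rate}
    exposed = set()
    for account in compromised:
        visible = sorted(m for m in matches[account]
                         if m in opted and m not in compromised)
        if policy.views_per_day is not None:
            visible = visible[: policy.views_per_day * days]
        exposed.update(visible)
    return {
        "policy": policy.name,
        "accounts_compromised": len(compromised),
        "users_exposed": len(exposed),
        "field_records_exposed": len(exposed) * len(policy.fields),
        "amplification": len(exposed) / max(1, len(compromised)),
    }


def compare(n_users=10_000, matches_per_user=100, n_compromised=100):
    """Exposure from the same set of compromised accounts under each policy."""
    graph = build_match_graph(n_users, matches_per_user)
    compromised = set(range(n_compromised))  # ids are arbitrary in a random graph
    return {p.name: exposure(graph, compromised, p) for p in (SHARE_ALL, MINIMIZED)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The number to watch is `amplification`, the ratio of third-party users exposed to accounts actually compromised; under the share-everything policy it is in the tens for this constructed graph, which is the mechanism by which roughly 14,000 stuffed logins became a 6.9 million-user exposure. The daily cap is the only control in the model that bounds exposure arithmetically (at most `views_per_day * days` records per compromised account), so it is the one a design review should insist on for any feature that lets one account page through other people's records.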
Timely breach detection and response procedures. Written incident response plans with defined timelines for internal escalation, forensic investigation, and regulatory notification reduce both the duration of exposure and the risk of regulatory penalties for delayed disclosure.
Data retention limits and deletion controls. Retaining sensitive genetic and health data beyond its useful purpose increases the scale of any breach. Documented retention schedules and the technical ability to delete or anonymize customer data on request reduce the volume of information available to an attacker at any given time.