Overview
New York Attorney General Letitia James, leading a bipartisan coalition of attorneys general from 42 other states, announced an $18 million settlement with genetic testing company 23andMe over the company's failure to adequately protect customers' sensitive genetic and health information. The action follows a 2023 credential-stuffing attack that exposed the data of approximately 6.9 million 23andMe users — roughly half the company's customer base at the time.
The breach allowed attackers to access ancestry data, health predisposition reports, and ethnicity estimates by exploiting reused passwords from other compromised sites, then expanding access through the platform's opt-in DNA Relatives feature. 23andMe disclosed the incident in October 2023 but initially characterized the scope as narrow, a framing regulators later disputed as the full scale became clear.
The settlement represents one of the largest multi-state enforcement actions specifically targeting a consumer genetic data company. A separate lawsuit filed by California's Attorney General under that state's privacy laws remains pending, signaling that the legal exposure for 23andMe is not fully resolved.
Key developments
Scale of the coalition signals coordinated regulatory attention. Forty-three attorneys general — spanning both parties and nearly every region of the country — joined the action, a formation that reflects broad consensus among state regulators that genetic data warrants heightened enforcement regardless of HIPAA coverage status.
The DNA Relatives feature amplified breach scope materially. Attackers who compromised individual accounts through credential stuffing were able to access data on millions of additional users who had opted into the platform's family-matching feature. This design characteristic turned a credential attack on one account into exposure for that user's genetic relatives, many of whom took no action that contributed to the breach.
23andMe's corporate deterioration ran parallel to enforcement. The company filed for Chapter 11 bankruptcy protection in March 2025 and completed a sale of its assets to a pharmaceutical buyer. Regulators and privacy advocates raised concerns about what happens to genetic data held by a company in financial distress and whether the sale terms adequately protected customer data rights.
California's separate action keeps legal pressure active. The California Attorney General's lawsuit, filed under state privacy law, remains active and could produce additional financial penalties or injunctive relief beyond what the multistate settlement covers.
Industry impact
The 23andMe enforcement action extends a pattern of state attorneys general filling regulatory gaps where federal law — specifically HIPAA — does not reach. Because 23andMe operates as a direct-to-consumer service rather than a covered entity or business associate, OCR had no jurisdiction over the breach. State consumer protection and privacy statutes have become the primary enforcement mechanism for this category of company.
According to IBM's Cost of a Data Breach Report, the healthcare industry has recorded the highest average breach cost of any sector for more than a decade, a figure that reflects both the sensitivity of health-adjacent data and the long remediation timelines associated with it. Genetic data carries compounding risk: unlike a compromised password or credit card number, a person's genetic profile cannot be changed, and the information it contains extends to biological relatives who never consented to its collection.
The 23andMe case also illustrates the risk that consumer health data companies pose to the broader health-data ecosystem. Patients and practice administrators routinely treat DTC genetic platforms, reproductive health apps, and similar services as part of their personal health infrastructure — sharing results with clinicians, linking accounts to health systems, or using findings to guide clinical decisions. When those platforms fail, the consequences intersect with clinical care even when no HIPAA-covered entity is directly involved.
## What this means for independent practices
- Counsel patients about data-sharing risks outside clinical channels. Patients who share DTC genetic results with their providers may not understand that the originating platform operates outside HIPAA protections; practices can note this distinction in patient communications without taking on liability for the platform's conduct.
- Review any third-party integrations that pull consumer health data into the practice's systems. If a practice's EHR or patient portal allows connection to consumer health apps, confirm what data flows across those integrations and whether the third party has appropriate security controls and contractual obligations in place.
- Audit business associate agreements for vendors handling genomic or sensitive diagnostic data. Any vendor that processes genetic or diagnostic information on behalf of the practice must have a signed BAA; the 23andMe matter shows regulators will pursue accountability wherever they can find jurisdiction. - Monitor state-level privacy law developments specific to genetic and biometric data. Several states have enacted or are advancing laws that impose stricter handling requirements for genetic data than HIPAA does; compliance with HIPAA alone will not satisfy these state obligations.
- Treat credential hygiene as an infrastructure-level concern, not a user-education item. The initial breach vector — credential stuffing against accounts with reused passwords — is a systemic risk that practice-facing portals and patient communication platforms share; enforcing strong authentication requirements closes this class of attack at the system level.
The 23andMe settlement should prompt practice administrators to map all data-sharing touchpoints — not just those clearly governed by HIPAA — and to document the rationale for accepting or restricting each one. As state enforcement expands and genetic data becomes more clinically integrated, the boundary between HIPAA-regulated and unregulated health data will carry increasing operational weight.
What would have prevented this
Multi-factor authentication (MFA) enforced at login: Requiring a second authentication factor for account access makes credential-stuffing attacks significantly less effective, because possession of a valid username and password alone is insufficient to complete login.
Rate limiting and anomaly detection on authentication endpoints: Automated controls that flag or block repeated failed login attempts from unfamiliar IP addresses or unusual geographic locations can interrupt credential-stuffing campaigns before large numbers of accounts are compromised.
Privacy-by-design review of social and sharing features: The DNA Relatives feature expanded breach scope by design; a structured privacy impact assessment conducted before launch would have identified the amplification risk and prompted scope-limiting controls, such as granular consent gates or access restrictions on shared data.
Data minimization and retention limits: Holding only the data necessary for the service's stated purpose — and deleting or de-identifying data no longer needed — reduces the volume of sensitive information available to an attacker who gains access.
Incident response planning that accounts for feature-level blast radius: Response plans built around individual account compromise can underestimate actual exposure when platform features aggregate data across accounts; tabletop exercises should model scenarios where a single compromised account unlocks access to associated users' data.