Jun 15, 2026
California Sues 23andMe Over 7 Million Genetic Profiles
California Attorney General Rob Bonta filed suit against 23andMe in May 2026, alleging the company failed to protect 6.9 million users' genetic profiles from a 2023 credential stuffing attack, ignored repeated warnings about the intrusion, and minimized the breach in its communications to affected customers for months.
The lawsuit names the company now operating as Chrome Holding Co. — 23andMe rebranded following its Chapter 11 bankruptcy filing in March 2025 — and represents the largest state enforcement action over the breach to date. California is seeking civil penalties under the Genetic Information Privacy Act, the California Consumer Privacy Act, the False Advertising Law, and the Unfair Competition Law. The penalties sought are structured per violation: $1,000 per violation of GIPA and up to $7,500 per intentional CCPA violation, meaning the total exposure could reach hundreds of millions of dollars given the 6.9 million affected profiles.
Key Takeaways
- A 2023 credential stuffing attack on 23andMe exposed 6.9 million genetic profiles, including ancestry, health predispositions, DNA matches, and family history — data that cannot be changed or revoked.
- Attackers used credentials stolen from another genealogy platform that 23andMe had encouraged users to join, exploiting a coding error in the "DNA Relatives" feature to cascade from targeted accounts to millions of others.
- The complaint alleges 23andMe ignored repeated warnings about ongoing account targeting, negotiated with and paid the attacker, and simultaneously minimized the breach in public disclosures.
- 23andMe filed for Chapter 11 bankruptcy in March 2025 and has since rebranded as Chrome Holding Co.; California's lawsuit is the largest regulatory action over the breach.
- California is seeking civil penalties under four laws, including GIPA ($1,000/violation) and CCPA (up to $7,500/intentional violation), with total exposure potentially reaching hundreds of millions of dollars.
How the 2023 Breach Happened
The attack was a credential stuffing campaign — automated attempts to log into accounts using username and password combinations stolen from unrelated breaches elsewhere on the internet. The specific credential source was MyHeritage, a competing genealogy service that 23andMe had actively encouraged its users to link to their accounts. When users reused the same credentials across both platforms, that shared password became an attack vector. 23andMe had not implemented mandatory multi-factor authentication at the time.
The scale of the breach was amplified by a coding error in 23andMe's "DNA Relatives" feature, which allows users to share genetic data with distant relatives. The flaw meant that accessing one account through credential stuffing could cascade access to the genetic profiles of millions of other users who had opted into DNA Relatives matching — including people who had not had their individual credentials compromised. From an initial set of targeted accounts, attackers accessed family connections, health predispositions, ancestry breakdowns, and raw genetic markers for approximately 6.9 million people.
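As an added illustration that is not from the article, 23andMe, or the complaint, the following Python sketch shows the defender's side of the credential stuffing pattern described above: one source cycling through many different accounts with mostly failed logins, followed by the small set of accounts it did get into. The log format and the sample lines are constructed assumptions; on a real system the same signals come from the authentication service's own logs.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from 23andMe or any real system).
# Assumed format: "<timestamp> src=<ip> user=<email> result=<ok|fail>"
SAMPLE_LOG = """\
2023-10-01T10:00:01 src=203.0.113.7 user=alice@example.com result=fail
2023-10-01T10:00:02 src=203.0.113.7 user=bob@example.com result=fail
2023-10-01T10:00:03 src=203.0.113.7 user=carol@example.com result=ok
2023-10-01T10:00:04 src=203.0.113.7 user=dave@example.com result=fail
2023-10-01T10:00:05 src=203.0.113.7 user=erin@example.com result=fail
2023-10-01T10:00:06 src=203.0.113.7 user=frank@example.com result=fail
2023-10-01T10:01:00 src=198.51.100.4 user=alice@example.com result=fail
2023-10-01T10:01:05 src=198.51.100.4 user=alice@example.com result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail)")


def parse(log_text):
    """Turn log lines into (source_ip, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def flag_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Sources that tried many distinct accounts and mostly failed.
    One user retrying their own password (198.51.100.4) is not flagged."""
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for ip, user, result in events:
        users[ip].add(user)
        attempts[ip] += 1
        if result == "ok":
            successes[ip] += 1
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users
                  and successes[ip] / attempts[ip] <= max_success_rate)


def compromised_accounts(events, flagged_ips):
    """Accounts with a successful login from a flagged source: the
    candidates for forced password reset and session revocation."""
    return sorted({user for ip, user, result in events
                   if result == "ok" and ip in flagged_ips})
```

Because the reused-password accounts log in successfully, per-account failure counters never fire for them; the source-level view above is what surfaces them, and mandatory MFA is what would have stopped the successful logins in the first place.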
The complaint alleges that 23andMe received repeated warnings that customer accounts were being accessed without authorization and failed to act. The company subsequently negotiated with and reportedly paid the threat actor, while its public disclosures characterized the breach in ways that the California AG argues were misleading about both the scale and the company's prior knowledge.
Why Genetic Data Is Different
A password that is compromised can be changed. A credit card number can be cancelled. Genetic data cannot be altered, revoked, or replaced. The 6.9 million profiles exposed in the 23andMe breach contain information that is permanent and familial: health predispositions that identify disease risks, ethnic and ancestry breakdowns, and DNA matches that reveal relatives who may not have submitted their own DNA to any database. One person's breach in a DNA Relatives network creates downstream exposure for biological relatives who never signed up.
California's Genetic Information Privacy Act was designed precisely for this category of immutable, sensitive data. It imposes obligations on companies that collect genetic information, including requirements to obtain separate, specific consent for different uses of that data and to implement reasonable security measures commensurate with the sensitivity of what is being protected. The AG's complaint argues that 23andMe met neither standard — that its security was inadequate for the sensitivity of the data it held, and that its disclosures to customers obscured what had actually been accessed and by whom.
What Happened to 23andMe After the Breach
23andMe settled a class action over the breach for between $30 million and $50 million, finalized in January 2026. That settlement compensated users but did not resolve state enforcement actions. In March 2025, the company filed for Chapter 11 bankruptcy protection. The bankruptcy introduced a new legal question: could the company sell its genetic database to a buyer as part of the bankruptcy estate? Consumer advocates and privacy researchers raised alarms that the database — containing 6.9 million people's genetic profiles — could be acquired by an insurance company, pharmaceutical firm, law enforcement contractor, or data broker. A separate lawsuit challenging the sale remains pending in U.S. Bankruptcy Court for the Eastern District of Missouri.
The company has since rebranded as Chrome Holding Co. California's lawsuit names Chrome Holding Co. as the defendant, reflecting the post-bankruptcy corporate identity. Attorney General Bonta said the penalties sought would flow to victims under GIPA's statute — the per-violation amounts stack across the affected California population of 855,541 residents, meaning the GIPA exposure alone could exceed $855 million before CCPA penalties are calculated.
What This Means for Privacy Enforcement in 2026
The 23andMe case is one of the larger state-level enforcement actions in recent memory, and it coincides with a broader acceleration in U.S. privacy enforcement. California has collected over $9 million in CCPA fines since 2025. Indiana, Kentucky, and Rhode Island brought new state privacy laws into effect in January 2026. The Federal Trade Commission has been active on data security cases involving sensitive health and biometric data. The regulatory environment that was largely theoretical for most of the CCPA's first years is now producing meaningful enforcement actions.
For compliance officers and privacy professionals, the 23andMe case provides a clear articulation of what California expects: reasonable security commensurate with data sensitivity, honest and timely breach disclosure, and no negotiating with attackers while simultaneously downplaying the breach to users. Those obligations apply to any organization collecting sensitive personal information — not just genetic testing companies. The scale of the penalty exposure ($1,000 per violation under GIPA, $7,500 per intentional CCPA violation across millions of records) illustrates how quickly aggregate fines escalate when the affected population is large and the data category is specially protected.
For ordinary consumers, the more immediate lesson is that email addresses are the thread connecting most data breaches to downstream harms. The 23andMe breach began with credential stuffing using email address and password combinations. Email addresses were among the data exposed. Those exposed email addresses become targeting intelligence for phishing, spam, and follow-on social engineering. For a breakdown of how breached email addresses are weaponized, see our guide "AI now writes 82% of phishing emails hitting inboxes."
Sources: HIPAA Journal: California AG files lawsuit over 23andMe data breach; BleepingComputer: California AG sues 23andMe over 2023 breach; MedTech Dive: California attorney general sues over 23andMe data breach.