The genetics testing company 23andMe was sued on Thursday by California Attorney General Rob Bonta, over a 2023 data breach that exposed genetic and other personal information of an estimated 6.9 million U.S. customers.
In a complaint filed in San Francisco Superior Court, California accused 23andMe of ignoring numerous warnings that its systems had been compromised, and failing to take “obvious steps” to safeguard customers’ personal information and data related to their health, genetic predispositions, biological relatives, ancestry and ethnicity.
Neither 23andMe nor its lawyers immediately responded to requests for comment. The lawsuit was filed against Chrome Holding Co, the legal name for 23andMe.
Bonta sued four months after a federal bankruptcy judge in St. Louis granted final approval for 23andMe to set up a US$30 million to US$50 million fund to resolve most U.S. claims from the data breach, which began in April 2023 and lasted about five months.
That settlement also resolved accusations that 23andMe did not tell customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to have targeted them, and offered their information for sale on the dark web.
The company was founded in 2006 and went public in 2021.
It filed for Chapter 11 protection from creditors in March 2025, citing the data breach and related litigation, as well as increased competition and falling demand for genetics testing products.
The company emerged from bankruptcy last July when TTAM Research Institute, a nonprofit controlled by 23andMe co-founder Anne Wojcicki, bought 23andMe’s assets for $305 million.
Bonta opposed that sale on privacy grounds, saying California law gave consumers a right to consent to any transfer of their “most sensitive personal data.”
Jonathan Stempel, Reuters
