California Attorney General Rob Bonta has filed a civil lawsuit against Chrome Holding Co, the corporate name for genetics testing firm 23andMe, accusing the company of failing to adequately address a major data breach that began in April 2023 and persisted for about five months.
The complaint, lodged in San Francisco Superior Court, alleges that 23andMe overlooked numerous warnings that its systems had been compromised and understated the severity of the incident. According to the filing, the breach exposed sensitive personal details - including customers' health information, genetic predispositions, biological relatives, ancestry, and ethnicity - for an estimated 6.9 million customers across the United States. Bonta said approximately 856,000 of those affected were California residents.
On a conference call with reporters, Bonta sharply criticized the company’s response, stating: "This data breach, and the company’s handling of it, was entirely unacceptable." The lawsuit seeks civil penalties that the attorney general described as potentially totaling "multiple millions" of dollars for alleged violations of California’s Genetic Information Privacy Act and state consumer protection statutes.
The legal action arrives roughly 14 months after the company filed for bankruptcy in St. Louis. Bonta acknowledged that any effort to collect a monetary judgment would need to proceed through the bankruptcy process.
Federal court activity tied to the breach has already produced a separate resolution for many customers. The federal judge overseeing 23andMe’s bankruptcy approved the creation of a $30 million to $50 million fund to resolve most U.S. customer claims stemming from the breach. That settlement also addressed allegations that 23andMe failed to notify certain customers - specifically those of Chinese and Ashkenazi Jewish ancestry - that a hacker appeared to target them and subsequently offered their information for sale on the dark web.
23andMe, headquartered in Palo Alto, California, was founded in 2006 and became a public company in 2021. In March 2025 the company filed for Chapter 11 protection, citing the data breach and related litigation, heightened competition, and waning consumer demand for genetic testing products as factors behind the filing.
Last July, TTAM Research Institute - a nonprofit controlled by 23andMe co-founder Anne Wojcicki - acquired the company’s assets in a $305 million purchase. Bonta opposed that sale on privacy grounds, arguing that California law affords consumers the right to consent to transfers of their "most sensitive personal data." He said the legal challenge to the sale remains pending.
Context and implications
- The lawsuit centers on alleged violations of genetic privacy protections and consumer law.
- Monetary relief sought may be constrained by ongoing bankruptcy proceedings and prior settlements.
- The case highlights tensions between asset transfers in bankruptcy and consumer privacy rights when sensitive personal data is involved.
Neither 23andMe nor its legal representatives immediately responded to requests for comment on the lawsuit.