California Attorney General Sues 23andMe Successor Over 2023 Genetic Data Breach
TL;DR
California Attorney General Rob Bonta filed suit on May 28, 2026, against Chrome Holding Co. — the bankruptcy shell formerly known as 23andMe — for a 2023 data breach that exposed the genetic information, health predispositions, and ancestry data of nearly 7 million users, including 855,541 Californians. The lawsuit alleges violations of five state statutes and accuses the company of ignoring warnings, paying a ransom, and misleading consumers about the breach's severity — raising unresolved questions about successor liability, federal genetic privacy gaps, and whether penalties can be collected from a company that already sold its assets for $305 million in bankruptcy court.
On May 28, 2026, California Attorney General Rob Bonta filed a civil enforcement action against Chrome Holding Co. — the company formerly known as 23andMe — for its handling of a 2023 data breach that compromised the genetic information of nearly 7 million users. The lawsuit lands more than three years after hackers first penetrated 23andMe's systems and nearly a year after the company sold its operating assets in bankruptcy court, raising immediate questions about who, if anyone, will actually pay for what Bonta called a failure to "meet its obligation under California law to keep that information safe."
What the Breach Exposed
Between April and September 2023, a threat actor carried out a credential stuffing attack — a technique in which usernames and passwords leaked from other data breaches are replayed, at scale, against a target's login system — against 23andMe's platform. The attacker directly compromised approximately 14,000 accounts whose owners had reused a password already exposed in another breach and had not enabled multi-factor authentication.
But the damage extended far beyond those 14,000 accounts. The "DNA Relatives" feature lets opted-in users find and connect with genetic matches, and in doing so it shows each logged-in user profile data for everyone they match with. By logging in as the 14,000 compromised users and harvesting the match data those accounts could see, the attacker scraped data from approximately 6.9 million users — nearly half the company's entire customer base. No separate exploit of the login system was needed for that second stage; the feature worked as designed, and the design had no effective limit on how much matched-relative data one account could pull.
The categories of data compromised included raw DNA sequences, health predisposition and genetic risk factor reports, ancestry and ethnicity breakdowns, biological relative identifications, percentage of DNA shared with potential matches, family tree information, and personal identifying details such as names, birth dates, and self-reported locations. The UK Information Commissioner's Office, which conducted a joint investigation with Canada's Privacy Commissioner, confirmed that the stolen data was specifically sorted and offered for sale in batches targeting users of Ashkenazi Jewish and Chinese descent.
Five Months Undetected
The complaint's most damaging allegation may be its timeline. The credential stuffing attack began in April 2023, but 23andMe did not launch a full investigation until October 2023 — a span of roughly five months during which the company's systems were actively compromised.
The California AG's office alleges the company missed several warning signs. In July 2023, 23andMe's own systems flagged a spike in unusual login activity. In August 2023, a claim appeared on an online forum alleging that data from more than 10 million 23andMe users had been stolen; the company reportedly dismissed it as a hoax. A second wave of credential stuffing attacks followed in September 2023. Only in October, when a 23andMe employee discovered that user data was being advertised for sale on Reddit, did the company confirm a breach had occurred.
Even after confirming the breach, the company took four days to disable active user sessions and reset passwords, and approximately one month to disable the self-service raw DNA download feature and implement mandatory multi-factor authentication. The ordering matters: until sessions are revoked and passwords reset, every account the attacker has already logged into remains usable, and the raw-data download feature remains a bulk exfiltration path.
California's breach notification statute requires companies to notify affected residents "without unreasonable delay." The complaint alleges 23andMe fell short of this standard, and further accuses the company of actively misleading consumers — continuing to assure customers it hadn't experienced a security incident while simultaneously negotiating with, and paying a ransom to, the hacker.
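The warning sign the complaint describes, a spike in unusual login activity, is the signature of credential stuffing: one source trying many distinct accounts with mostly failed logins, and a small number of successes where a reused password happened to work. The following is an added example, not code from 23andMe or from the complaint, that flags such sources in authentication logs and lists the accounts that authenticated from them (the set that needs immediate session revocation and password reset). The log format, the field layout, the thresholds, and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not code from 23andMe or from the article. The log format
('TIMESTAMP SRC_IP USERNAME OUTCOME'), the thresholds and the sample data
are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the analysis window."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Parse one assumed-format log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    ts, ip, user, outcome = parts
    return ts, ip, user.lower(), outcome


def analyze(log_text: str) -> dict:
    """Aggregate attempts, failures and account sets per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, ip, user, outcome = rec
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing(stats, min_attempts=20, min_distinct_users=10, min_fail_ratio=0.8):
    """Sources trying many distinct accounts with mostly failures look like stuffing.

    A legitimate user mistyping their own password fails the distinct-user test;
    a stuffing run, where every try is a different leaked pair, passes all three.
    Thresholds are assumptions; tune them against the baseline of your own logs."""
    return sorted(ip for ip, s in stats.items()
                  if s.attempts >= min_attempts
                  and len(s.usernames) >= min_distinct_users
                  and s.fail_ratio >= min_fail_ratio)


def accounts_to_reset(stats, flagged):
    """Accounts that authenticated from a flagged source: the reused passwords
    that worked. These need sessions revoked and passwords reset, not just an alert."""
    out = set()
    for ip in flagged:
        out |= stats[ip].successes
    return out


def build_sample_log() -> str:
    """Constructed sample, not real data: one stuffing source cycles through 40
    leaked pairs and gets 3 hits, a second tries 25 with no hits, a real user
    logs in after a few typos, and one junk line is present to be skipped."""
    lines = []
    for i in range(40):
        outcome = "OK" if i in (3, 17, 29) else "FAIL"
        lines.append(f"2023-07-12T01:{i:02d}:00Z 203.0.113.7 user{i:02d}@example.com {outcome}")
    for i in range(25):
        lines.append(f"2023-07-12T02:{i:02d}:00Z 203.0.113.8 user{40 + i:02d}@example.com FAIL")
    lines += [
        "2023-07-12T03:00:00Z 198.51.100.5 alice@example.com FAIL",
        "2023-07-12T03:00:20Z 198.51.100.5 alice@example.com FAIL",
        "2023-07-12T03:00:45Z 198.51.100.5 alice@example.com FAIL",
        "2023-07-12T03:01:10Z 198.51.100.5 alice@example.com OK",
        "2023-07-12T03:05:00Z 192.0.2.10 bob@example.com OK",
        "this line is malformed and is skipped",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    stats = analyze(build_sample_log())
    flagged = flag_stuffing(stats)
    print("flagged sources:", flagged)
    print("accounts to reset:", sorted(accounts_to_reset(stats, flagged)))
```

Two caveats a practitioner would add. Real stuffing campaigns are usually spread across proxy pools, so a per-IP view like this one misses low-and-slow traffic; the same counters kept per autonomous system, per user-agent fingerprint, or globally (distinct accounts with a failed login per minute) catch the distributed case. And the output that matters operationally is the second list, the accounts where the reused password worked, because those sessions are already in the attacker's hands and stay valid until revoked.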
The Statutory Charges
The lawsuit alleges violations of five California statutes:
- California Genetic Information Privacy Act (GIPA) — which carries penalties of $1,000 per violation
- California Consumer Privacy Act (CCPA) — with penalties of up to $7,500 per violation
- Reasonable Data Security Law
- False Advertising Law
- Unfair Competition Law
With 855,541 affected California residents, even the lower GIPA penalty alone could produce a theoretical liability exceeding $855 million. AG Bonta stated the penalties "could ultimately cost the company millions" — a figure that, depending on how violations are counted, could approach or exceed the $305 million that Anne Wojcicki's nonprofit paid for 23andMe's operating assets in bankruptcy.
The Corporate Shell Game
The identity of the defendant is central to understanding the lawsuit's practical implications. When 23andMe filed for Chapter 11 bankruptcy in March 2025, CEO Anne Wojcicki resigned. She then founded TTAM Research Institute, a nonprofit public benefit corporation, which outbid Regeneron Pharmaceuticals in a contested bankruptcy auction and acquired substantially all of 23andMe's assets for $305 million in July 2025.
After the sale closed, the entity that remained — the bankruptcy estate — rebranded from 23andMe Holding Co. to Chrome Holding Co. It is this shell entity, stripped of its operating assets, that Bonta has named as the defendant.
This creates an enforcement puzzle. Chrome Holding Co. retained the liabilities that weren't assumed by TTAM in the Section 363 bankruptcy sale, but it also retained little in the way of assets. The lawsuit does not name TTAM Research Institute, which now operates the 23andMe brand and holds the customer genetic data. Whether California can collect meaningful penalties from a bankrupt shell company — and whether the lawsuit is partly designed to pressure TTAM into a settlement — remains an open question that neither the AG's office nor Chrome Holding has addressed publicly. Chrome Holding "didn't immediately respond to a request for comment."
Why DNA Is Different
The 23andMe breach sits within a broader pattern of massive health and personal data breaches, but genetic information carries a distinction that sets it apart from virtually every other category of compromised data.
A stolen credit card number can be canceled. A compromised password can be changed. Even a leaked Social Security number can, with effort, be flagged for fraud monitoring. Genetic data cannot be revoked, reset, or changed — it is immutable for the lifetime of the affected individual and, by definition, partially shared with every biological relative. The Federal Trade Commission acknowledged this in a January 2024 policy statement, noting that because "the sensitivity of the data is high, so too is the risk of harm," since genetic information reveals details about "health, characteristics, and ancestry" that extend to family members who never consented to testing.
The potential for harm is not hypothetical. Genetic data can reveal disease predispositions, paternity, ethnic heritage, and biological relationships — information that could be used for insurance or employment discrimination in the settings existing law does not cover, or for targeted harassment, as the ethnic sorting of the stolen 23andMe data demonstrated.
The Federal Gap
For the roughly 6.4 million affected users who live in the United States, the large majority of them outside California, legal protections are thin. The primary federal statute, the Genetic Information Nondiscrimination Act (GINA), prohibits the use of genetic information in health insurance underwriting and in employment decisions by employers with 15 or more employees. But GINA does not cover life insurance, disability insurance, or long-term care insurance. It does not regulate direct-to-consumer genetic testing companies. And it contains no private right of action or data security requirements.
No comprehensive federal genetic privacy law exists. The Health Insurance Portability and Accountability Act (HIPAA) applies to covered health care entities and their business associates — not to consumer genomics companies like 23andMe. The $50 million class-action settlement approved in January 2026 covered U.S. residents broadly, with affected individuals receiving approximately $165 if their health information was compromised. The settlement also carries injunctive terms, including heightened security requirements, that are meant to bind whoever operates the business going forward; whether and how those terms will be enforced against TTAM Research Institute, now operating 23andMe under a nonprofit structure, is an open question.
Only a handful of states — Alaska, Illinois, and Oregon among them — have genetic privacy statutes that provide for statutory damages comparable to California's GIPA. For residents of the remaining states, the primary recourse was the class-action settlement.
International Enforcement
Regulators outside the United States have moved independently. The UK's Information Commissioner's Office fined 23andMe £2.31 million in June 2025 following a joint investigation with Canada's Privacy Commissioner. The ICO found that 23andMe had failed to implement appropriate authentication measures, lacked effective monitoring systems, and had inadequately responded to early warnings of the attack. The fine — roughly $3.1 million — covered 155,592 affected UK residents.
Canada's Privacy Commissioner issued parallel findings and recommendations but, under Canadian law, lacked the authority to impose a monetary penalty.
The Successor Liability Question
Legal commentators have flagged a tension at the heart of California's enforcement theory. In a standard Section 363 bankruptcy sale, the buyer acquires assets "free and clear" of most pre-existing liabilities — that is the primary incentive for buyers to participate in bankruptcy auctions. If state attorneys general can effectively pursue successor entities for pre-sale conduct, it could chill the market for distressed tech acquisitions, potentially leaving user data in legal limbo when no buyer is willing to assume the risk.
Twenty-eight state attorneys general intervened in the 23andMe bankruptcy proceedings to argue that genetic data should not be treated as a freely transferable asset, and that consumers must provide affirmative consent before their biological data changes hands. Some legal analysts have pushed back on this position. The law firm Loeb & Loeb noted in a July 2025 analysis that "the conclusion that consumers must provide affirmative consent to the transfer is out of line with the reality of business practices and the requirements of the law," and argued that treating bankruptcy transfers as inherently more risky than ordinary mergers and acquisitions lacks legal grounding.
Harvard's Petrie-Flom Center for Health Law Policy published a two-part analysis calling for Congress to address the gap, noting that existing frameworks were not designed for a scenario where a company holding millions of people's immutable biological data becomes insolvent.
The question of whether California's suit represents necessary accountability or regulatory overreach may ultimately depend on whether Bonta's office can demonstrate that Chrome Holding retains sufficient assets — or sufficient legal connection to TTAM — to make the penalties meaningful. If the suit results in a nominal judgment against an empty shell, critics will argue it was theater. If it pressures TTAM into accepting enforceable data security obligations beyond those in the class-action settlement, privacy advocates will claim vindication.
What Comes Next
The lawsuit was filed in San Francisco Superior Court. Chrome Holding Co. has not yet responded publicly. TTAM Research Institute, which continues to operate 23andMe as a nonprofit, is not named in the complaint but holds the customer data and the operating business.
For the 855,541 Californians whose genetic data was exposed — and the millions more across the country and world — the core problem remains: their DNA is permanently compromised, no legal remedy can undo that exposure, and the corporate entity responsible for the failure no longer exists in any meaningful operational sense. The lawsuit tests whether California's privacy enforcement apparatus can reach across a bankruptcy sale to impose consequences, or whether the corporate restructuring has effectively placed accountability beyond the law's grasp.
Sources (15)
- [1] Attorney General Bonta Sues Chrome Holding Co., Formerly Known as 23andMe, Over 2023 Data Breach (oag.ca.gov): California AG Rob Bonta sues Chrome Holding Co. for failing to protect genetic data of 855,541 Californians in 2023 breach affecting nearly 7 million users.
- [2] 23andMe data leak - Wikipedia (en.wikipedia.org): In October 2023, 23andMe confirmed that approximately 6.9 million users' data was compromised via credential stuffing attack starting April 2023.
- [3] 23andMe Data Breach: What Was Exposed, Who Was Affected, and What Happens to Your DNA Now (security.org): 14,000 accounts directly breached via credential stuffing; attacker exploited DNA Relatives feature to access 6.9 million users' genetic and personal data.
- [4] 23andMe fined £2.31 million for failing to protect UK users' genetic data (ico.org.uk): UK ICO fined 23andMe £2.31 million following joint investigation with Canada for breach affecting 155,592 UK residents' genetic data.
- [5] California sues 23andMe, alleging it failed to protect user data in 2023 breach (abcnews.com): Security measures were so lax that the threat actor operated undetected within systems for over five months; $50 million settlement previously approved in January 2026.
- [6] California Sues 23andMe Over 2023 Breach of Millions' DNA Data (news.bloomberglaw.com): GIPA carries $1,000 per violation; CCPA up to $7,500 per violation. AG Bonta says penalties could cost the company millions.
- [7] TTAM Research Institute Completes The Acquisition of 23andMe Assets (mediacenter.23andme.com): TTAM Research Institute, Anne Wojcicki's nonprofit, completed acquisition of substantially all 23andMe assets for $305 million on July 14, 2025.
- [8] Anne Wojcicki Buys Back 23andMe for $305M, Promises Data Security (bio-itworld.com): Wojcicki's nonprofit TTAM Research Institute outbid Regeneron to acquire 23andMe assets in Section 363 bankruptcy sale.
- [9] Chrome Holding Co. (f/k/a 23andMe Holding Co.) Bankruptcy Administration (restructuring.ra.kroll.com): 23andMe Holding Co. rebranded to Chrome Holding Co. after selling operating assets; Chapter 11 cases for subsidiaries closed January 21, 2026.
- [10] The DNA of privacy and the privacy of DNA (ftc.gov): FTC notes genetic data sensitivity is high, revealing health, characteristics, and ancestry information that extends to family members who never consented.
- [11] 23andMe Requests Bankruptcy Judge Approve Revised $50 Million Data Breach Settlement (hipaajournal.com): Class-action settlement increased from $30M to $50M covering 6.4 million U.S. residents; affected individuals with health data compromised receive $165.
- [12] Genetic Information Discrimination - EEOC (eeoc.gov): GINA prohibits genetic discrimination in health insurance and employment for companies with 15+ employees but does not cover life, disability, or long-term care insurance.
- [13] Joint investigation into a data breach at 23andMe - Privacy Commissioner of Canada (priv.gc.ca): Joint Canada-UK investigation found 23andMe failed to implement adequate authentication, monitoring, and breach response measures.
- [14] 23andMe Bankruptcy Sparks Data Privacy Concerns. Should It? (loeb.com): Legal analysis arguing that requiring affirmative consent for data transfer in bankruptcy is "out of line with the reality of business practices and the requirements of the law."
- [15] The 23andMe Bankruptcy: Privacy Considerations and a Call to Action (petrieflom.law.harvard.edu): Harvard Petrie-Flom Center analysis calling for Congress to address gaps in genetic privacy law exposed by 23andMe bankruptcy.