23andMe accused of failing to protect user data in new lawsuit
**Lawsuit Filed Against 23andMe Alleging Failure to Safeguard Customer Genetic Data Following 2023 Breach**
A proposed class-action complaint filed in the U.S. District Court for the Northern District of California accuses 23andMe Inc. of failing to implement reasonable security measures to protect user data during a breach first disclosed in October 2023. The suit, brought on behalf of affected customers, claims the company’s practices left personal genetic and ancestry information exposed to unauthorized access.
The complaint centers on the October 2023 incident in which unauthorized actors gained entry to 23andMe accounts through credential-stuffing techniques. Court documents state that approximately 6.9 million users had their profile information accessed, including names, birth dates, ancestry reports, and, in some cases, limited health-related survey responses.
**The Incident**
According to the complaint, the breach occurred after attackers used previously compromised passwords to log into 23andMe accounts. Once inside, the actors downloaded raw genetic data files and family-tree information tied to those accounts. The complaint alleges that 23andMe did not require multi-factor authentication on all accounts at the time and had not implemented additional controls to detect repeated failed login attempts from unfamiliar locations.
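The two controls the complaint says were missing, detection of one source failing logins across many accounts and a check for successful logins from a location the account has never used, can both be run over an authentication log. This is an added example, not code from 23andMe or from the complaint; the log format, the `KNOWN_GEO` history and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real 23andMe data):
# timestamp, source IP, geolocated country, account, outcome.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 RO alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 RO bob FAIL
2023-10-01T10:00:03Z 203.0.113.7 RO carol FAIL
2023-10-01T10:00:04Z 203.0.113.7 RO dave FAIL
2023-10-01T10:00:05Z 203.0.113.7 RO erin FAIL
2023-10-01T10:00:06Z 203.0.113.7 RO frank SUCCESS
2023-10-01T10:05:00Z 198.51.100.4 US alice FAIL
2023-10-01T10:05:30Z 198.51.100.4 US alice SUCCESS
"""

# Assumed per-account history: countries seen on earlier successful logins.
KNOWN_GEO = {"alice": {"US"}, "frank": {"US"}}

def parse_log(text):
    """Turn the whitespace-separated log into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, geo, account, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "geo": geo, "account": account,
                       "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["ts"])

def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: distinct accounts failed} for IPs whose failures hit at least
    min_accounts different accounts inside a sliding window. Credential stuffing
    is one source against many accounts, so per-account lockout never triggers."""
    recent = defaultdict(deque)   # ip -> deque of (ts, account) failures in window
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["account"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {acct for _, acct in q}
        if len(distinct) >= min_accounts:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(distinct))
    return flagged

def find_unfamiliar_successes(events, known_geo):
    """Return (account, ip, geo) for successful logins from a country the account
    has no prior history with; these are the candidates for step-up verification."""
    return [(e["account"], e["ip"], e["geo"]) for e in events
            if e["ok"] and e["geo"] not in known_geo.get(e["account"], set())]
```

In the sample, the Romanian source is flagged after its fifth distinct account, and frank's login from RO is the only success outside the account's known geography.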
Plaintiffs’ counsel cited internal company records showing that customer support tickets regarding suspicious login activity had increased in the months prior to public disclosure. The complaint references statements made by 23andMe in its December 2023 SEC filing, in which the company confirmed that “a threat actor had obtained access to certain customer profile information.”
**Background on 23andMe and Prior Security Practices**
23andMe, founded in 2006 by Anne Wojcicki, provides direct-to-consumer genetic testing services. Users submit saliva samples and receive reports on ancestry composition and certain health predispositions. The company maintains one of the largest private databases of human genetic information, with more than 14 million customers worldwide as of 2023.
Prior to the 2023 incident, 23andMe had experienced smaller security events. In 2018 the company disclosed that a third-party vendor had improperly accessed limited customer names and email addresses. Industry observers, including reports from the cybersecurity firm Mandiant, have noted that genetic-testing firms face elevated risks because account credentials often contain sensitive identifiers that cannot be changed.
Federal and state regulators have issued guidance on protecting genetic data. The Federal Trade Commission’s 2023 Health Breach Notification Rule requires notification when personal health information is disclosed without authorization. California’s Genetic Information Privacy Act, effective since 2022, imposes additional consent and security obligations on companies handling genetic information.
**Company Response and Subsequent Actions**
23andMe stated in its October 2023 blog post and subsequent SEC disclosures that it had notified affected users, reset passwords, and offered two years of credit monitoring and identity-theft protection. CEO Anne Wojcicki wrote in a December 2023 company update that “we take the security of our customers’ data extremely seriously and are investing in additional protective measures.”
The complaint alleges these steps were insufficient and came after the data had already been exfiltrated and, in some instances, offered for sale on criminal forums. Plaintiffs seek damages under California’s Unfair Competition Law, the California Consumer Privacy Act, and common-law negligence theories. No trial date has been set; the company has not yet filed its formal response.
**Regulatory and Industry Context**
The 23andMe breach occurred amid heightened scrutiny of consumer genomics firms. In 2023 the Department of Health and Human Services proposed updates to the HIPAA Security Rule that would extend certain protections to genetic data held by non-covered entities. Several state attorneys general have opened inquiries into the incident, though no enforcement actions have been announced.
Other companies in the sector, including Ancestry and MyHeritage, have implemented mandatory multi-factor authentication and data-encryption standards following their own past incidents. Trade associations such as the Personalized Medicine Coalition have published voluntary best-practice guidelines emphasizing encryption of raw genetic files and regular penetration testing.
**Implications and Next Steps**
The litigation will likely examine whether 23andMe’s pre-breach security controls met the standard of care required under applicable state and federal statutes. Discovery is expected to include internal audit reports and communications with law-enforcement agencies regarding the credential-stuffing campaign.
Further updates will be provided as the investigation and court proceedings progress.
This is Jessica Ali for Global1 News, reporting from Atlanta.