Why are the 27 states suing 23andMe?

They are trying to block the bankrupt company from selling customer genetic data, and they allege 23andMe failed to protect data and misled consumers about the severity of the 2023 breach.

How many people were affected by the 2023 breach?

According to the lawsuit, the breach exposed sensitive health information belonging to nearly 7 million people.

Can 23andMe’s genetic data be sold to a new owner?

The lawsuit argues that in bankruptcy, the data could be transferred to a buyer who isn't bound by original consent terms. Some states, like Florida, prohibit such sales without explicit consent, but not all states have those protections.

Why can’t tools like VPNs keep genetic data private?

VPNs and encryption protect data in transit, but genetic data is collected from a physical saliva sample and stored on company servers. From that point, no network-level tool applies, and privacy depends solely on the company’s security and legal safeguards.

How did 23andMe allegedly mislead customers after the breach?

The coalition claims 23andMe downplayed the incident’s scope, keeping customers from realizing how serious it was and possibly preventing them from taking steps to protect themselves or requesting data deletion.

27 States Sue 23andMe to Block Genetic Data Sale After 2023 Breach

Twenty-seven states and the District of Columbia have filed a lawsuit against 23andMe to prevent the bankrupt DNA testing company from selling the genetic data of its customers. The lawsuit, filed in bankruptcy court, centers on a 2023 breach that exposed sensitive health information belonging to nearly 7 million people, and argues that 23andMe misled consumers about the severity of that incident. At stake is the genetic data of an estimated 15 million customers who never consented to have their most intimate biological information auctioned off to the highest bidder.

This case is not just a story about corporate negligence. It raises a harder, more uncomfortable question for privacy-conscious consumers: what happens when the privacy risk is not a password, an IP address, or an email, but your actual DNA?

What the Lawsuit Actually Alleges

The coalition of attorneys general argues on two main fronts. First, that 23andMe failed to adequately protect user data before and during the 2023 breach, leaving millions of customers exposed to harms they had no way to anticipate. Second, that the company downplayed the incident's scope, misleading customers who might otherwise have taken steps to protect themselves or request deletion of their data.

Now that 23andMe has filed for bankruptcy, the concern is that genetic data collected under one set of promises could be transferred to a new owner operating under entirely different policies. Customers who originally consented to share their DNA for ancestry research or health insights may find that data absorbed by an unknown third party with no obligation to honor the original terms of service.

Several states already have laws specifically addressing this scenario. Florida, for example, prohibits the sale of genetic data without express customer consent, backed by criminal penalties and fines. But not every state has such protections, which is precisely why a coordinated multi-state lawsuit became necessary.

Why Your Privacy Tools Cannot Protect Genetic Data

This is the part of the story that most digital privacy coverage skips over. VPNs, encrypted messaging apps, private browsers, and similar tools are effective at protecting one category of data: information you transmit or generate digitally. They can shield your IP address, your browsing history, and your communications from interception.

But they cannot do anything about data you have already voluntarily handed over in physical form. When you mail a saliva sample to a DNA testing company, no amount of network-level privacy protection applies. The data is collected, processed, and stored on the company's servers. From that point forward, your privacy depends entirely on the company's security practices, its contractual obligations, and the legal protections available in your jurisdiction.

This distinction matters because it changes the nature of the risk. With most digital privacy threats, users have ongoing agency. You can stop using a service, clear your data, or switch to a more private alternative. With genetic data, the information is immutable. Your DNA cannot be changed, reset, or revoked. Once it is breached or sold, the exposure is permanent.

What This Means For You

If you are a 23andMe customer, the lawsuit means there is currently an active legal effort to prevent your data from being sold without your consent. However, legal proceedings take time, and outcomes are never guaranteed in bankruptcy court, where creditors' interests often compete directly with consumer protections.

There are concrete steps worth taking now. First, check whether you have already submitted a data deletion request to 23andMe. The company has historically offered this option, and while the bankruptcy process complicates things, submitting a formal deletion request creates a documented record of your intent. Second, review any consent agreements you signed when creating your account, as these documents may outline your rights during a corporate transfer.

Beyond 23andMe specifically, this case is a useful prompt to think more broadly about genetic privacy. Any service that collects biometric or biological data, whether for health, fitness, ancestry, or research purposes, holds information that sits outside the scope of conventional privacy tools. The legal framework protecting that data varies significantly by state and is still catching up to the technology.

For those interested in how broader privacy legislation is evolving in the United States, the Lofgren-Tillis Bill offers a useful window into how lawmakers are thinking about digital data rights and the limits of existing protections.

The Bigger Picture on Data Broker Risk

The 23andMe situation is also a reminder of how data broker ecosystems operate. Even data collected for a benign purpose can end up in the hands of parties whose intentions and practices are entirely unknown to the original consumer. Bankruptcy sales are one pathway for this to happen. Corporate acquisitions, data licensing agreements, and security breaches are others.

Genetic data is among the most sensitive categories of personal information that exists. It can reveal predispositions to illness, familial relationships, and ethnic heritage. In the wrong hands, it could be used by insurers, employers, or law enforcement in ways consumers never anticipated or agreed to.

The multistate lawsuit against 23andMe is a significant moment for genetic privacy rights in the United States. Whether it succeeds in blocking the sale, it has already demonstrated that state attorneys general are willing to coordinate aggressively on consumer data issues, and that genetic data is increasingly being treated as a category that deserves heightened legal protection.

If you have genetic data stored with any testing company, now is the time to review your account settings, understand your deletion rights, and think carefully before submitting biological data to any service in the future. No VPN can protect your DNA, but informed decisions before you share data are the most powerful privacy tool available.