California Sues 23andMe Over 7M-User Genetic Data Breach

The California Attorney General has filed a lawsuit against DNA testing company 23andMe, now operating as Chrome Holding Co., over its handling of a 2023 breach that exposed the genetic and ancestry data of nearly 7 million users. The suit centers on two core claims: that 23andMe failed to adequately protect some of the most sensitive personal data that exists, and that it misled customers about how serious the exposure actually was. For anyone thinking about privacy protection in the wake of a genetic data breach, this case is a sharp reminder that no privacy tool or consumer habit could have prevented this outcome.

What the California Lawsuit Against 23andMe Actually Alleges

The California AG's complaint focuses on 23andMe's alleged failure to implement adequate security measures for data that includes DNA profiles and health predisposition information. When the breach was first disclosed, critics noted that the company's public communications downplayed the scope of what was compromised. The lawsuit formalizes those concerns, arguing that consumers were misled about the severity of the exposure.

What makes this case legally significant is that genetic data occupies a special category under California law. Unlike a leaked email address or even a credit card number, DNA data cannot be changed. It links directly to health vulnerabilities, family relationships, and ancestry, and it does so permanently. The state is arguing that 23andMe had both a legal and ethical obligation to treat that data with far greater care than it apparently did.

Why Genetic and Health Data Is a Different Category of Risk

Most data breaches cause serious harm, but genetic data breaches carry consequences that extend well beyond the individual. Your DNA contains information about your relatives, including people who never consented to share anything with a third party. It can reveal predispositions to disease, ethnic heritage, and biological family connections, details that can be exploited by insurers, employers, or bad actors for years or decades after a breach occurs.

This is what separates genetic data from the credentials and behavioral profiles that most corporate breaches expose. There is no password reset for your genome. That reality places an enormous burden of responsibility on companies that collect and store this type of information, and it is exactly the argument California is pressing in court.

The situation echoes broader concerns about how large companies handle sensitive user information without meaningful accountability. As covered in reporting on the Texas AG's lawsuit against Netflix over secret user data collection, attorneys general across the country are increasingly willing to pursue tech and consumer companies that misuse or fail to protect the personal data they gather.

What a VPN Can and Cannot Do After a Corporate Data Breach

This is a case that deserves honest framing for privacy-conscious readers. A VPN is a valuable tool for encrypting your internet traffic, masking your IP address from websites and advertisers, and protecting your activity on public networks. Those are real and meaningful benefits.

But the 23andMe breach was not a case of someone intercepting data in transit. It was a failure inside the company's own systems, involving data that users had already submitted years earlier. A VPN running on your device at the moment of the breach would have done nothing to protect the DNA profiles sitting in 23andMe's database.

This distinction matters because consumers are sometimes led to believe that privacy tools like VPNs create a comprehensive shield around their digital lives. They do not. Once you hand data to a third party, your protection depends entirely on that company's security practices, legal obligations, and willingness to be transparent when something goes wrong. The 23andMe lawsuit suggests that at least one of those safeguards failed on multiple counts.

Practical Steps to Limit Your Exposure Beyond a VPN

Understanding the limits of any single privacy tool is the first and most important step. From there, a few concrete habits can meaningfully reduce your risk with companies that hold sensitive data.

Be selective about what you share. Genetic testing services are consumer products with real privacy tradeoffs. Before submitting a DNA sample, review the company's data retention policy, its history with law enforcement data requests, and what happens to your data if the company is acquired or goes bankrupt. 23andMe's bankruptcy proceedings have already raised separate concerns about what happens to its database.

Review and use deletion options. Many genetic testing companies offer the ability to delete your stored DNA data and account information. If you have used a service and no longer want your data retained, exercise that right. Not all companies make this easy, but it is often available.

Read breach notifications carefully. Companies are legally required to notify you of qualifying breaches, but as the California lawsuit illustrates, the framing of those notifications can understate the actual scope of harm. If you receive a breach notice, take it seriously regardless of how it is worded, and check independent reporting for a fuller picture.

Understand what consent actually covers. Signing up for a service means agreeing to that company's privacy policy, but those policies often include broad language about data sharing with third parties. Genetic data, health records, and biometric information deserve extra scrutiny before you click accept.

What This Means For You

The California AG's lawsuit against 23andMe is not just a regulatory action against one company. It is a signal that state-level enforcement of privacy protections around genetic data is becoming more aggressive, and that the exposure of DNA and health records will increasingly attract legal consequences that a company cannot simply absorb as a cost of doing business.

For consumers, the takeaway is both empowering and sobering. You can make better decisions about which companies you trust with your most sensitive data. You can demand deletion, read the fine print, and stay informed when companies you have trusted face scrutiny. What you cannot do is rely on any single tool, including a VPN, to protect data that already lives inside a third party's systems.

To understand how this pattern plays out across other industries, the coverage of the Texas AG's Netflix data lawsuit offers a useful parallel: corporate data misuse operates at a level entirely beyond what personal privacy tools can address. Staying informed about these cases is one of the most practical things you can do.