California’s lawsuit against 23andMe, filed on 28 May 2026, shows what happens when a company treats sensitive data security as a product or IT problem instead of a board-level governance problem. In a press release and a filed complaint, California Attorney General Rob Bonta alleges that 23andMe failed to protect genetic and health-related data, ignored warning signs, and then misled consumers about what had happened. For boards, the uncomfortable lesson is simple: when your business holds DNA data, ordinary security failures can turn into privacy, consumer-protection, and reputation exposure all at once.
What California says happened
California says the 2023 breach affected nearly 7 million people across the United States, including 855,541 Californians. According to the state’s 28 May 2026 announcement, the attacker accessed around 14,000 customer accounts over a period of roughly five months, then used that foothold and a flaw in the DNA Relatives feature to pull far more data from the wider customer base. The information at issue was not limited to email addresses or log-in credentials. California says it included ancestry reports, DNA-match information, family relationship data, and health-related genetic information.
The complaint says the attack relied on credential stuffing, a well-known method that reuses username and password pairs taken from earlier breaches elsewhere. California alleges that 23andMe knew users might reuse credentials, knew about the earlier MyHeritage breach, and still did not put adequate controls in place to stop or detect the attack. The state’s case also points to a coding flaw in DNA Relatives that allegedly let the attacker expand a limited account compromise into a much larger data exposure.
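Credential stuffing leaves a recognisable trace in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the occasional success is the account takeover. The detection routine below is an added illustration written for this article; it is not code from 23andMe, from the complaint, or from any vendor. It assumes a hypothetical log format of "timestamp, source IP, username, outcome" and runs over constructed sample lines, flagging sources that match the pattern and listing the accounts that succeeded during the burst so a defender can force a credential reset and review those sessions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not real customer data):
# ISO-8601 timestamp, source IP, username, outcome. The first source tries six
# different accounts in six seconds; the second retries one account (a user
# mistyping a password); the third is a single normal login.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-05T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-05T10:00:03Z 203.0.113.7 carol@example.com FAIL
2024-01-05T10:00:04Z 203.0.113.7 dave@example.com SUCCESS
2024-01-05T10:00:05Z 203.0.113.7 erin@example.com FAIL
2024-01-05T10:00:06Z 203.0.113.7 frank@example.com FAIL
2024-01-05T10:01:10Z 198.51.100.4 alice@example.com FAIL
2024-01-05T10:01:15Z 198.51.100.4 alice@example.com FAIL
2024-01-05T10:01:40Z 198.51.100.4 alice@example.com SUCCESS
2024-01-05T10:02:00Z 192.0.2.9 grace@example.com SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that, within `window`, attempted at least
    `min_distinct_users` different accounts with a success rate at or below
    `max_success_rate`. Thresholds are illustrative and should be tuned per site."""
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = parse_line(line)
            events_by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, events in events_by_ip.items():
        events.sort()  # chronological order for the sliding window
        start = 0
        best = None
        for end in range(len(events)):
            # Advance the window start until the window fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, o in win if o == "SUCCESS")
            rate = successes / len(win)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                candidate = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "success_rate": round(rate, 2),
                    # Accounts that logged in during the burst: likely takeovers,
                    # so these are the ones to reset and review first.
                    "compromised_candidates": sorted(
                        {u for _, u, o in win if o == "SUCCESS"}),
                }
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The single-account retry source is deliberately not flagged: repeated failures against one account are a different signal (user error or a targeted guess) and need a different response, such as per-account lockout, rather than the per-source, many-account rule shown here. In production the same logic would also key on device fingerprint or ASN, since stuffing campaigns rotate source addresses, and would feed the "compromised_candidates" list into a forced reset and session revocation workflow.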
Why this becomes a board issue so quickly
Genetic data is not ordinary customer data
Boards often hear “personal data” and think in broad categories. This case is narrower and more serious. California’s press release says 23andMe held information about customers’ health predispositions, biological relatives, ancestry, and ethnicity. In March 2025, Bonta issued a separate consumer alert after 23andMe had publicly reported financial distress and substantial doubt about its ability to continue as a going concern. The alert reminded Californians that they could direct deletion of genetic data, request destruction of stored samples, and revoke research consent. When a regulator tells consumers how to delete genetic data during a company’s financial distress, the issue has already moved beyond security operations.
Security, privacy, and consumer law stack together
The lawsuit is not framed as a single-issue cyber case. California alleges breaches of the Genetic Information Privacy Act, California’s reasonable security obligations, false advertising law, unfair competition law, and the CCPA. That matters because it changes the board conversation. A breach can now trigger regulator scrutiny over technical controls, public statements, customer notices, and the gap between marketing claims and system reality. Our article on California CCPA/CPRA basics covers the broader framework. The 23andMe suit shows how quickly that framework becomes real when sensitive data is involved.
Misleading breach communications make the exposure worse
California’s complaint does not stop at the pre-breach controls. It also alleges that 23andMe downplayed the seriousness of the breach, told consumers there had been no incident inside its own systems, and omitted key facts while ransom negotiations were under way. Boards should pay attention to that part. Once a breach response starts, legal risk is no longer about what failed technically. It is also about what the company says publicly, what it tells customers privately, and whether the board can evidence that those statements were accurate at the time.
Bankruptcy turns privacy promises into transaction risk
The sale-risk question is not theoretical. In a 31 March 2025 letter to the U.S. Trustee, FTC Chairman Andrew Ferguson said 23andMe user data might be sold as part of bankruptcy proceedings and that any sale or transfer of personal information and biological samples should remain subject to 23andMe’s privacy and data-security promises. For boards, that is the governance point: privacy commitments made while a company is growing can still matter when the company is distressed, sold, or restructured.
What boards should ask management now
- Which datasets would create the worst downstream harm if exposed, not merely the worst regulatory filing burden?
- Where are we still relying on ordinary password controls for accounts that expose high-sensitivity data?
- Do our product teams know which customer features can expand a narrow account compromise into wider data access?
- Who signs off on public breach statements, and what evidence do they review before those statements go out?
- If the company were sold, restructured, or distressed tomorrow, could we explain exactly what rights customers have over deletion, retention, and transfer of their data?
The practical lesson for managers
The practical lesson is to treat high-sensitivity datasets as governance assets with technical, legal, communications, and transaction controls tied together. A breach involving genetic data can become a regulator case, a consumer-trust crisis, and a sale-risk problem at the same time. If management cannot show how those strands meet, the board does not yet have control of the risk.
For teams building privacy awareness beyond the legal function, the simplest starting point is training managers on how security incidents, consumer rights, and disclosure duties interact in practice. The Measured Collective courses page is the clearest route into that wider training base.
Sources
- California Attorney General press release on the 23andMe lawsuit, 28 May 2026
- People of the State of California v. Chrome Holding Co. et al., filed complaint
- California Attorney General consumer alert for 23andMe customers, 21 March 2025
- FTC Chairman Andrew Ferguson letter on 23andMe bankruptcy impact, 31 March 2025
