California Sues 23andMe's Successor Over the 2023 Genetic Data Breach

California Attorney General Rob Bonta sued Chrome Holding Co., the successor to bankrupt 23andMe, on May 28, 2026, alleging it failed to protect the genetic and personal data of nearly 7 million people in the 2023 breach and misled customers about it. The complaint invokes California's Genetic Information Privacy Act and the CCPA.

Information last verified on June 3, 2026. This is a developing story; we update it as the record changes.

Jurisdiction scope: This article addresses a California enforcement action and the California statutes it invokes. It does not state the genetic-privacy law of other states. For your state, see the state data-privacy and data-breach pages.

What Happened

On May 28, 2026, California Attorney General Rob Bonta filed a civil enforcement action, People v. Chrome Holding Co., in San Francisco Superior Court against the San Francisco company now known as Chrome Holding Co., formerly 23andMe. The complaint arises from the company's 2023 data breach. According to the Attorney General, an attacker accessed roughly 14,000 customer accounts, then used the company's opt-in DNA Relatives feature and other weaknesses to reach the profiles of nearly 7 million people, including 855,541 Californians.

The complaint alleges the company failed to take reasonable measures to protect highly sensitive information about customers' health, genetic predispositions, biological relatives, ancestry, and ethnicity. It further alleges the company ignored known vulnerabilities, failed to respond to repeated warnings that its systems had been compromised, and then made untrue or misleading statements about its security and about the circumstances of the breach.

The Attorney General asks the court to impose civil penalties and to enjoin the company from further violations of California's privacy laws. The action follows the company's bankruptcy and rebranding, and it tests whether a successor entity can be held to account for a predecessor's data-security failures. As of June 3, 2026, the company has not answered the complaint and the court has not ruled.

What the Law Actually Says

California regulates consumer DNA-testing companies through the Genetic Information Privacy Act, enacted by SB 41 in 2021 and codified at Civil Code section 56.18 and following. The act requires direct-to-consumer genetic-testing companies to obtain a consumer's express consent for the collection, use, and disclosure of genetic data, and to implement reasonable security to protect it. The complaint pairs that act with the state's Reasonable Data Security Law and with the California Consumer Privacy Act, Civil Code section 1798.100 and following, which the Attorney General and the California Privacy Protection Agency enforce.

The Attorney General also invokes the False Advertising Law and the Unfair Competition Law, the broad statutes California uses to challenge misleading statements and unlawful business practices. Together these laws let the state seek civil penalties per violation and injunctive relief, rather than the individual damages a private class action would pursue.

This action runs alongside private litigation over the same breach. For the consumer-facing framework, see the explainers on California data privacy laws and California data breach notification laws.

Analysis: Why This Matters

The following is analysis from the Recording Law Editorial Team.

Two features of this case stand out. First, it is a genetic-data case, and genetic data is permanent. A breached password can be reset; a breached genome cannot. That is the policy reason California enacted the Genetic Information Privacy Act in 2021, and it is why an enforcement action built on that statute carries weight beyond the dollar figures.

Second, the defendant is a successor. By naming Chrome Holding Co. rather than the pre-bankruptcy 23andMe entity, the Attorney General signals that corporate restructuring is not a clean exit from data-security liability. That theory, if it holds, matters well past this company, because data-rich firms routinely change hands. We are not predicting how the court will rule. The allegations are unproven, and successor-liability questions are fact-specific and contested. What the filing establishes is the state's enforcement posture: California is willing to pursue the entity that holds the data, through bankruptcy and a name change.

How This Affects You

If you were a 23andMe customer, the breach at issue dates to 2023, and notification obligations under California law are addressed in the breach-notification explainer. Consumers who want to limit further exposure generally can request deletion of their account data and ask that any stored biological sample be destroyed; genetic-testing companies subject to the Genetic Information Privacy Act must honor valid deletion and revocation requests. This is general information, not a step-by-step instruction for your situation.

More broadly, an enforcement action is not the same as a consumer payout. Civil penalties recovered by the Attorney General go to the state, not to individuals. Consumers seeking individual compensation typically must look to separate private litigation or any approved class settlement, which proceeds on its own schedule and terms.

This is general legal information, not legal advice. It covers a California enforcement action and the California statutes it invokes, verified on June 3, 2026. Laws change and this story is developing; consult a lawyer licensed in your jurisdiction about your specific situation.

---

Related articles

• California data privacy laws: CCPA and CPRA
• California data breach notification laws
• What is the CCPA?

---

Last updated: 2026-06-03. This is a developing story; details verified as of June 3, 2026.