Lessons from the 23andMe Breach for Businesses of All Sizes

On May 28, 2026, California’s Attorney General filed a lawsuit against Chrome Holding Co., formerly 23andMe, for failing to protect users’ sensitive data, including genetic data. In 2023, 23andMe experienced a major cybersecurity breach: roughly 14,000 accounts were accessed directly with stolen credentials, and through those accounts the attackers reached profile and genetic information belonging to about 7 million users. Although 23andMe’s assets were liquidated in a 2025 bankruptcy proceeding, its data lives on through its successor, Chrome Holding Co.

23andMe provided saliva test kits and analyzed user DNA to provide ancestry and trait information, including health information. The breach exposed not only users’ account data, but also their genetic and health data. Because customers could share genetic profiles and information with other users of the service, the impact of the breach arguably extended beyond the compromised accounts to the people who had shared data with them.

Despite the scale of the breach and the sensitivity and depth of the information exposed, the mechanism was simple. Attackers logged in with usernames and passwords that had already been exposed in earlier breaches and reused on 23andMe (a technique known as credential stuffing), and 23andMe had not enforced Multi-Factor Authentication, even after a 2017 data breach had put such credentials into circulation. This incident provides valuable lessons for all kinds of companies, regardless of the data they carry:

  1. Multi-Factor Authentication is increasingly a core security consideration for processors and controllers of sensitive data.
    Even in 2023, when the breach occurred, Multi-Factor Authentication was a widely used tool for protecting user accounts. As the 23andMe breach demonstrates, credentials can be easily stolen, and a password that was reused across services is only as safe as the weakest service that ever stored it. Multi-Factor Authentication adds a second, independent proof of identity, so a stolen password alone is not enough to log in, whether the attacker obtained it through sophisticated means or plain social engineering. A practical caveat: enabling the option is not the same as requiring it. Protection only reaches the accounts that actually have a second factor enrolled, so the factor should be mandatory for accounts that hold sensitive data, and the service should also screen new and existing passwords against lists of credentials known to have been exposed. Claimants increasingly cite failures to implement Multi-Factor Authentication as a cause of system compromise.

    This is an especially important consideration for holders of sensitive data, like health or genetic data. See Nunley v. Chelan-Douglas Health Dist., 32 Wn. App. 2d 700, 558 P.3d 513 (2024), a Washington case in which two plaintiffs sued the Chelan-Douglas Health District for negligence in gathering, storing, and securing their personally identifiable information (PII) and personal health information (PHI). In that case, the Court of Appeals, Div. III, not only found that the plaintiffs had sufficiently alleged that they experienced harm as a result of the exposure, but also that the loss of value of that data was a form of recoverable damages.

  2. Harms can compound when data changes hands.
    Many of the stolen credentials in the 23andMe breach came from a prior breach in 2017 affecting one of 23andMe’s former partners, MyHeritage. Data changes hands in a wide range of contexts: with partners and vendors, in transactions, and in entity succession. A company is responsible not only for covering its own bases, but for ensuring that every other entity with access to the data takes precautions at least as strong as its own. That responsibility is sharpest once data is known to have been exposed: when a partner that shared user accounts or credentials is breached, those credentials should be treated as compromised, with forced password resets and a second authentication factor for the affected accounts, rather than assumed to be someone else’s problem.

  3. There’s no threshold size for data breach.
    All businesses, no matter their size, handle data. Much of that data is likely to qualify as sensitive “personal information” under Washington’s Data Breach Notice Statute, RCW 19.255. A business falls within the statute’s definition of personal information simply by possessing:
    • an individual’s first name, or first initial and last name, combined with
    • a Social Security Number, driver’s license or ID card number, full date of birth, or medical or biometric data, among other qualifying elements.

A full list of the qualifying data elements can be found under the definition of personal information at RCW 19.255.005(2)(a).

The point here is that it is very likely for a business to possess sensitive data. No matter how large or small they may be, all businesses have increasing obligations to protect consumer data. In Washington, the Data Breach Notice Statute and the Consumer Protection Act potentially provide not only for compensatory damages, but also for treble (triple) damages up to $25,000, plus attorneys’ fees and costs.

If you own or are part of a business, start having conversations today about what data you handle, how you are protecting it, and how you are complying with the law. If you are wondering how to navigate that process, please reach out to our firm’s Technology and Data Privacy Practice for help getting started. Start small, but make sure you start today.


About the Authors

Smitha Gundavahjala

Smitha’s practice primarily involves civil litigation and tech and data privacy.