California Attorney General Rob Bonta has filed a lawsuit against the commercial genetic testing company 23andMe, the latest in a series of legal disputes over a 2023 hack that exposed the DNA of millions of people.
The hacker stole data from 23andMe and put it for sale on the dark web, specifically advertising data from people with Chinese and with Ashkenazi Jewish genetic backgrounds, a point Bonta emphasized made the breach particularly sensitive when he announced the suit on May 27.
“The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information,” Bonta said. “This is disturbing and incredibly dangerous.”
The lawsuit, filed in San Francisco Superior Court, concerns a 2023 incident in which a hacker stole genetic data on almost 7 million 23andMe customers, including 1 million in California. Bonta alleges that 23andMe violated several state privacy laws requiring heightened protection for genetic information.
The lawsuit alleges that 23andMe’s weak security allowed the attack to go undetected for more than five months and that the company only launched an investigation after the attacker tried to sell the stolen data on the dark web, a part of the internet known for marketplaces of illegal goods, and demanded a ransom.
Suzanne Bernstein, a lawyer with the Electronic Privacy Information Center, a Washington, D.C.-based advocacy group, has been paying close attention to the fallout from the 23andMe hack and considers the new case a significant development.
“It challenges the representations that the company made to consumers about the security of their private sensitive data,” she said. “It also explores what those representations were before and after the breach, and how both were inadequate.”
Of particular concern to Jewish customers was the fact that the hacker offered specific packages of Ashkenazi heritage names and data for sale. According to the lawsuit, 1.1 million people with Ashkenazi heritage and hundreds of thousands of people with Chinese heritage were affected.
While it is unclear what prompted the hacker to sort by Ashkenazi heritage after stealing the data, observers noted that genetic data identifying people as Jewish could be used to target them for harassment and violence. The hacker also offered data on “wealthy families serving Zionism” in the aftermath of a deadly rocket attack at a Gaza hospital in October 2023 and released Chinese heritage data after someone asked for it on the dark web.
“This news came out a few years ago, but even reading about it, of course, it’s chilling how available that information became on the dark web,” Bernstein said.
While the lawsuit mentions the Ashkenazi and Chinese DNA element, the crux of it focuses on 23andMe’s failure “to take obvious steps necessary to safeguard its customers’ sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry, and ethnicity,” the filing states.
The lawsuit also claims 23andMe was cavalier about a possible breach, failing to be transparent to the public and closing an investigation that could have led it to assess the severity of the situation. The company eventually paid a ransom to the hacker.
The company has not yet responded publicly to the lawsuit.
F. Mario Trujillo, a senior staff attorney at the San Francisco-based Electronic Frontier Foundation, an organization focused on safe-guarding digital privacy and free expression, said in an email to J. that every company that collects personal data has a basic duty to protect it but genetic data requires even more security.
“When a company stores highly sensitive data, its security obligations should also increase,” he said. “Genetic data is that kind of data. It is immutable and can reveal very personal details about us and our families.”
Bonta is suing 23andMe under the Genetic Privacy Act, which was signed in 2021 to address the burgeoning consumer genetic test market. The act requires anyone handling genetic test data to “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.”
Bernstein said the 23andMe case underscores the need for such regulations.
“It’s another reminder in the broader conversation that self-regulation isn’t always effective in truly protecting consumer data, especially sensitive consumer data,” Bernstein said.
The company was founded in San Francisco by Anne Wojcicki, part of a Jewish family from Silicon Valley that includes her late sister, Susan Wojcicki, former CEO of YouTube. Anne Wojcicki was previously married to Sergey Brin, one of Google’s two Jewish co-founders.
After the hack and a subsequent $50 million class action suit, the company declared bankruptcy. In 2025, Wojcicki regained control of the company through TTAM Research Institute, a nonprofit she founded and leads.
According to Bernstein, it’s important for consumers to understand what they’re doing when they take a commercial genetic test, as opposed to a genetic test ordered by a doctor for diagnosis, for example. The latter is covered by the Health Insurance Portability and Accountability Act, the 1996 federal law that protects health data. Commercial tests are not protected under that law, she said.
“There’s a common misconception that consumer health data is also covered by HIPAA, maybe just because it’s sensitive,” she said. “But here, all this information is outside of HIPAA’s scope. Even if it’s genetic.”