Sep 21, 2024

Latest Class Action Lawsuit Against 23andMe Says Data Breach Targeted Chinese and Jewish Users

by Nadia El-Yaouti | Jan 31, 2024

Popular biotech company 23andMe is facing yet another class action lawsuit over claims that it failed to protect user data after a cybersecurity breach went undetected for over five months. This newest lawsuit was filed in a federal court in San Francisco after the company notified the California Attorney General’s Office of the security breach, which occurred in late April 2023 and went undetected until September. The breach was not reported until October.

There have been several lawsuits filed against 23andMe following the data breach, with the most recent class action complaint filed in late December by plaintiff Alyson Hu in Illinois federal court.

Hu had used the company's services; after the cyberattack, she says her personally identifiable information (PII), including her name, username, birth year, regional location, and profile picture, was stolen and sold on the dark web.

Her lawsuit alleges that 23andMe violated the Illinois Genetic Information Privacy Act (GIPA), among other common-law claims. While the hackers were able to access about 14,000 customer accounts using a brute-force attack, it’s believed that the data of nearly seven million users, about half of 23andMe’s customers, was stolen.

This new class action lawsuit in California argues the company violated the California Privacy Rights Act (CPRA) and the California Confidentiality of Medical Information Act (CMIA). Both laws require companies that handle customer personal data to safeguard that information.

The lawsuit and recent reporting from The New York Times detail that the cyberattack seemed to specifically target the profiles of Chinese and Ashkenazi Jewish users. The NYT notes that their genetic information appears to have been aggregated into “specially curated lists” that were then sold on the dark web.

An alleged hacker who identifies himself only as “Golem” says he leaked the personal data of users with Jewish ancestry on the dark web. The leaked data included users' full names, birthdates, and home addresses. The online forum where he posted the data also contains additional information linking to the personal information of over 100,000 Chinese user profiles. It's not yet clear whether any of the leaked data has been used to attack or target specific individuals. However, after any data leak, victims are advised to take mitigation measures, including changing passwords, monitoring their credit, and strengthening accounts that link to financial institutions. These are all actions that can prove costly and time-consuming for any victim.

An attorney for the California plaintiffs shares with the Times, “Now when we look at data breaches, our first concern will be whether the information will be used to physically harass or harm people on a systematic, mass scale,” adding, “The standard for when a company acts reasonably to protect data is now a higher one, at least for the type of data that can be used in this manner.”

23andMe has pushed back against the lawsuits and claims that it is not fully to blame for the leaked data.

The company has publicly said that users are in part to blame because they may have failed to safeguard their login information both on 23andMe and other platforms. “Users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe,” the company defended in a letter to victims. “The incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures.”

The letter goes on to push back against the alleged violations of the CPRA, CMIA, and GIPA. It argues that any data potentially collected during the breach cannot be used to cause harm, as it is limited to generic PII.

The letter also argues that no “medical information” about users was disclosed without permission, and that as such a violation of the CMIA could not have occurred.

The letter further pushes back against claims that the GIPA was violated, stating, “23andMe does not believe that the Illinois law applies here. But even if Illinois law were to apply, plaintiffs’ claims are meritless. Your letter alleges that 23andMe violated GIPA because of 23andMe’s alleged failure to safekeep plaintiffs’ ‘genetic information,’ but, as set forth above, the incident was a result of users’ failure to safeguard their own account credentials, for which 23andMe bears no responsibility.”


Nadia El-Yaouti
Nadia El-Yaouti is a postgraduate from James Madison University, where she studied English and Education. Residing in Central Virginia with her husband and two young daughters, she balances her workaholic tendencies with a passion for travel, exploring the world with her family.