Attorney General Slams Company’s Security Measures as “Lax” Over Failed Breach Investigations
California Attorney General Rob Bonta filed a lawsuit on May 28, 2026, against Chrome Holding Co., the company formerly known as 23andMe. The legal action follows a 2023 data breach that compromised the sensitive personal and genetic information of nearly 7 million users across the United States.
The lawsuit, filed in San Francisco Superior Court, specifically highlights the impact on California residents, noting that 855,541 individuals in the state were affected by the breach.
The compromised information included highly sensitive genetic data, such as health conditions, genetic predispositions, and risk factors. The breach also exposed data related to biological relatives, ancestry, and ethnicity.
Allegations of Security Failures
According to the complaint, Chrome Holding Co. failed to implement and maintain reasonable security procedures to protect its customers’ most sensitive data. The Attorney General alleges that while the company publicly promoted its commitment to transparency and data privacy, it did not take reasonable measures to secure its systems.

The investigation conducted by the Attorney General’s office found that the company ignored known vulnerabilities within its systems. The lawsuit claims the company failed to properly investigate or respond to numerous warnings that its systems had been compromised.
Beyond the technical failures, the state alleges that the company misled both the public and its customers regarding crucial aspects of the 2023 data breach, specifically concerning the severity of the event.
23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach. Our investigation found that the company failed to take basic steps to protect users’ data — data including the sensitive personal information, family histories, and health conditions of consumers,
Attorney General Rob Bonta
Regulatory and Legal Context
The lawsuit asserts that the company’s failure to meet its obligations under California law to protect consumer information was unlawful. The focus of the legal action is the intersection of cybersecurity negligence and the failure to provide honest disclosures to affected users.
The genetic data involved in the breach is considered particularly sensitive because it encompasses not only the individual user’s health risks and family histories but also information that can impact biological relatives.
The Attorney General’s office maintains that the company’s inability to act on warnings of compromise and its subsequent misleading statements regarding the breach’s scope constitute a significant failure in corporate responsibility toward consumer privacy.
