California’s attorney general has filed a lawsuit against 23andMe over the 2023 data breach that exposed sensitive customer genetic and health information. The complaint alleges that the genomics company failed to implement reasonable security measures to protect millions of users’ personal data, in violation of the California Consumer Privacy Act (CCPA) and related state data protection laws. The breach, disclosed in October 2023, began with credential stuffing: attackers reused passwords exposed in unrelated breaches to log in to roughly 14,000 customer accounts, then used the opt-in DNA Relatives feature to scrape profile data belonging to about 6.9 million users. The exposed information includes highly sensitive details such as ancestry, relative matches and, for some users, health-related genetic information, all of which carries lasting privacy and security implications because genetic data cannot be changed or reissued once it leaks. The incident has intensified concerns about the security practices of direct-to-consumer genetic testing services, which hold large volumes of genetic and health-related data.

According to the lawsuit, 23andMe failed to perform adequate risk assessments and neglected essential encryption and access controls, leaving customer data exposed to attack. The attorney general’s office contends that the company’s security measures did not meet industry standards or state regulatory requirements, and that the breach could have been avoided with appropriate safeguards. A spokesperson for the California Department of Justice emphasized that companies handling sensitive personal and health information must maintain stringent security controls to prevent unauthorized access and protect consumer privacy. The legal action underscores the need for accountability in handling genetic and health data.


The lawsuit seeks injunctive relief compelling 23andMe to improve its data security practices, monetary penalties under the CCPA, and notification of affected consumers. It also reflects the growing regulatory scrutiny of companies that collect and process genetic and health data, particularly in states such as California with robust privacy frameworks. For chief information security officers and security technology buyers, the case shows why rigorous data protection controls must be built into any platform that handles genetic or health information. The consequences of the breach serve as a warning to organizations that underestimate the risks of genomic and health data, which demand not only compliance with privacy laws but also security standards well above the baseline.


Vendors offering security products for environments that handle sensitive data may see increased demand for strong authentication, identity and access management, and continuous monitoring. One caveat for buyers: in a credential-stuffing incident like this one, encryption at rest protects nothing, because the attacker logs in as a legitimate user. The controls that would have mattered are mandatory multi-factor authentication, rate limiting and anomaly detection on login, and limits on how much data a single authenticated account can pull through features such as DNA Relatives. Organizations must also invest in proactive risk assessments and incident response planning to limit the impact of breaches involving highly sensitive personal data. The 23andMe incident shows that lapses in data security lead to significant legal and reputational damage in a regulatory landscape that increasingly demands accountability and transparency.

Source: bleepingcomputer.com