Last Update: 06/03/2026 at 4:25 AM EST
California Data Breach Liability Battles
Coverage from Bloomberg Law, Reuters, and others
Articles
32
Latest Article
06/02
Active Days
20
Executive Summary
California privacy litigation is being shaped by two active breach tracks: a Supreme Court ruling that refines student-data breach claims under CMIA and the Customer Records Act, and a state lawsuit against 23andMe over the handling of sensitive genetic data. The legal signal is strong and current, with disputes over pleading standards, statutory coverage, and who can be sued after a breach.
Key Points
- California's Supreme Court has clarified that CMIA breach claims do not require proof that an unauthorized person actually viewed exposed medical information.
- The same ruling narrows who counts as a covered provider and limits Customer Records Act standing in school-vendor breach cases.
- Illuminate Education remains the key defendant for student-data breach liability and statutory interpretation in California.
- A separate enforcement track targets 23andMe's handling of genetic data, with the California Attorney General alleging weak security, delayed detection, and misleading breach communications.
- The 23andMe matter involves large-scale exposure of identity-linked genetic and health information, including allegations of dark-web resale and account-takeover risk.
- Bankruptcy proceedings add another layer of uncertainty in the 23andMe dispute by challenging whether California claims can proceed outside the plan process.
- The cluster is dominated by litigation and enforcement rather than new privacy legislation, suggesting a steady focus on how existing laws apply to breach events.
Featured Article
Rob Bonta filed suit in San Francisco Superior Court against Chrome Holding Co., formerly 23andMe, over a 2023 genetic data breach affecting millions of users.
Coverage Timeline: 20 Days
Hover over any logo to see coverage summary, click for full article.
Additional Articles
⭐⭐⭐⭐⭐
Rob Bonta sued 23andMe in San Francisco Superior Court in 2026 over a 2023 breach exposing genetic and other personal data for millions of customers.
Rob Bonta sued Chrome Holding Co. in California over a 2023 breach allegedly exposing millions of users' genetic data through credential stuffing and the DNA Relatives feature.
Rob Bonta filed a civil lawsuit in San Francisco Superior Court in the 2020s accusing Chrome Holding Co. of insufficient security after a 2023 23andMe breach exposed nearly seven million users.
California Attorney General Rob Bonta sued 23andMe in the 2020s over a 2023 genetic data breach, alleging inadequate security, delayed detection, and misleading customer messaging.
Rob Bonta sued 23andMe in San Francisco Superior Court in 2024, alleging inadequate safeguards after a 2023 genetic data breach exposed millions of customers.
California Attorney General Rob Bonta sued Chrome Holding Co. in San Francisco over alleged security failures in a 2023 breach exposing ancestry and genetic data sold on the dark web.
California Attorney General Rob Bonta sued 23andMe in 2026 over a 2023 breach exposing genetic and health data of about 6.9 million customers.
Attorney General Rob Bonta announced a California lawsuit against Chrome Holding Co over a 2023 breach of genetic and ancestry data that expanded through DNA Relatives scraping.
Rob Bonta filed a California lawsuit against 23andMe in 2024 alleging security failures behind a 2023 genetic data breach affecting about 7 million customers.
California Attorney General Rob Bonta filed a 2023-genetic-breach lawsuit against 23andMe in California, alleging insecure systems, credential stuffing exposure, and dark-web sale of genetic data.
Rob Bonta sued Chrome Holding Co in California over a 2023 breach exposing genetic and personal data of about 855,000 residents via credential stuffing.
California Attorney General Rob Bonta sued 23andMe in San Francisco Superior Court in response to a 2023 genetic data breach affecting about 6.9 million U.S. customers.
Rob Bonta filed a lawsuit in San Francisco Superior Court against 23andMe on June 2024 over a 2023 breach impacting nearly seven million users, including 855,541 Californians.
California Attorney General Rob Bonta sued 23andMe in 2023 genetic data breach allegations involving credential stuffing and prolonged undetected access.
California Attorney General Rob Bonta sued 23andMe in San Francisco Superior Court in 2020s over a 2023 genetic data breach, seeking civil fines.
Rob Bonta sued 23andMe in San Francisco Superior Court in May 2025 over a 2023 breach exposing genetic and health information of about 6.9 million customers.
California Attorney General Rob Bonta sued Chrome Holdings in San Francisco Superior Court in connection with a 2023 23andMe breach exposing genetic data.
Rob Bonta filed a lawsuit in California against Chrome Holding Co. for alleged failures protecting genetic and ancestry data after a 2023 security incident.
California Attorney General Rob Bonta sued Chrome Holding Co. in San Francisco Superior Court in 2025 over a 2023 breach exposing about 6.9 million users' ancestry data.
On May 14, 2026, the California Supreme Court ruled in J.M. v. Illuminate Education, Inc. that CMIA breach pleading can rely on significant risk, while narrowing covered healthcare providers.
On May 14, 2024, the California Supreme Court ruled medical-record breach lawsuits can proceed without proof of actual viewing, focusing on significant risk of unauthorized access.
Rob Bonta sued 23andMe in California after a 2023 breach exposed genetic data for nearly 7 million people, including 850,000 Californians.
On May 14, 2026, the California Supreme Court in J.M. v. Illuminate Education replaced the CMIA actually-viewed defense with a significant-risk standard and narrowed customer-standing under the Customer Records Act.
California Supreme Court decided J.M. v. Illuminate Education on CMIA and CRA pleading standards after an educational technology data breach.
⭐⭐⭐
Rob Bonta sued 23andMe in California in connection with a 2023 data breach exposing nearly seven million users, including genetic data.
California sued a 23andMe successor after a 2023 breach, and bankruptcy administrators sought to stop the case in Missouri court.
California Supreme Court ruled a student data breach class action against Illuminate Education Inc. was inadequately pleaded under California medical and customer records privacy laws, then remanded for possible amendment.
Rob Bonta filed a California lawsuit in San Francisco Superior Court against 23andMe on breach-protection allegations affecting millions of customers.
Rob Bonta announced a California lawsuit against 23andMe alleging inadequate protection of sensitive personal information that preceded a 2023 data breach.
Supreme Court plans to file an opinion in J.M. v. Illuminate Education on vendor liability for disclosed student confidential medical and personal data after a breach.
California Attorney General Rob Bonta sued Chrome Holding in 2023 over allegations of negligent security and encryption practices tied to a 23andMe genetic data breach.