California Attorney General Rob Bonta filed a civil lawsuit against Chrome Holding Co. — the successor entity to 23andMe following its 2026 Chapter 11 bankruptcy and asset sale — over the company’s 2023 data breach that exposed genetic health data, ancestry information, and health predisposition reports for millions of users.
California AG’s Lawsuit Targets 23andMe Successor Chrome Holding Co. for 2023 Breach
The suit, filed by AG Bonta, alleges that 23andMe failed to implement adequate security measures ahead of the 2023 breach, was slow to detect and disclose the incident once it occurred, and made misleading public statements that downplayed the scope and severity of the exposure. The 2023 breach exposed DNA information, ancestry data, and health predisposition reports — among the most sensitive categories of personal information, because genetic data is both uniquely identifying and permanent. Unlike a compromised password, genetic information cannot be changed after exposure.
How the 23andMe Lawsuit Survived Chapter 11 Bankruptcy and the Asset Sale to Chrome Holding Co.
23andMe filed for Chapter 11 bankruptcy protection in 2026 and sold its assets to new ownership, which rebranded as Chrome Holding Co. California’s legal action has carried forward against the successor entity. The continuation of the lawsuit through a bankruptcy and ownership transfer is significant: it signals that state regulators view data breach liability as an obligation that follows a company’s data assets, not one that can be extinguished through corporate restructuring. Acquirers of data-breach-exposed companies now face the prospect of inheriting unresolved regulatory enforcement actions alongside the data itself.
The Irrevocable Nature of Genetic Data Exposure and Why the 23andMe Breach Carries Lasting Risk
Genetic data exposure carries a different risk profile than most categories of personal information. A breached password can be reset, a compromised credit card replaced, a leaked address changed. Genetic data — DNA sequences, ancestral composition, health predisposition markers — cannot be altered, and it identifies not only the individual but their biological relatives as well. The 2023 23andMe breach affects all users whose data was included regardless of whether they are currently active customers, and the risk associated with that exposure persists indefinitely.
Precedent for Data Breach Liability Through Corporate Transactions
The California AG’s decision to pursue Chrome Holding Co. rather than accepting that liability was discharged in the bankruptcy establishes a potential precedent for how state regulators approach data breach liability in M&A and distressed asset transactions. Companies acquiring data-rich assets from breached predecessors may face due diligence obligations that extend to assessing unresolved regulatory exposure — and the regulatory appetite to pursue enforcement even after ownership changes hands.
