23andMe Hack: The Legal Fallout From the Breach and What it Means in PA

Houston Harbaugh, P.C.

In October of 2023, a hacker claimed online that they had 23andMe users’ profile information. We know this as a result of 23andMe’s required statement to the U.S. Securities and Exchange Commission (SEC) on December 1, 2023.

Although only a very small number of accounts are believed to have been fully accessed at this time (roughly 0.01% of accounts), millions of people’s ancestry profile information has been compromised. 23andMe estimates that roughly 5.5 million “DNA Relatives” profile files were accessed, and 1.4 million users had their DNA Relatives feature accessed. Additionally, some health-related information related to the users’ genetics was accessed.

A key concern arising from this breach is that identities can be stolen with the information gathered by the hacker. This can cause fraudulent tax returns to be filed and credit cards opened in people’s names, just to name a few potential results. Often, this information goes up for sale on the “dark web” where it will disseminate and be available (likely) forever.

Since October, when the news first broke but the extent of the breach was still unknown, dozens of proposed class actions have been filed against 23andMe in California federal courts. This is because California was the first state in the country to provide a private cause of action to consumers for data breaches that exposed their sensitive personal information. This private right of action is a key provision in the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, and allows California residents whose personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices” to seek damages of $100-$750 per incident.

In Pennsylvania, the 2018 Pennsylvania Supreme Court case of Dittman v. UPMC, 649 Pa. 496, 196 A.3d 1036 (2018), may guide forthcoming lawsuits in the Keystone State arising from this data breach and others.

In Dittman, the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) suffered a data breach that led to the disclosure of personal and financial information of 62,000 current and former UPMC employees. The information included the employees’ names, birth dates, Social Security numbers, addresses, tax forms, and bank account information.

A group of these employees filed a class action in Pennsylvania state court against UPMC asserting claims for negligence and breach of an implied contract. The employees’ negligence claim focused on UPMC’s alleged breach of the duties to protect their personal and financial information and ensure the security of their information in light of their special relationship with UPMC. The employees alleged that UPMC failed to adopt, implement, and maintain adequate security measures to safeguard employees’ information and timely recognize that the employees’ information had been compromised. Importantly, the employees further asserted that they incurred damages relating to fraudulently filed tax returns and are now “at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

Although the facts of Dittman clearly differ from the 23andMe breach, 23andMe likewise requires the disclosure of sensitive information, in its case genetic information, to obtain its services. It remains to be seen whether creative plaintiffs’ lawyers will attempt to recover under the negligence theory from businesses in Pennsylvania that suffer data breaches.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Houston Harbaugh, P.C. | Attorney Advertising
