Genetic testing company 23andMe is among the latest corporate targets of state attorney general enforcement in the wake of a data breach. The Connecticut Attorney General’s investigation into 23andMe arises as several state attorneys general are increasingly prioritizing investigations and enforcement in the cybersecurity and data privacy arena.
State Attorney General enforcement of data breach and data security matters generally
Through their roles as consumer protection enforcers, state attorneys general have asserted broad enforcement authority over data breach and data security matters in their respective jurisdictions. In addition, more than a dozen states have enacted or are close to passing comprehensive state privacy laws, some of which have already and others that are due to take effect over the next few years. States also have separate data breach notification statutes that require companies to notify state attorneys general and other authorities after a breach occurs.
The 23andMe data breach and its aftermath
After 23andMe disclosed the unauthorized access of “customer profile information” shared through its “DNA Relatives” feature, Connecticut Attorney General William Tong sent the company a letter on October 30, 2023, regarding 23andMe’s compliance with the state’s recently adopted comprehensive consumer privacy law—the Connecticut Data Privacy Act (CTDPA), which vests the attorney general with exclusive authority to enforce the Act. The letter to 23andMe included fourteen (14) requests for information regarding the nature and extent of the data breach, the company’s response, and 23andMe’s policies and procedures regarding privacy and data security.
The nature of information stolen in the 23andMe data breach is likely at least one reason for Attorney General Tong’s inquiry. In addition to information, including l customers’ names and dates of birth, the attackers also stole certain 23andMe users’ genetic ancestry results. Attorney General Tong’s letter specifically references that the attackers who targeted 23andMe’s systems appear to have focused on data profiles pertaining to individuals with specific genetic heritages, including Ashkenazi Jews and those with Chinese ancestry. In AG Tong’s words:
“The increased frequency of antisemitic and anti-Asian rhetoric and violence in recent years means that this may be a particularly dangerous time for such targeted information to be released to the public,” he wrote. Indeed, private plaintiffs have alleged that following the breach, their exposed user data was advertised for sale on the “dark web.”
In December 2023, 23andMe completed its investigation of the incident and announced that the breach was achieved by “credential stuffing,” an increasingly common type of cyberattack in which threat actors attempt to infiltrate online accounts with usernames and passwords stolen from other unrelated sites. Attorney General Tong’s letter to 23andMe asserts that, even if achieved by “credential stuffing,” this would not absolve 23andMe of its responsibility to comply with Connecticut’s breach notification statute, which requires that notice be provided to the state AG and all affected state residents “without unreasonable delay” and no later than sixty (60) days after discovery of a breach of security. The letter further noted that as of October 30, 2023, 23andMe had “not submitted a breach notification pursuant to Connecticut’s breach notification statute[.]” Failure to provide proper notice can constitute a violation of the Connecticut Unfair Trade Practices Act (CUTPA).
Additional legal inquiries and civil litigation arising from the 23andMe breach
In addition to the Connecticut Attorney General’s investigation, 23andMe faces at least thirty (30) individual and putative class action lawsuits related to the data breach. In late December 2023, 23andMe requested that the federal cases be transferred to a multi-district litigation (MDL) for consolidated pre-trial proceedings.
The data breach has also attracted Congressional scrutiny. Ranking Member of the Senate Committee on Health, Education, Labor and Pensions (HELP), U.S. Sen. Bill Cassidy of Louisiana sent 23andMe a public letter expressing “significant concern” about the breach and requesting information from the company about its security protocols, privacy controls, discovery and response to the breach, and efforts to compensate affected users.
During a hearing on February 22, U.S. District Judge Edward Chen, who is presiding over the majority of the 35 lawsuits against 23andMe in the Northern District of California, indicated his intention to defer any decisions until the U.S. Judicial Panel on Multidistrict Litigation determines whether to consolidate the cases into multidistrict litigation. The panel has slated the cases, which 23andMe seeks to have transferred to California's Northern District, for consideration during its March 28 hearing in Charleston, South Carolina.
Looking ahead
Recent healthcare data breach investigations and related settlements pursued by state attorneys general offer some indication as to where Attorney General Tong’s investigation may lead. In November 2023, New York Attorney General Letitia James secured a $450,000 settlement from a nationwide radiology provider for failing to protect more than 92,000 New York patients’ personal and health care data. The information stolen in a ransomware attack included medical information such as patient IDs, health insurance ID numbers, dates of service, provider names, types of radiology exams, and diagnoses. Similarly, in October 2023, thirty (30) state attorneys general (including Attorney General Tong) announced a settlement with Inmediata over the exposure of the health information of 1.5 million consumers. The settlement resolved the states’ allegations that Inmediata violated HIPAA and state breach notification laws.
Outside of the health care context, state attorneys general investigations of data breaches have resulted in multi-million-dollar settlements. For example, in November 2023, Attorney General Tong and the Attorneys General of New York, Florida, Indiana, New Jersey, and Vermont announced a $6.5 million settlement with a major financial institution for negligent internal data security practices that compromised customer personal information. Like this breach, the 23andMe incident involves millions of affected customers.
As cybersecurity threats become more prevalent and threat actors use increasingly sophisticated modes of attack, state attorneys general are ramping up their enforcement activity. On December 6, 2023, several state attorneys general announced they had signed Memoranda of Understanding with the Federal Communication Commission’s Privacy and Data Protection Task Force to share expertise and resources and coordinate efforts in conducting privacy, data protection, and cybersecurity-related investigations. The FCC Task Force, led by the Chief of the FCC’s Enforcement Bureau, offers partner states like Connecticut, Illinois, New York, and Pennsylvania, the expertise of the FCC’s enforcement staff and additional resources to support investigations by state attorneys general. This promise of increased interagency cooperation will likely bolster the investigatory bandwidth and ability of state attorneys general to respond swiftly to future data breaches with investigations and enforcement actions.
Data breaches, including those involving healthcare data, are a concerning trend that shows no signs of abatement. For example, on December 27, 2023, Transformative Healthcare filed a notice of data breach with the Attorneys General of Maine and Montana after discovering that an unauthorized party accessed over 900,000 customers’ medical information related to the company’s former subsidiary, Fallon Ambulance Services. As we enter 2024, cybersecurity incidents like the 23andMe breach will likely invite scrutiny from state attorneys general asserting expanded legal and investigatory power. Over the past few months, state attorneys general have announced multiple settlements with entities that suffered cybersecurity incidents, such as Inmediata, which resolve allegations related to purported inadequate data security controls and processes.
