Patrick Capstick and a multitude of plaintiffs have filed a lawsuit against the biotechnology company 23andMe, Inc., accusing it of failing to protect their sensitive genetic information. The complaint was lodged on November 7, 2024, in the Superior Court of California, Santa Clara County. This legal action follows a significant data breach that compromised millions of customers' private information.
The lawsuit centers around an October 6, 2023 announcement by 23andMe that unauthorized actors had accessed customer accounts and obtained personal identifying information (PII), including names, birth dates, genetic ancestry, and more. Plaintiffs argue that this breach was due to the company's negligence in implementing adequate cybersecurity measures. They allege that despite knowing the risks associated with storing such sensitive data, 23andMe failed to secure it properly. The plaintiffs claim this oversight led to their PII being stolen and offered for sale on the dark web.
The plaintiffs accuse 23andMe of violating several laws, including the Illinois Genetic Information Privacy Act (GIPA), negligence, breach of contract (both actual and implied), invasion of privacy through intrusion upon seclusion, and unjust enrichment. They assert that the company’s failure to maintain robust security protocols not only breached its duty of care but also violated promises made in its privacy policy. "Privacy is in our DNA," advertised by 23andMe, is cited as a misleading assurance given their alleged lax security practices.
As a result of these alleged failures, plaintiffs claim they have suffered various harms such as identity theft threats, loss of time and money spent mitigating these effects, diminished value of their PII, and ongoing vulnerability to future cyberattacks. They are seeking damages under GIPA—$2,500 per negligent violation or $15,000 per intentional or reckless violation—as well as compensatory damages for other claims. Additionally, they request injunctive relief requiring 23andMe to enhance its data protection measures significantly.
Representing the plaintiffs are attorneys from Potter Handy LLP: Mark Potter, Barry Walker, Jim Treglio, Christina Carson, and Tehniat Zaman. The case is being overseen by Judge J. Nguyen under Case ID: 24CV451257.