Bankruptcy Court Ruling Limits California’s Legal Claims Over 2023 Data Breach
A U.S. bankruptcy judge has ruled that California cannot seek financial damages from the company that succeeded 23andMe over the genetic testing firm’s massive 2023 data breach, dealing a setback to the state’s efforts to hold the company financially accountable. The decision stems from 23andMe’s Chapter 11 bankruptcy reorganization, which shields its successor company from monetary claims while still allowing certain non-financial legal remedies.
The ruling affects California Attorney General Rob Bonta’s lawsuit, which accused the former genetic testing company of failing to adequately protect sensitive customer information and downplaying the severity of the cyberattack that exposed data belonging to approximately 6.9 million customers.
Bankruptcy Protection Limits State’s Claims
U.S. Bankruptcy Judge Brian Walsh ruled that California cannot pursue monetary relief against Chrome Holding Co., the legal successor to 23andMe, because the company’s Chapter 11 reorganization plan prevents such claims.
However, the judge clarified that California may continue pursuing non-monetary remedies, such as court orders requiring compliance with privacy laws or other corrective measures. The state has been given 14 days to either dismiss its lawsuit or amend it by removing claims for financial damages.
California’s Lawsuit Focused on Data Privacy
California filed its lawsuit in May 2026, alleging that 23andMe ignored warning signs that its systems had been compromised and failed to take sufficient steps to protect highly sensitive genetic information.
The state also claimed the company minimized the seriousness of the breach after it became public and sought potentially millions of dollars in civil penalties for alleged violations of California privacy laws.
What Happened in the 2023 Data Breach?
The cyberattack targeted customer accounts using stolen login credentials, exposing the personal and genetic information of nearly 6.9 million users.
Compromised information included:
- Genetic profile information
- Family relationship data
- Ancestry information
- Personal account details
- Other sensitive customer records
The incident became one of the most significant data breaches involving genetic information in recent years, raising widespread concerns about consumer privacy and cybersecurity.
Bankruptcy Restructuring Changed the Company’s Ownership
23andMe filed for Chapter 11 bankruptcy protection in March 2025, citing mounting legal liabilities, increased competition, and declining demand for its genetic testing services.
Later that year, the company’s assets were acquired for approximately $305 million by TTAM Research Institute, a nonprofit organization controlled by 23andMe co-founder Anne Wojcicki. The business now operates under Chrome Holding Co. as part of its reorganization.
Customer Compensation Continues
Although California’s request for financial penalties has been blocked, customers affected by the breach continue to receive compensation through the bankruptcy process.
Earlier this week, Judge Walsh approved an additional $32.46 million in payments, bringing the total approved compensation for affected customers to $46.75 million. The settlement aims to resolve the majority of claims filed by individuals whose personal information was compromised.
Privacy and Data Security Remain in Focus
The case highlights the growing importance of cybersecurity and data protection for companies handling sensitive personal information.
Organizations that collect genetic or health-related data are expected to maintain robust security measures, including:
- Multi-factor authentication
- Strong password protections
- Continuous network monitoring
- Rapid breach detection
- Transparent customer notifications
The lawsuit also underscores the legal challenges companies may face when cybersecurity incidents expose highly sensitive consumer information.
Legal Implications of the Ruling
While the bankruptcy court protected the reorganized company from financial liability in California’s lawsuit, the ruling does not eliminate broader concerns surrounding corporate responsibility for data protection.
Legal experts believe the decision demonstrates how bankruptcy proceedings can significantly affect ongoing litigation by limiting the types of claims that creditors and government agencies can pursue after a company’s restructuring.
Looking Ahead
The court’s decision marks an important development in the legal aftermath of the 2023 23andMe data breach. Although California can continue pursuing certain non-monetary remedies, its effort to obtain financial penalties against the company’s successor has been blocked by the bankruptcy court.
Meanwhile, compensation for affected customers continues through the approved settlement process, while the case is expected to remain closely watched as a significant example of how bankruptcy law intersects with privacy enforcement and corporate cybersecurity obligations.






