23andMe Should Have Honored Its Duty to Safeguard PII, Says Class Action
Personally identifiable information (PII) from 23andMe’s DNA Relatives feature is “now in the hands of criminal hackers,” said a privacy class action Tuesday (docket 3:23-cv-05464) in U.S. District Court for Northern California in San Jose.
The genetic testing company announced this month that it had been hacked, compromising the names, gender, date of birth, genetic ancestry results, profile photos and geographical location of some DNA Relatives customers who “recycled login credentials” with usernames and passwords that a threat actor may have accessed “without authorization.”
Plaintiff Harold Velez, a Florida resident and 23andMe customer since 2020, was required to turn over his PII prior to receiving services from the company, which, based on saliva samples provided by customers, studies an individual’s genome to create personalized genetic reports used for ancestry tracing and genetic health risks. Velez noted the company’s privacy policy promises to maintain the confidentiality of customers’ PII to ensure compliance with federal and state laws. It also states it encrypts all sensitive information and conducts “regular assessments to identify security vulnerabilities and threats,” it said.
The privacy and display settings for DNA Relatives state that it is an optional feature that allows customers to “find and connect with other DNA Relative participants”; that “other 23andMe users will not be able to see you as a match unless you opt in . . . and you will not be able to view your matches in DNA Relatives unless you consent to participate”; and that “you have multiple privacy options to suit your individual preferences,” the complaint said. As a condition of receiving its services, 23andMe requires that plaintiff and class members “entrust it with highly sensitive PII,” the complaint said.
By collecting, using and deriving a benefit from Velez’s PII, 23andMe assumed legal duties and should have known that it was responsible for protecting that PII against “unauthorized disclosure,” said the complaint. The plaintiff wouldn’t have trusted the company with his PII if he had known 23andMe “would fail to implement industry standard protections for that sensitive information.”
In a website post Oct. 6, 23andMe told customers that “customer profile information that they opted into sharing through our DNA Relatives feature, was compiled from individual 23andMe.com accounts without the account users’ authorization,” said the complaint. After learning of “suspicious activity,” 23andMe began an investigation, saying, “We believe threat actors were able to access certain accounts in instances where users recycled login credentials -- that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked.”
In an Oct. 9 update, the company encouraged customers “to take additional actions” to keep their account and password secure. “Out of caution,” the company said it was requiring customers to reset their passwords and is encouraging the use of multifactor authentication. Velez called that an “acknowledgment” that plaintiff and class members face an imminent threat of “fraud and identity theft.” In a Friday update, 23andMe said it had “temporarily disabled” certain features within the DNA Relatives tool “as an additional precaution to protect the privacy of our customers.”
Despite the prevalence of high-profile public announcements of data breaches and data security compromises, and “despite its own acknowledgment of its duties to keep PII private and secure,” 23andMe “failed to take appropriate steps to protect” Velez’s and class members’ PII from being compromised, the complaint said.
The class action alleges negligence, breach of implied contract, invasion of privacy and unjust enrichment. Velez seeks a declaration that 23andMe’s existing security measures don’t comply with its duties to provide “reasonable security procedure and practices appropriate to the nature of the information to protect customers’ PII” and that to comply it must maintain reasonable security measures. Among the procedures listed are regular testing of systems, creating firewalls, buying credit monitoring for plaintiff and class members and “meaningfully educating” them about threats they face and steps they must take to protect themselves.
Velez seeks equitable relief requiring restitution and disgorgement of revenues 23andMe wrongfully retained as a result of its wrongful conduct; lifetime credit monitoring services for plaintiff and the class; awards of actual, compensatory, statutory and punitive damages; pre- and post-judgment interest; and attorneys’ fees and costs.
A 23andMe spokesperson emailed Wednesday that the company doesn’t discuss litigation. He added: “We do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.” The company’s “ongoing investigation indicates threat actors were able to access certain accounts in instances where users recycled login credentials -- that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” he said.