In October of 2023, a hacker claimed online that they had 23andMe users’ profile information. We know this as a result of 23andMe’s required statement to the U.S. Securities and Exchange Commission (SEC) on December 1, 2023.
Although only a very small number of accounts are believed to have been fully accessed at this time (roughly 0.01% of accounts), millions of people’s ancestry profile information has been compromised. 23andMe estimates that roughly 5.5 million “DNA Relatives” profile files were accessed, and 1.4 million users had their DNA Relatives feature accessed. Additionally, some health-related information based on the users’ genetics was also accessed.
A key concern arising from this breach is that identities can be stolen with the information gathered by the hacker. This can lead to fraudulent tax returns being filed and credit cards being opened in people’s names, to name just a few potential results. Often, this information goes up for sale on the “dark web,” where it will be disseminated and remain available (likely) forever.
Since October, when the news first broke but the extent of the breach was unknown, dozens of proposed class actions have been filed against 23andMe in California federal courts. This is because California was the first state in the country to provide a private cause of action to consumers for data breaches that exposed their sensitive personal information. This private right of action is a key provision in the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, and allows California residents whose personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices” to seek damages of $100 to $750 per incident.
In Pennsylvania, the Pennsylvania Supreme Court case of Dittman v. UPMC, 649 Pa. 496, 196 A.3d 1036 (2018), may guide forthcoming lawsuits in the Keystone State as a result of this data breach and others.
In Dittman, the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC) suffered a data breach that led to the disclosure of personal and financial information of 62,000 current and former UPMC employees. The information included the employees’ names, birth dates, Social Security numbers, addresses, tax forms, and bank account information.
A group of these employees filed a class action in Pennsylvania state court against UPMC asserting claims for negligence and breach of an implied contract. The employees’ negligence claim focused on UPMC’s alleged breach of the duties to protect their personal and financial information and ensure the security of their information in light of their special relationship with UPMC. The employees alleged that UPMC failed to adopt, implement, and maintain adequate security measures to safeguard employees’ information and timely recognize that the employees’ information had been compromised. Importantly, the employees further asserted that they incurred damages relating to fraudulently filed tax returns and are now “at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”
Although Dittman is clearly different from the 23andMe breach, 23andMe requires the disclosure of genetic information to obtain its services. It remains to be seen whether creative plaintiffs’ lawyers will attempt to recover from businesses that suffer data breaches in Pennsylvania under the negligence theory.
If your company suffers a data breach, do not hesitate to reach out to Senior Attorney Corey Bauer, a data privacy and cybersecurity litigation attorney at Houston Harbaugh. These events are time-sensitive and often involve numerous statutory requirements in addition to potential liability.