NewsNation

Ashkenazi Jews targeted in 23andMe data breach. What now?

FILE - This undated image made available by the National Human Genome Research Institute shows the output from a DNA sequencer. The much-heralded Human Genome Project was a huge milestone for science, but most of that genetic blueprint came from one man from Buffalo, N.Y. On Wednesday, May 10, 2023, scientists announced they have sequenced the genomes of 47 people from around the world, allowing scientists to be able to look at what's normal and what's not across people and learn more about what genes do and what diseases genetic problems may cause. (NHGRI via AP, File)

(NewsNation) — Genetic testing company 23andMe is facing lawsuits after a data breach targeting those with Ashkenazi Jewish heritage. If you’ve used the company, here’s what you need to know about the breach and how to protect yourself.

What happened with the data breach?

The company admitted to a data breach after a hacker appeared online offering to sell 23andMe user information on the dark web. The information appeared to include around a million users, with Ashkenazi Jews specifically targeted, according to the hacker.


In addition to genetic information, the data included personal identifying information like names, geographic locations and photos.

What is 23andMe doing to protect users?

The company is requiring all users to reset their passwords after the breach and set up multifactor authentication. The company has also promised to notify individual users whose information was compromised.

How is genetic data protected?

Consumer genetic testing does not fall under the Health Insurance Portability and Accountability Act (HIPAA), which requires certain cybersecurity practices be used to protect data.

In addition to falling outside HIPAA's protections, 23andMe and other companies may also be required to disclose data to law enforcement. While the company has said it uses all available resources to fight law enforcement requests, it can be compelled by a court to disclose data in some cases.

What can I do if my account was compromised?

The first thing to do is to reset your password and set up multifactor authentication. You can also request 23andMe delete your data entirely if you don’t want to risk future breaches.

It’s also a good idea to set up secure passwords for other sites you use, especially if you used the same password there as for your 23andMe login. The company believes the data was obtained through a practice called “credential stuffing,” in which hackers use credentials from another site to get into a user’s account.

For security, passwords should never be reused on different sites because hackers can get into your other accounts if one is compromised.

What are the risks of sharing genetic information?

In addition to the risk of being compromised by hackers or used by law enforcement seeking to connect a user or their relatives to a crime, data from consumer testing could also potentially be used by an employer or insurance provider to discriminate against someone.