healthcare · BleepingComputer
23andMe (now operating under The TTAM Research Institute) has agreed to pay $18 million to settle claims from 43 state attorneys general following its October 2023 data breach. The breach, caused by credential-stuffing attacks that persisted from April to September 2023, compromised the genetic data of 6.9 million customers, with portions later offered for sale on the dark web. Investigators found the company lacked foundational security controls including password blocklisting, multifactor authentication, rate limiting, and intrusion detection monitoring. The company also failed to address unusual login activity and remediate known vulnerabilities, and initially denied the breach before blaming customers' password practices.
For Omniware's healthcare and fintech buyers, this settlement underscores regulatory expectations around sensitive personal data protection. Healthcare providers and genetics-related SaaS platforms subject to HIPAA, state privacy laws, and emerging frameworks like NYDFS must implement baseline defenses—MFA, rate limiting, anomaly detection—and maintain documented vulnerability management and incident response protocols. The multi-state enforcement action and parallel class-action exposure demonstrate that regulators now scrutinize not just breach occurrence but the preventable control gaps that enabled it. An Omniware engagement can scope data security readiness, access control architecture, and monitoring maturity specific to your regulated data sets.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/23andme-to-pay-18-million-in-new-genetics-data-breach-settlement/
Source: BleepingComputer
All briefings