California AG Lawsuit Against 23andMe Highlights Genetic Data Privacy Risks for Healthcare

By MRAdmin

The 2023 Breach and Credential Stuffing Attack

In 2023, genetic testing company 23andMe suffered a data breach that compromised the personal and genetic information of approximately 6.9 million individuals, including over 855,000 California residents. The attack used credential stuffing, a technique in which stolen usernames and passwords from one platform (in this case, MyHeritage) are reused to access accounts on another. This allowed threat actors to mine sensitive genetic data from 23andMe’s DNA Relatives feature over a five-month period. The breach was only discovered when the stolen data appeared for sale on a dark web forum in October 2023.

Implications for Healthcare Organizations and Patient Data

For healthcare organizations, this case underscores the critical importance of protecting patient genetic and biometric data, which falls under PHI and is subject to HIPAA and state privacy laws. The California AG alleges that 23andMe failed to implement adequate security measures, such as multi-factor authentication or monitoring for credential reuse, which allowed attackers to exploit weak account hygiene. Healthcare entities handling genetic testing data, clinical trial records, or patient DNA samples should treat this as a warning: similar vulnerabilities in hospital patient portals, lab systems, or EHR platforms could expose highly sensitive patient data, leading to identity theft, discrimination risks, and regulatory penalties.

What This Means for Hospital CISOs and Compliance Officers

Hospital security leaders should review their authentication policies and ensure that credential stuffing protections such as multi-factor authentication, rate limiting, and breach monitoring are in place for all user-facing systems. The 23andMe case also highlights the risk of third-party data sharing agreements, as seen with the MyHeritage connection. Health systems should audit their vendor relationships and data flow agreements to ensure that patient data passed to labs, research partners, or genealogical services is subject to the same security standards. The $50 million settlement and AG lawsuit demonstrate that regulators are holding organizations accountable for genetic data breaches. Healthcare CISOs should proactively implement safeguards to avoid similar exposure of patient genetic information.

Source: Hipaajournal
