Follow
As incident response and public relations go, blaming victims for your breach is generally not an impressive strategy. Michael Edgar reports that 23andMe seems to be doing exactly that. Read more at https://www.digit.fyi/23andme-says-breach-victims-are-to-blame-legal-action-is-futile/ or you may want to first read 23andMe's letter in which they claim that no breach occurred, but if it occurred, it's been remediated, and 23andMe didn't violate CMIA or GIPA either:
https://www.documentcloud.org/documents/24252535-response-letter-to-tycko-zavareei-llp