> Huge HIPPA violation as well.

It's HIPAA.

IANAL: And unless 23andMe meets the HIPAA definition of a "covered entity", which I'm not sure they do, they're not going to be covered by HIPAA.

Right but the hackers are not covered entities.

That's not how HIPAA works. 23andme would be, or would not be, the covered entity, and the entity bound by HIPAA.

I dunno, they offer blood tests ordered by a clinician. That probably creates a covered entity.. then the hackers get the phi data, they for sure do not have a business associates agreement with 23andme. May only matter for the blood draws.