bytevyte
bytevyte
Language
quick-beats

23andMe Data Breach Settlement: States Win $18 Million Over 6.9 Million Genetic Records Exposed

23andMe data breach settlement

Forty-three state attorneys general have secured an $18 million 23andMe data breach settlement over the October 2023 incident that exposed the genetic profiles of 6.9 million customers worldwide. New York Attorney General Letitia James led the multistate investigation that uncovered the genetic testing company's failure to implement basic security safeguards before the breach occurred.

The investigation revealed that 23andMe did not activate multifactor authentication, lacked tools to detect a breach in progress, and failed to respond to unusual login patterns from the credential-stuffing attack that compromised user accounts. Attackers used stolen passwords from other sites to gain access to 23andMe accounts over several months, extracting ancestry results, ethnicity estimates, health predisposition reports, and family tree data. The multistate probe determined that these failures constituted violations of consumer protection and data security laws.

Washington state will receive roughly $547,000 from the settlement, while North Carolina's share exceeds $666,000. Pennsylvania and New Jersey are each entitled to more than $400,000. Consumers will not receive direct payments from this multistate agreement. The funds will instead support state consumer protection investigations and enforcement programs.

The state settlement runs parallel to a separate class-action agreement approved earlier this month. On July 7, 2026, U.S. Bankruptcy Judge Brian Walsh in St. Louis approved a $46.75 million payout from Chrome Holding, the entity that acquired 23andMe after the company filed for bankruptcy last year. That settlement, reduced by $14.29 million already distributed, goes directly to affected customers whose most sensitive personal information was exposed.

The allowed claims against the bankrupt company totaled $150 million, but the finite bankruptcy funds limited actual recovery to the $18 million figure negotiated by the attorneys general. The breach proved fatal to the company, which entered bankruptcy proceedings after losing customer trust and facing mounting legal costs. The state settlement is one of the larger multistate data breach agreements reached with a defunct company.

Why This Matters

For the millions of people who submitted DNA samples to 23andMe, the 23andMe data breach settlement is a reminder that genetic data carries risks most personal information does not. It cannot be changed like a compromised password. The multistate action sends a signal to any company handling biometric or health data that basic security measures like multifactor authentication are not optional. Regulators are prepared to pursue accountability even after a company collapses, and the case establishes a benchmark for how genetic data must be protected under state consumer protection laws.

✦AI Quality Certified


Researched and cross-referenced against primary sources by the Bytevyte editorial team.