Skip to content

23andMe breach settlement limits recovery to $18 mn claims and payouts

23andMe breach settlement limits recovery to $18 mn

A U.S. bankruptcy judge ruled on July 10 that California cannot seek damages from the company formerly known as 23andMe over a 2023 data breach that exposed genetic and personal information tied to an estimated 6.9 mn customers.

U.S. Bankruptcy Judge Brian Walsh in St. Louis said 23andMe’s Chapter 11 reorganization plan bars the state from pursuing monetary relief against Chrome Holding Co. and an affiliate. California still has room to seek non-monetary remedies.

Maryland Attorney General Anthony G. Brown joined a coalition of 42 attorneys general in a settlement tied to 23andMe’s 2023 data breach, according to Beinsure. The breach exposed genetic data and other personal information linked to 6.9 mn customers worldwide.

Pennsylvanians also to benefit from $46 mn national class-action settlement. Attorney General Dave Sunday joined a coalition of 42 states announcing a $18 mn bankruptcy claim settlement with genetic testing company 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million consumers worldwide. 

Pennsylvania will receive $491,902. Nearly 200,000 Pennsylvanians were impacted by the data breach. 

“This company was trusted by millions of Americans to safeguard very private data and information, but failed to do so, learning about a data breach far too late, then pointing fingers at their own customers,” Attorney General said.

“I find it appalling that a company dealing with customers’ personal information would be so lax about their system protections, then have the audacity to deny and attempt to wash their hands of wrongdoing.”

The settlement followed 23andMe’s March 2025 bankruptcy filing and an agreement with the Office of the United States Bankruptcy Trustee.

Since the bankruptcy estate holds limited funds and faces many competing claims, the recovery reaches $18 mn. The parties expect payment from available bankruptcy funds immediately.

Brown said Maryland residents trusted 23andMe with personal data, including genetic and ancestry information. He said the company failed to protect those records and then blamed customers for the breach. His office said the settlement gives Maryland residents stronger protection for genetic information going forward.

Walsh ordered California to dismiss its May 28 lawsuit in San Francisco Superior Court within 14 days or amend the complaint and remove claims for monetary relief.

The ruling gives 23andMe a legal win and deals a setback to California Attorney General Rob Bonta. His office accused the company of ignoring warnings that its systems had been compromised and of playing down the scale of the breach.

Bonta sought civil fines that might have reached mn of dollars. His office did not immediately respond to requests for comment.

California argued that Congress did not give bankruptcy judges authority to block state-law enforcement actions in state courts. The attorney general said such rulings risk turning bankruptcy courts into a haven for wrongdoers.

Walsh rejected that argument. He wrote that 23andMe’s reorganization plan did not create such a haven, and even if California saw it that way, the state no longer had grounds to attack the plan through a separate lawsuit.

“Because the state was a party to the Chapter 11 case and was given a fair chance to challenge this court’s subject-matter jurisdiction, the state cannot challenge it now” by pursuing its lawsuit, Walsh wrote.

California filed its lawsuit four months after Walsh approved a fund to resolve most U.S. customer claims linked to the breach.

Walsh authorized a $32.46 mn payment in addition to $14.29 mn already distributed. The move brings total payouts to $46.75 mn.

Palo Alto, California-based 23andMe filed for creditor protection in March 2025. TTAM Research Institute, a nonprofit controlled by 23andMe co-founder Anne Wojcicki, bought the company’s assets for $305 mn last July.

In June, the bankruptcy plan administrator for the genetics-testing company formerly known as 23andMe agreed to pay $46.75 mn to victims under a settlement tied to the company’s data breach. The agreement seeks to resolve litigation that followed one of the largest consumer genetics data exposures in recent years.

Court records from the U.S. Bankruptcy Court for the Eastern District of Missouri show the plan administrator will pay $32.5 mn to settle consolidated class-action lawsuits.

The settlement forms part of the company’s broader bankruptcy process after 23andMe filed for Chapter 11 protection in March 2025.

Nearly $14.3 mn has already gone to Kroll, the settlement administrator. Court documents show cyber insurance policies funded about $13 mn of that amount.

Allied World Specialty Insurance Company, Tokio Marine HCC’s Houston Casualty Company, Berkshire Hathaway’s Landmark American Insurance Company, and various Lloyd’s underwriters issued cyber policies to 23andMe.

The latest settlement total represents a $3.25 mn reduction from the maximum amount under a January 2026 settlement on behalf of the claimant class. The class sought $48 mn in damages, though the court said that amount would expose the bankruptcy estates to prolonged, high-stakes litigation lasting months, or even years.

23andMe disclosed the breach in October 2023. The company said the incident affected 6.9 mn consumers, including 94,298 Maryland and 192,093 in Pennsylvania residents.

The exposed information included customer data and, in some cases, genetic ancestry details. Subsets of the stolen data later appeared for sale on the dark web.

Investigators said 23andMe learned about the breach months after affected personal information had become public. The company first declined responsibility, then argued customers mishandled their passwords.

The breach later showed links to passwords compromised years earlier in a MyHeritage.com incident. MyHeritage had partnered with 23andMe, and thousands of credentials overlapped across both websites.

The attorneys general opened a multistate investigation after the breach. They found unreasonable data security practices across several areas, including protection against credential-stuffing attacks, monitoring, rate limits, intrusion prevention and incident detection.

State investigators also said 23andMe failed to compare passwords against blocklists of known breached credentials or require multifactor authentication. They cited poor review of unusual login patterns, including a sharp spike in login attempts, along with delays in fixing known vulnerabilities and weaknesses in testing product features.

After 23andMe filed for bankruptcy protection in March 2025, the states filed claims connected to the breach investigation. During the bankruptcy process, the company’s assets, including consumer data, went to TTAM Research Institute, a nonprofit formed by 23andMe founder and former CEO Anne Wojcicki.

The attorneys general pushed data protection conditions into the sale terms. Those conditions include stronger security requirements, risk analysis, an Advisory Board, compliance with broad privacy laws without exceptions, and deletion rights for consumers.

TTAM Research Institute has since re-registered as 23andMe Research Institute. According to Beinsure, the settlement structure focuses less on large financial recovery and more on future custody of genetic data, since bankruptcy limits the money available for claims.

Maryland residents also receive protection under the state’s genetic privacy law. That law regulates direct-to-consumer genetic testing companies and requires transparent privacy policies, express consent for collecting or sharing genetic data, and consumer rights to access and delete personal genetic information.

Brown joined attorneys general from Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maine, Michigan, Minnesota, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin and West Virginia.