
23andMe data breach victims get $46.75 mn settlement


The bankruptcy plan administrator for the genetics-testing company formerly known as 23andMe agreed to pay $46.75 mn to victims under a settlement tied to the company’s data breach. The agreement seeks to resolve litigation that followed one of the largest consumer genetics data exposures in recent years.

Court records from the U.S. Bankruptcy Court for the Eastern District of Missouri show the plan administrator will pay $32.5 mn to settle consolidated class-action lawsuits.

The settlement forms part of the company’s broader bankruptcy process after 23andMe filed for Chapter 11 protection in March 2025.

Nearly $14.3 mn has already gone to Kroll, the settlement administrator. Court documents show cyber insurance policies funded about $13 mn of that amount.

Allied World Specialty Insurance Company, Tokio Marine HCC’s Houston Casualty Company, Berkshire Hathaway’s Landmark American Insurance Company, and various Lloyd’s underwriters issued cyber policies to 23andMe.

The latest settlement total represents a $3.25 mn reduction from the maximum amount under a January 2026 settlement on behalf of the claimant class. The class sought $48 mn in damages, though the court said that amount would expose the bankruptcy estates to prolonged, high-stakes litigation lasting months, or even years.

The court said continued litigation would cost millions of dollars and consume resources better preserved for stakeholders. That reasoning placed settlement certainty ahead of a longer fight over the full damages demand.

The plan administrator has resolved more than 255,860 claims, according to a June 10 filing. Thousands of claims remain unresolved, including questions around claim size and eligibility.

The settlement does not grant every claimant the same payment, with awards ranging from $50 to $10,000 for extraordinary claims.

23andMe disclosed the breach in an October 2023 blog post. The intrusion began around April 2023 and lasted about five months, affecting nearly half of the 14.1 mn customers in the company’s database at the time.

The company said the hacker accessed 5.5 mn DNA Relatives profiles, a feature that allowed customers to share information with each other. The attacker also accessed information for another 1.4 mn customers who used the Family Tree feature.

The company now operates as Chrome Holding Co. After filing for bankruptcy in March 2025, 23andMe sold much of its assets and was later sold back to co-founder Anne Wojcicki. California attempted to block the sale but did not succeed.

The litigation followed a familiar pattern after large cyberattacks. Two victims filed a class-action lawsuit in the U.S. District Court for the Northern District of California, alleging negligence, invasion of privacy, unjust enrichment, and breach of implied contract.

The complaint, filed Oct. 9 by Monica Santana of Florida and Paula Kleynburd of New York, said victims suffered losses tied to fraud risk, identity theft risk, lost bargain value, out-of-pocket expenses, time spent mitigating the incident, and reduced value of personally identifiable information.

The plaintiffs said breach victims faced a present and imminent threat of fraud and identity theft. Reports at the time said an anonymous hacker offered data from millions of customer accounts for sale, including email addresses, photos, gender, dates of birth, and DNA ancestry information.

The plaintiffs also argued that 23andMe’s breach notice was deficient. They said the company did not explain whether the threat had been contained or how the breach occurred.

In its Oct. 6 blog post, 23andMe said it had recently identified suspicious activity and started an investigation. The company said threat actors appeared to access certain accounts where users had recycled login credentials from other websites compromised earlier.

23andMe said it exceeded industry data protection standards and had obtained multiple ISO certifications for its security programme. The company also said it had offered and encouraged multi-factor authentication for customers since 2019.

According to Beinsure analysts, the 23andMe settlement shows how cyber insurance responds when data breach litigation moves into bankruptcy.

The insurer-funded portion covered only part of the settlement economics, while the remaining claims process still depends on estate resources, court oversight, and individual damage review.

For cyber underwriters, the case remains a warning about biometric and genetic data exposure, credential reuse, class-action severity, and privacy liability after a consumer platform breach.