Genetic testing company 23andMe and a group of attorneys general nationwide have reached a multimillion-dollar settlement following the major data breach that led to the company’s demise three years ago.
Read more Philly port operator sues to block permit for proposed Delaware container terminal
More than 40 attorneys general, including Pennsylvania‘s Dave Sunday, announced the national $18 million settlement with the genetic testing company Tuesday.
“This company was trusted by millions of Americans to safeguard very private data and information, but failed to do so, learning about a data breach far too late, then pointing fingers at their own customers,” Sunday said in a statement. “I find it appalling that a company dealing with customers’ personal information would be so lax about their system protections, then have the audacity to deny and attempt to wash their hands of wrongdoing.”
As part of the settlement, Pennsylvania will receive $491,902. Nearly 200,000 Pennsylvanians were impacted by the data breach, according to the state attorney general’s office. About 150,000 customers were impacted in New Jersey, which will receive nearly $410,000, said the state’s attorney general, Jennifer Davenport.
Here’s what else we know.
What happened with the 23andMe data breach?
In October 2023, 23andMe launched an investigation after a “threat actor” claimed to have obtainedmillions of users’ personal data.
By December, the company confirmed through a filing with the Securities and Exchange Commission that a hacker directly accessed 0.1% of its users’ accounts, or about 14,000 profiles. Still, because of the networks users can build, connecting their information to possible relatives, the hacker was able to view the information of millions of users.
A spokesperson for the company told news outlets at the time that 6.9 million people had been affected: about 5.5 million customers who had opted into 23andMe’s “DNA Relatives” feature and 1.4 million users whose family tree information was accessed.
Of those customers, 192,093 were in Pennsylvania.
What information was accessed?
Information accessed included:
-
Display name, profile picture, and birth year.
-
How recently they had logged into their account.
-
Their relationship status.
-
Their self-reported location by city and zip code.
-
Predicted relationships with others.
-
DNA percentages users share with their “DNA Relatives.”
An additional 1.4 million customers who used the “DNA Relatives” feature had their “Family Tree” profiles accessed, which includes a limited subset of profile data, the company said.
The hacker activity was contained and required existing users to reset their passwords and enable multifactor authentication, 23andMe said at the time. Still, experts warned consumers that they should consider deleting their accounts.
When did 23andMe declare bankruptcy?
The company declared bankruptcy in March 2025 and eventually was sold.
That’s when states, including Pennsylvania, filed claims related to the data breach investigation. As part of the bankruptcy proceedings, 23andMe’s consumer data was sold to TTAM Research Institute, a nonprofit organization formed by 23andMe founder and former CEO Anne Wojcicki. That sale is bound by new guardrails regarding data security that were put in place with the help of the coalition of attorneys general.
Sundayjoined the lawsuit to prevent 23andMe from selling consumer data as part of its bankruptcy proceedings.
The lawsuit said the California-based genomics biotech company was proposing to sell an “unprecedented compilation of highly sensitive and immutable personal data: a human being’s permanent and everlasting genetic identity.”
The risk of a data transfer was too great, the complaint said, as DNA data are unique to an individual and can be used to identify relatives — past and future. And genomic data live forever, even after a person dies.
“If stolen or misused, it cannot be changed or replaced,” the said.
What happened this week?
A group of 42 state attorneys general announced the $18 million settlement. This is in addition to a $46.75 million class-action settlement arising from the bankruptcy, for affected U.S. consumers who submitted claims by Feb. 17. Impacted customers should have received an email notifying them about their eligibility for the class-action settlement, according to the Pennsylvania attorney general’s office.
All 50 states and territories except for California, Hawaii, Mississippi, Missouri, Montana, Nebraska, Nevada, Rhode Island, and Wyoming were involved in the settlement.
Read more Pa. says it will not hand over voter rolls to federal government in reply to DOJ letter