California’s 23andMe Lawsuit Update

Subject Matter Expert –
23 And Me lawsuit

23andMe Data Breach Litigation: Settlement Terms and Consumer Impact

Synopsis from Law360 7/14/2026

23andMe has agreed to a $46.75 million national class-action settlement for eligible U.S. consumers affected by its 2023 data breach.

The settlement was reached through the company’s bankruptcy proceedings and applies to affected consumers who submitted claims by the February 17, 2026, deadline.

The breach affected approximately 6.9 million consumers worldwide and may have exposed genetic ancestry data, family relationship information, personal profile details, and other sensitive account information.

Separate $18 Million Multistate Resolution

Separately, a coalition of 42 states reached an $18 million bankruptcy claim settlement with 23andMe over allegations that the company failed to maintain reasonable cybersecurity safeguards.

Recoveries will be distributed among participating states based in part on the number of affected residents.

New Jersey will receive nearly $410,000 for approximately 150,000 impacted residents, while Pennsylvania will receive $492,902 for nearly 200,000 affected residents. New York, where approximately 305,000 residents were impacted, will receive a proportionate share.

The multistate resolution is separate from the $46.75 million class-action settlement.

Allegations Related to the Breach

Attackers reportedly used credential stuffing, a tactic that relies on usernames and passwords stolen from other websites to access accounts where consumers reused login information.

The multistate investigation alleged that 23andMe failed to implement appropriate protections, including multifactor authentication, password screening, rate limiting, intrusion prevention, system monitoring, and adequate review of unusual login activity.

The states also alleged that the company initially denied that a breach had occurred and later attributed the incident to consumers’ password practices.

Bankruptcy and Transfer of Consumer Data

23andMe filed for bankruptcy protection in March 2025. During the proceedings, its assets, including consumer data, were sold to TTAM Research Institute, a nonprofit formed by 23andMe founder and former CEO Anne Wojcicki.

The organization was later registered as the 23andMe Research Institute.

The sale included enhanced cybersecurity requirements, risk assessments, privacy-law compliance obligations, an advisory board, and continued consumer data-deletion rights.

Eligible claimants should continue monitoring communications from the settlement administrator for updates on claim status, payment timing, or requests for additional information.

 

 

Synopsis from Law.com: California Attorney General Rob Bonta has filed suit against Chrome Holding Co., formerly known as 23andMe, alleging the genetic testing company failed to adequately protect highly sensitive customer data during a 2023 breach that impacted 7 million people nationwide, including more than 855,000 Californians. The complaint claims the company’s security protocols were insufficient, allowing a threat actor to operate undetected for months before stolen genetic, health, ancestry, and personal data appeared for sale on the dark web. (California DOJ Attorney General) 

The lawsuit also alleges that 23andMe failed to respond to warning signs, including suspicious login activity and online discussions about a breach, and later misled consumers about the severity of the incident and the company’s role in it. The matter underscores the growing scrutiny around data privacy, cybersecurity controls, consumer notification, and the handling of sensitive genetic and health-related information. (Reuters) 

For law firms managing complex data breach, privacy, consumer protection, or class action matters, this litigation highlights the operational demands that follow large-scale exposure events, including claimant identification, data organization, notice support, documentation workflows, settlement administration, and ongoing claimant.  

Managing complex data breach or privacy-related claims? Verus helps law firms organize claimant data, streamline communications, support settlement administration, and manage high-volume litigation workflows with clarity and control. 

Contact Verus to learn how we can support your next complex matter. 

 

Disclaimer: This article provides information for general knowledge and informational purposes only, and does not constitute legal advice. Readers should consult with qualified legal counsel for advice tailored to their specific circumstances.

Share This