23andMe $30M Settlement Fund to Resolve Data Breach Lawsuit
23andMe has agreed to settle a class action lawsuit arising from a breach of customer records in 2023. The breach transpired in October 2023 and resulted in the theft of information on 6.9 million people, approximately 50% of its customers. 23andMe's network itself was not compromised; rather, the attacker performed a credential stuffing attack that gave access to some customer accounts. Approximately 14,000 individual accounts were compromised directly, about 0.1% of its customers.
When the attack was uncovered, 23andMe attributed it to the poor security habits of customers. Those accounts could be accessed only because the affected customers had reused the same usernames and passwords on accounts at other platforms. Once those third-party platforms suffered data breaches and credential theft, the stolen credentials could be used to log into any other accounts where the same credentials had been applied, which in this case meant 23andMe.
Records acquired from those accounts contained uninterrupted raw genotype data, health predisposition information, and carrier-status records. The threat actor also used the DNA Relatives feature, which lets users find and match with their genetic relatives. Through that feature, the threat actor viewed the profile data of approximately 5.5 million 23andMe customers, together with the Family Tree data of a further 1.4 million individuals. The threat actor then posted datasets for sale, including lists of customers with Jewish and Chinese ancestry.
23andMe faced more than two dozen lawsuits as a result of the data breach. The plaintiffs' attorneys stated that the Jewish dataset offered for sale could be used as a target list against Jews, while the Chinese dataset could be used by the People's Republic of China intelligence services to target dissidents. Although access to the 14,000 accounts resulted from users' password reuse, attorneys for the plaintiffs contended that 23andMe should have implemented additional security measures for users' sensitive information.
They alleged that 23andMe ought to have been alert to the possibility of a cyberattack, should have taken steps to reduce the risk, and should have put adequate breach-response measures in place. The provider, they argued, should have warned users with Jewish and Chinese ancestry that the datasets had been exposed and that they could be targeted as a result. The lawsuits additionally claimed that 23andMe misrepresented its data security, failed to implement protections in line with industry standards, and then misrepresented the extent and severity of the breach.
Attorneys for the plaintiffs and the class asserted that under the Illinois Genetic Information Privacy Act (not HIPAA, as 23andMe is not a healthcare entity), some class members could be entitled to around $3 billion in damages. In its annual report, 23andMe stated that it held approximately $216 million in cash; proceeding with the litigation could therefore have pushed 23andMe into bankruptcy.
The court gave preliminary approval to a $30 million settlement before 23andMe filed for bankruptcy in March 2025, seeking to maximize its value through a court-supervised sale. A non-profit led by former 23andMe CEO Anne Wojcicki purchased 23andMe for $305 million in July 2025. The sale made more resources available to pay claims submitted by people affected by the data breach.