23andMe has recently reached a major settlement worth $30 million in response to a lawsuit related to a data breach that affected 6.9 million of its customers. The breach, which occurred over a five-month period starting in April 2023, led to the exposure of personal information and prompted the company to offer three years of security monitoring to those affected.
The settlement aims to address allegations that 23andMe failed to adequately safeguard its customers’ privacy and neglected to inform certain groups that their data had been specifically targeted by hackers. The legal agreement, which was initially filed in federal court in San Francisco and is awaiting final approval from the judge, includes cash payments to customers whose data was compromised and enrollment in a Privacy & Medical Shield + Genetic Monitoring program for three years. This program is intended to provide ongoing protection and monitoring in light of the data breach.
According to 23andMe, the settlement is fair, adequate, and reasonable, as stated in a court filing made on Friday. The company also highlighted its uncertain financial situation and requested that arbitrations by tens of thousands of class members be put on hold until the settlement is either approved or they decide not to participate. It is estimated that around $25 million of the settlement costs will be covered by the company’s cyber insurance.
The cyberattack on 23andMe impacted nearly half of the 14.1 million customers in the company’s database at the time. Hackers accessed 5.5 million DNA Relatives profiles and data from 1.4 million customers using the Family Tree feature.
In response to the financial challenges posed by the settlement, 23andMe’s co-founder and Chief Executive, Anne Wojcicki, has been exploring options to take the company private following its initial public offering at $10 per share. Since mid-December, the company’s shares have been trading below $1.
The case, known as In re 23andMe Inc Customer Data Security Breach Litigation, is currently being heard in the U.S. District Court for the Northern District of California under case number 24-md-03098. The legal team representing the plaintiffs may seek up to 25% of the settlement amount in legal fees.
Overall, the settlement marks a significant step towards resolving the fallout from the 23andMe data breach, providing compensation to affected individuals and implementing measures to enhance data security and privacy protections moving forward.