Major Settlement Reached Between 23andMe and Coalition of Attorneys General
In a significant development stemming from a major data breach, a coalition of 42 U.S. attorneys general has secured an $18 million settlement with 23andMe, a prominent genetic testing firm. This settlement comes on the heels of a substantial breach of customer data that the firm experienced in 2023, raising concerned questions about data security protocols within the rapidly evolving genetic testing industry.
Leading the charge in this legal endeavor is New York Attorney General Letitia James, who, alongside the bipartisan coalition, has ensured that stringent new requirements will be implemented to enhance the security of customer data at 23andMe. As part of this settlement, the company will also pay more than $705,000 directly to New York State, underscoring the fallout from the breach.
The breach initially came to light in October 2023, when 23andMe publicly confirmed that unauthorized individuals had gained access to customer profile information through a sophisticated credential stuffing attack. This technique involved exploiting individuals’ poor password management practices rather than breaching the company’s internal network. Consequently, the absence of vital security measures such as multi-factor authentication (MFA) was highlighted as a primary factor contributing to the vulnerability.
The data accessed in the breach had alarming implications, as it encompassed the personal information of over six million individuals, including sensitive data pertaining to their ancestral origins. The magnitude of this exposure raised concerns not only over privacy but also about the ethical considerations surrounding genetic data management.
The situation worsened for 23andMe when, in March 2025, the company filed for bankruptcy protection. Following this filing, Attorney General James issued a statement indicating that her office, along with the coalition, would pursue claims related to the breach. Just a few months later, in June 2025, James and a coalition of 27 other attorneys general took the crucial step of suing 23andMe, reinforcing their commitment to safeguarding Americans’ personal genetic information, particularly in light of the company’s precarious financial state.
During the bankruptcy proceedings, it was revealed that 23andMe’s customer data was sold to TTAM Research, a non-profit organization established by the firm’s founder and former CEO, Anne Wojcicki. This acquisition raised further concerns about the ongoing security of customer data.
In response to these concerns, Attorney General James and her coalition were able to secure new data security measures at TTAM designed to protect consumers’ information against potential future breaches. These measures include conducting appropriate risk assessments, forming an Advisory Board focused on data security, and ensuring that customers maintain the right to delete their personal information should they choose to.
James remarked on the company’s failures, stating, “Companies have a duty to protect their customers’ personal information from hackers, but 23andMe put millions of its customers at risk with its flimsy security measures. New Yorkers trusted 23andMe with their sensitive and personal genetic data, only to find that data stolen and put up for sale on the dark corners of the internet. As a result of our coalition’s action, 23andMe will pay for violating the law, and strict rules will be put in place to protect their customers."
In addition to the $18 million settlement reached, it is noteworthy that an earlier settlement of $46.75 million was approved by a U.S. bankruptcy judge on July 7, aimed at compensating victims affected by the data breach. However, an ensuing legal complication arose when a bankruptcy judge ruled on July 10 that California could not pursue damages against the company due to its ongoing Chapter 11 reorganization plan. The judge provided California with a 14-day window to either dismiss its lawsuit, filed by Attorney General Rob Bonta, or amend the complaint to exclude claims for monetary relief.
Adding to the company’s legal challenges, 23andMe faced a €2.4 million ($2.75 million) fine in July 2026 from the Spanish privacy watchdog due to the compromise of data of 2,642 customers residing in Spain. Furthermore, the organization was also penalized in June 2025 by the UK’s Information Commissioner’s Office with a £2.3 million ($3.1 million) fine for failing to protect customers’ sensitive genetic data adequately.
The multitude of legal actions, fines, and settlements serves as a clarion call for greater accountability and stringent security measures in an era where consumer data protection is more critical than ever. As the technological landscape evolves, the obligation of companies to prioritize customer trust and data integrity remains paramount in safeguarding personal information against future cybersecurity threats.

