Following a data a breach that exposed genetic and ancestry information for 6.9 million customers, 23andMe said it will settle a $30 million class action lawsuit accusing it of failing to protect users from a 2023 data breach.
The San Francisco-based company, which allows users to submit genetic materials and get a snapshot of their ancestry, announced in October 2023 that hackers had accessed customer information in a data breach, but the company didn't confirm the full extent of the incident until December. Around half of the company's 14 million users saw their personal information exposed in the leak, which first began in April 2023.
The lawsuit accusing the company of not doing enough to protect its customers was filed in January of this year. The suit also accused 23andMe of not notifying certain customers with Chinese or Ashkenazi Jewish ancestry that their data was targeted specifically and spread on the dark web. As part of the proposed settlement, which still requires preliminary court approval, the company will provide as much as $10,000 to qualifying customers, depending on the hardships they incurred, as well as other security services.
"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all US claims regarding the 2023 credential stuffing security incident," a 23andMe spokesman told CNET. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement."
Here's what we know about the terms of 23andMe data settlement. For more on recent settlements, read about how you might be able to claim money from CashApp and who is eligible for a real estate agent fee settlement.
How many people were impacted by the 23andMe data breach?
The settlement will cover roughly 6.9 million 23andMe users whose data was targeted in the leak. To qualify for the proposed settlement, 23andMe users must also have been a resident of the US on Aug. 11, 2023.
That 6.9 million number includes around 5.5 million users of 23andMe's DNA Relatives profiles, which lets users find and connect with genetic relatives. The other 1.4 million people affected by the breach used another service known as Family Tree, which predicts a family tree based on the DNA users share with relatives, 23andMe said.
How much money could you get as part of the settlement?
At the top end, 23andMe has said that it will pay out up to $10,000 with an "Extraordinary Claim" to users who can verify that they suffered hardships as a direct result of their information being stolen in the data breach that resulted in unreimbursed costs. This includes costs resulting from "identity fraud or falsified tax returns," from acquiring physical security systems, or from receiving mental health treatment.
Residents of Alaska, California, Illinois and Oregon who were impacted by the breach can also apply for a payment as part of the proposed settlement, since those states have genetic privacy laws with damages provisions. The payments for these individuals are expected to be around $100, depending on how many people file for them, a settlement document said.
Also, a smaller subset of affected users whose personal health information was impacted by the breach will be able to apply for a payment of $100.
23andMe Settlement Payouts
| 23andMe approximate payouts | To qualify |
|---|---|
| Up to $10,000 | An "Extraordinary Claim" for losses incurred |
| Up to $100 | Residents of Alaska, California, Illinois or Oregon |
| Up to $100 | Others who had health information stolen |
Will the settlement include anything else?
Beyond those payments, 23andMe will also offer impacted users three years of a security monitoring service called Privacy Shield, which filings described as providing "substantial web and dark web monitoring."
Can you apply for settlement yet?
As of now, there's no way to apply for a payment as part of this proposed settlement. CNET will provide updates on this aspect of the story as they become available.
For more, read this explainer on how class-action lawsuits work.