23andme Lawsuit Data Breach

23andMe faces a $30M settlement and bankruptcy after a massive 2023 data breach exposed millions of customers’ genetic data, raising urgent questions about privacy and legal rights.
Von Wooding, Esq.
5 min read
👨‍⚖️
Are you an attorney? Check out Counsel Stack legal research at www.counselstack.com

Key Takeaways

  1. 23andMe faced over 40 class action lawsuits following a major data breach in 2023, ultimately agreeing to a $30 million settlement and three years of security monitoring for affected customers.
  2. The company filed for Chapter 11 bankruptcy in 2025, citing financial strain from the lawsuits, declining demand, and the need to facilitate a sale of its business.
  3. Customers’ genetic data privacy and legal rights remain a concern, with authorities issuing consumer alerts and advising on data deletion options as bankruptcy proceedings continue.

Overview of the 23andMe Lawsuit

23andMe, a prominent direct-to-consumer genetic testing company, became the focus of intense legal scrutiny after a significant data breach in 2023. The breach exposed the sensitive personal and genetic information of approximately 6.9 million customers. This incident triggered a wave of legal actions, regulatory investigations, and financial consequences that have reshaped the company’s future.

The lawsuits and subsequent bankruptcy proceedings have raised critical questions about data privacy, consumer protection, and the responsibilities of companies handling genetic information. This guide provides a detailed overview of the events, legal claims, settlement terms, and ongoing implications for 23andMe and its customers.

The 2023 Data Breach

Scope and Impact

In October 2023, 23andMe disclosed that hackers had accessed the personal data of nearly 7 million users. The breach included not only names and email addresses but also sensitive genetic information, such as ancestry details and health-related data. The attack exploited a technique known as “credential stuffing,” where hackers used previously leaked passwords from other sites to gain access to 23andMe accounts.

The scale and sensitivity of the compromised data set this breach apart from typical cybersecurity incidents. Genetic data is uniquely personal and can have long-term implications for privacy, insurance, and even familial relationships.

Notification and Response

Following the breach, 23andMe faced criticism for its handling of customer notifications. Many affected users reported delays in being informed about the breach, raising concerns about compliance with state and federal data breach notification laws. The company’s public statements and customer support responses were scrutinized by both regulators and plaintiffs’ attorneys.

For more details, see the official 23andMe statement on the breach.

Allegations Against 23andMe

In the aftermath of the breach, more than 40 class action lawsuits were filed against 23andMe in federal and state courts. The lawsuits generally alleged that the company:

  • Failed to implement adequate security measures to protect customer data.
  • Did not notify affected individuals in a timely manner.
  • Violated various state consumer protection and data privacy laws.
  • Exposed customers to heightened risks of identity theft and discrimination.

Some lawsuits also referenced the potential for genetic discrimination, which is regulated under federal laws such as the Genetic Information Nondiscrimination Act (GINA).

For a summary of the lawsuits, see Reuters coverage.

Settlement Agreement

In September 2024, 23andMe agreed to a $30 million settlement to resolve the consolidated class action lawsuits. The settlement included:

  • A $30 million fund to compensate affected customers.
  • Three years of free security monitoring for those impacted.
  • Commitments to improve data security practices.

The settlement is subject to court approval. Customers who were affected by the breach are eligible to file claims for compensation. Detailed instructions are available on the settlement website.

Regulatory and Consumer Alerts

The breach and legal fallout prompted warnings from government authorities. The California Attorney General issued a consumer alert, advising 23andMe customers to monitor their accounts and consider deleting their data if concerned about privacy. The alert also provided guidance on how to file complaints and seek assistance.

See the California Attorney General’s alert for more information.

Bankruptcy Filing and Business Implications

Chapter 11 Bankruptcy

In March 2025, 23andMe filed for Chapter 11 bankruptcy protection. The company cited the financial burden of the data breach lawsuits, declining demand for its DNA testing services, and the need to facilitate a sale of its business as primary reasons for the filing.

Chapter 11 allows the company to continue operating while restructuring its debts and seeking buyers for its assets. However, bankruptcy proceedings can complicate the settlement process and raise additional concerns about the handling of customer data.

For the official announcement, see 23andMe’s statement.

Customer Data Concerns

The bankruptcy has heightened concerns about the fate of customers’ genetic data. There are questions about whether customer data could be sold or transferred as part of the bankruptcy process. Privacy advocates and some state officials have urged customers to consider deleting their data from 23andMe’s systems.

Guidance on how to delete your data is available from NBC Bay Area.

Declining Demand and Financial Strain

The legal and reputational fallout from the breach has contributed to a sharp decline in demand for 23andMe’s services. The company’s financial reports show significant losses, and the bankruptcy filing is part of a broader effort to stabilize its operations and seek new ownership.

For more on the financial context, see Reuters business coverage.

Marketing and Regulatory Issues

In addition to the data breach litigation, 23andMe has faced lawsuits over its marketing and regulatory compliance. One class action alleged that the company marketed and sold its Saliva Collection Kit and Personal Genome Service without proper approval from the U.S. Food and Drug Administration (FDA).

These claims highlight the complex regulatory environment for genetic testing companies and the risks of marketing products without full regulatory clearance.

For more details, see the Morgan & Morgan Law Firm’s summary.

Changes to Terms of Service

In response to the lawsuits, 23andMe updated its terms of service to include provisions that may limit customers’ ability to participate in future class action lawsuits. These changes are designed to reduce legal exposure but have raised concerns among consumer advocates about access to legal remedies.

A summary of these changes is available in the Wikipedia entry on the 23andMe data leak.

Implications for Consumers and the Industry

Data Security and Privacy

The 23andMe case underscores the critical importance of robust data security measures for companies handling sensitive personal and genetic information. The breach and its aftermath have prompted calls for stronger regulations and better industry standards.

Affected customers have several options, including participating in the settlement, filing individual complaints, or deleting their data. The legal landscape for genetic data privacy is evolving, and this case may influence future legislation and enforcement actions.

Industry-Wide Impact

The fallout from the 23andMe lawsuits and bankruptcy is likely to have ripple effects across the genetic testing industry. Other companies may face increased scrutiny from regulators and consumers, and there may be renewed efforts to strengthen data protection laws.

Conclusion

The 23andMe lawsuit and bankruptcy highlight the serious risks associated with handling sensitive genetic data. The legal, financial, and reputational consequences for 23andMe serve as a cautionary tale for the entire industry. Customers should stay informed about their rights, monitor developments in the bankruptcy proceedings, and consider steps to protect their personal information.

For attorneys and legal professionals seeking in-depth research and case law, visit Counsel Stack.

Disclaimer: This guide provides a general overview of the 23andMe lawsuits and related legal developments. The situation is ongoing, and the information is based on current allegations and public sources as of June 2024. Legal outcomes may change as cases proceed. For specific legal advice, consult a qualified attorney.

Consumer Protection Law Bankruptcy Law Privacy Law
About the author
Von Wooding, Esq.

Von Wooding, Esq.

D.C. licensed attorney Founder at Counsel Stack

Read next

Roblox Lawsuit

DevaCurl Lawsuit

The Phoenix ED Device Lawsuit

Apple Lawsuit Settlement

Angel Lift Lawsuit

Counsel Stack Learn

Free and helpful legal information

AI Legal Research
Counsel Stack Learn

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Counsel Stack Learn.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.