Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1917+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. 23andMe to Pay $18 Million in New Genetics Data Breach Settlement
23andMe to Pay $18 Million in New Genetics Data Breach Settlement
NEWS

23andMe to Pay $18 Million in New Genetics Data Breach Settlement

Genetic testing company 23andMe has agreed to pay $18 million to settle claims from 43 attorneys general that it failed to adequately protect customers' highly sensitive genetic data in a 2023 breach affecting nearly 7 million users.

Dylan H.

News Desk

July 16, 2026
4 min read

Summary

Genetic testing company 23andMe has agreed to pay $18 million to settle claims brought by a coalition of 43 state attorneys general alleging the company failed to protect customers' genetic and personal data in a major breach first disclosed in late 2023. The settlement represents one of the largest state-level data privacy enforcement actions involving biometric and genetic information.

Background: The 2023 Breach

The breach stemmed from a credential stuffing attack in which threat actors used previously leaked username-and-password combinations to access 23andMe accounts. Because many customers had enabled the platform's DNA Relatives feature — which links users to genetic relatives — a single compromised account could expose data from hundreds of connected profiles.

By the time 23andMe disclosed the incident, attackers had accessed the personal data of approximately 6.9 million users, including:

  • Ancestry composition reports
  • Genetic ethnicity percentages
  • Relative match lists
  • Profile photos and display names
  • Birth years and geographic locations

Notably, the threat actors targeted users of specific ethnic backgrounds — Jewish Ashkenazi and Chinese descent in particular — and sold curated lists on criminal forums.

The Settlement

The multi-state coalition alleges that 23andMe:

  1. Failed to implement adequate security controls to prevent credential stuffing attacks, including mandatory multi-factor authentication
  2. Delayed notification to affected users beyond what state breach notification laws require
  3. Misrepresented the security protections in place for sensitive genetic data
  4. Failed to safeguard health-related genetic information under state consumer protection statutes

Under the terms of the $18 million settlement, 23andMe must:

  • Implement enhanced security measures including mandatory MFA for all accounts
  • Improve breach detection and notification timelines
  • Strengthen data minimization practices
  • Submit to independent security audits for a defined period

Company Financial Context

The settlement comes as 23andMe faces severe financial pressure. The company filed for Chapter 11 bankruptcy protection in March 2025 after years of declining revenue and struggles to monetize its genetic database. The bankruptcy process raised additional alarms among privacy advocates and regulators about the fate of the genetic data of more than 15 million customers should the company be acquired or liquidated.

A judge ultimately approved a sale of 23andMe's assets to a buyer, but the disposition of the genetic database remained a contentious issue throughout proceedings, with multiple attorneys general filing objections to any asset transfer that did not include binding privacy protections.

Why Genetic Data Is Different

Unlike passwords or credit card numbers, genetic data cannot be changed. A data breach involving genomic information has permanent implications:

  • Health risk exposure: Predispositions to diseases like Alzheimer's, BRCA-linked cancers, or hereditary conditions can affect insurance eligibility and employment in jurisdictions without strong protections
  • Family linkage: An individual's genetic data inherently reveals information about biological relatives — people who never consented to share their data
  • Law enforcement use: Genetic genealogy databases have been used to identify suspects in criminal investigations, raising concerns about compelled disclosure

The 23andMe breach underscored that genetic testing companies are handling one of the most sensitive categories of personal data that exists — yet many operated under the same security standards as general consumer software.

Regulatory Implications

The 43-state coalition settlement sets a significant precedent for state-level enforcement of genetic data privacy. Several states have enacted specific genetic information privacy laws beyond HIPAA's scope, and this settlement may accelerate legislative efforts in states that lack such protections.

The FTC has also signaled increased scrutiny of health and genetic data practices under Section 5 of the FTC Act. Companies operating in the direct-to-consumer genetics space should expect continued regulatory pressure.

Recommendations for Consumers

If you have or had a 23andMe account:

  1. Enable multi-factor authentication immediately if still using the service
  2. Download your genetic data and review what is stored
  3. Delete your data if you no longer wish to use the service — look for account deletion options, not just profile deactivation
  4. Monitor for identity theft — name, date of birth, and location data exposed in the breach can be used in social engineering attacks
  5. Watch for class action notifications — a separate class action lawsuit was settled for $30 million in 2024; check if you are eligible for compensation

References

  • BleepingComputer: 23andMe to pay $18 million in new genetics data breach settlement
  • FTC Health Breach Notification Rule
#Data Breach#Privacy#Genetics#Settlement#23andMe

Related Articles

23andMe $47 Million Settlement Approved for 7 Million Breach Victims

A bankruptcy administrator has approved a $47 million settlement fund for roughly 7 million 23andMe customers whose genetic and health data was stolen by...

4 min read

California AG Sues 23andMe Over 2023 Breach Exposing Genetic Health Data

California Attorney General Rob Bonta filed a lawsuit against 23andMe — now Chrome Holding Co. — over its failure to protect millions of customers'...

6 min read

Centers Laboratory Data Breach Affects 540,000 Individuals

The WorldLeaks extortion group claims to have stolen 720 GB of data from Centers Laboratory, a healthcare testing and laboratory services provider, exposing sensitive records of over 540,000 individuals.

4 min read
Back to all News