Summary
Genetic testing company 23andMe has agreed to pay $18 million to settle claims brought by a coalition of 43 state attorneys general alleging the company failed to protect customers' genetic and personal data in a major breach first disclosed in late 2023. The settlement represents one of the largest state-level data privacy enforcement actions involving biometric and genetic information.
Background: The 2023 Breach
The breach stemmed from a credential stuffing attack in which threat actors used previously leaked username-and-password combinations to access 23andMe accounts. Because many customers had enabled the platform's DNA Relatives feature — which links users to genetic relatives — a single compromised account could expose data from hundreds of connected profiles.
By the time 23andMe disclosed the incident, attackers had accessed the personal data of approximately 6.9 million users, including:
- Ancestry composition reports
- Genetic ethnicity percentages
- Relative match lists
- Profile photos and display names
- Birth years and geographic locations
Notably, the threat actors targeted users of specific ethnic backgrounds — Jewish Ashkenazi and Chinese descent in particular — and sold curated lists on criminal forums.
The Settlement
The multi-state coalition alleges that 23andMe:
- Failed to implement adequate security controls to prevent credential stuffing attacks, including mandatory multi-factor authentication
- Delayed notification to affected users beyond what state breach notification laws require
- Misrepresented the security protections in place for sensitive genetic data
- Failed to safeguard health-related genetic information under state consumer protection statutes
Under the terms of the $18 million settlement, 23andMe must:
- Implement enhanced security measures including mandatory MFA for all accounts
- Improve breach detection and notification timelines
- Strengthen data minimization practices
- Submit to independent security audits for a defined period
Company Financial Context
The settlement comes as 23andMe faces severe financial pressure. The company filed for Chapter 11 bankruptcy protection in March 2025 after years of declining revenue and struggles to monetize its genetic database. The bankruptcy process raised additional alarms among privacy advocates and regulators about the fate of the genetic data of more than 15 million customers should the company be acquired or liquidated.
A judge ultimately approved a sale of 23andMe's assets to a buyer, but the disposition of the genetic database remained a contentious issue throughout proceedings, with multiple attorneys general filing objections to any asset transfer that did not include binding privacy protections.
Why Genetic Data Is Different
Unlike passwords or credit card numbers, genetic data cannot be changed. A data breach involving genomic information has permanent implications:
- Health risk exposure: Predispositions to diseases like Alzheimer's, BRCA-linked cancers, or hereditary conditions can affect insurance eligibility and employment in jurisdictions without strong protections
- Family linkage: An individual's genetic data inherently reveals information about biological relatives — people who never consented to share their data
- Law enforcement use: Genetic genealogy databases have been used to identify suspects in criminal investigations, raising concerns about compelled disclosure
The 23andMe breach underscored that genetic testing companies are handling one of the most sensitive categories of personal data that exists — yet many operated under the same security standards as general consumer software.
Regulatory Implications
The 43-state coalition settlement sets a significant precedent for state-level enforcement of genetic data privacy. Several states have enacted specific genetic information privacy laws beyond HIPAA's scope, and this settlement may accelerate legislative efforts in states that lack such protections.
The FTC has also signaled increased scrutiny of health and genetic data practices under Section 5 of the FTC Act. Companies operating in the direct-to-consumer genetics space should expect continued regulatory pressure.
Recommendations for Consumers
If you have or had a 23andMe account:
- Enable multi-factor authentication immediately if still using the service
- Download your genetic data and review what is stored
- Delete your data if you no longer wish to use the service — look for account deletion options, not just profile deactivation
- Monitor for identity theft — name, date of birth, and location data exposed in the breach can be used in social engineering attacks
- Watch for class action notifications — a separate class action lawsuit was settled for $30 million in 2024; check if you are eligible for compensation