The breach began in April 2023 and persisted for five months, compromising genetic and personal data of an estimated 6.9 million users globally. The hacker accessed 5.5 million DNA Relatives profiles and 1.4 million Family Tree users, then listed the data for sale on the dark web. The incident triggered 23andMe's bankruptcy last year, after which Chrome Holding assumed control of the company.
This settlement follows a separate July 7 ruling by U.S. Bankruptcy Judge Brian Walsh approving a $46.75 million payout for individual breach victims—a net additional $32.46 million after prior distributions. The multistate agreement represents a distinct enforcement action by state governments to recover damages and enforce consumer privacy protections, supplementing the individual class-action settlement.
Attorneys handling consumer privacy litigation or representing clients affected by genetic data breaches should monitor how states coordinate enforcement against companies in bankruptcy. The dual-track settlement structure—individual victims plus state recoveries—may establish a template for future mass data breach litigation involving sensitive personal information.