About

42 States Secure Multistate Settlement for 23andMe 2023 Genetic Data Breach

Published
Score
19

Why it matters

A coalition of 42 state attorneys general, led by Washington AG Nick Brown, announced a settlement with 23andMe's bankruptcy trustee on July 14 resolving claims over a 2023 data breach that exposed genetic data of more than 220,000 Washington customers. Washington will receive approximately $500,000 as part of the multistate agreement, which addresses the company's failure to safeguard sensitive user information.

The breach began in April 2023 and persisted for five months, compromising genetic and personal data of an estimated 6.9 million users globally. The hacker accessed 5.5 million DNA Relatives profiles and 1.4 million Family Tree users, then listed the data for sale on the dark web. The incident triggered 23andMe's bankruptcy last year, after which Chrome Holding assumed control of the company.

This settlement follows a separate July 7 ruling by U.S. Bankruptcy Judge Brian Walsh approving a $46.75 million payout for individual breach victims—a net additional $32.46 million after prior distributions. The multistate agreement represents a distinct enforcement action by state governments to recover damages and enforce consumer privacy protections, supplementing the individual class-action settlement.

Attorneys handling consumer privacy litigation or representing clients affected by genetic data breaches should monitor how states coordinate enforcement against companies in bankruptcy. The dual-track settlement structure—individual victims plus state recoveries—may establish a template for future mass data breach litigation involving sensitive personal information.

Sources

mail Subscribe to Privacy email updates

Primary sources. No fluff. Straight to your inbox.

Also on LawSnap