Data breaches are becoming an all-too-common risk in today’s digital economy, and they often pave the way for major class action lawsuits. Companies that collect and store sensitive personal data—such as genetic, financial, or identifying information—have a legal duty to protect it from unauthorized access. When they fail to do so, affected individuals may be entitled to compensation through legal settlements. The recent case involving 23andMe is a significant example of how companies can be held accountable when they fail to meet these standards.
Data Privacy Is a Corporate Responsibility
In the digital age, companies are expected to protect consumer data with strong cybersecurity protocols. This is especially important for firms like 23andMe that manage highly sensitive DNA and ancestry data. When this information is exposed in a breach, it can lead to serious consequences, including identity theft, doxxing, discrimination, or even targeted harassment.
Unfortunately, when corporations cut corners or delay informing the public about a breach, the damage to both consumers and their trust is amplified. That’s exactly what happened in the 23andMe case.
Inside the 23andMe Data Breach
In October 2023, 23andMe confirmed a breach that originated from around 14,000 compromised user accounts. These accounts were then used to access the ancestry and personal information of nearly 7 million people via a feature called “DNA Relatives,” which shares genetic connections with other users.
Exposed data included:
- Full names
- Location data
- Family surnames and profile images
- Ancestry reports
- DNA matches
- Birthdates
The lawsuit filed in January 2024 alleges that 23andMe failed to secure its platform adequately and did not promptly disclose the extent of the breach. It also accuses the company of failing to inform users that those of Ashkenazi Jewish and Chinese descent may have been specifically targeted in the attack.
Settlement Details: What You Can Claim
Though the class action has been delayed due to bankruptcy proceedings, the terms of the proposed settlement offer financial compensation for affected users.
Here’s what class members may be eligible to receive:
| Expense Type | Maximum Payout | Requirements |
|---|---|---|
| Undocumented Expenses | Up to $500 | No proof needed, but must qualify |
| Documented Expenses | Up to $1,500 | Requires evidence of financial loss |
Eligibility Criteria
To qualify for a claim, you must meet all the following conditions:
- You were a U.S. resident as of August 11, 2023
- You were a 23andMe customer between May 1 and October 1, 2023
- You received a data breach notification from the company
- You experienced monetary losses or harm due to the breach
Important Dates
- Claim Deadline: July 14, 2025
- Final Settlement Hearing: Not yet scheduled (Pending resolution of bankruptcy proceedings)
Company Acquisition Delays the Payout
23andMe’s legal and financial future has been complicated by its bankruptcy filing. However, a recent deal announced that Regeneron Pharmaceuticals will acquire 23andMe for $256 million. The acquisition includes several key business lines, including the company’s Personal Genome Service, Total Health and Research Services, and its massive genetic biobank.
According to Regeneron, the move is intended to enhance genetic research capabilities and improve health outcomes, while continuing to offer consumers access to personal DNA insights.
Until this acquisition is finalized and bankruptcy proceedings are resolved, the court cannot schedule the final hearing, and no settlement funds can be distributed.
FAQs
How much can I receive from the settlement?
Up to $500 for undocumented expenses and up to $1,500 for documented losses.
Why haven’t payments been made yet?
The final court hearing is on hold due to 23andMe’s bankruptcy and pending acquisition by Regeneron Pharmaceuticals.
Was my data targeted because of my ancestry?
Reports allege that people with Ashkenazi Jewish or Chinese heritage may have been disproportionately affected in the breach.