Overview
- A bipartisan coalition of 42 state attorneys general announced a settlement on Tuesday that requires 23andMe to pay $18 million to resolve state-law claims tied to the October 2023 breach.
- The settlement includes state-by-state allocations such as about $705,000 for New York, roughly $491,902 for Pennsylvania, and about $410,000 for New Jersey with other states receiving set shares based on impacted users.
- The multistate deal is separate from a $46.75 million class-action pool tied to 23andMe’s bankruptcy that remains under court administration for distribution to claimants.
- As part of the enforcement, attorneys general won specific security and consumer protections including mandated risk analyses, required multifactor authentication and monitoring, an advisory board to oversee safeguards, and a retained right for consumers to delete their genetic data.
- The settlement follows findings that a hacker directly accessed about 14,000 accounts while 23andMe’s networked features exposed profile and genetic-linked information for millions and it reflects wider concern about the immutability and identifiability of genetic data after the company’s 2025 bankruptcy and sale of data to TTAM Research Institute.