23andMe Data Breach Settlement: $30M Deal Covers Millions Whose Info Was Stolen
23andMe has agreed to pay a “carefully tailored” $30 million settlement to resolve more than 40 class action lawsuits filed in the wake of a massive data breach last year that allegedly saw scores of users’ personal, genetic and ancestry information sold on the black market.
The proposed 23andMe data breach settlement, submitted to the court on September 12, 2024, comes with the company in an “uncertain financial situation,” with plaintiffs’ attorneys informing the court that the defendant’s “challenging financial position presented extraordinary challenges” toward striking a deal to resolve the multidistrict litigation (MDL) over the October 2023 cyberattack.
According to court documents, the proposed settlement, which now awaits preliminary approval from the court, will provide relief for around 6.4 million 23andMe class members, including monetary reimbursement, cash payments for residents of certain states and individuals who had their health information compromised in the data breach, and three years of enrollment in a unique program with privacy-monitoring features designed specifically for the 23andMe settlement.
Read on to learn everything you need to know about the 23andMe data breach settlement, including who’s covered by the deal, how much money you might get, and what you need to do to file a 23andMe claim form for benefits.
Who’s covered by the 23andMe data breach settlement?
The proposed $30 million 23andMe data breach settlement covers all individuals who were residents of the United States on August 11, 2023 and whose personal information was compromised in the early-October 2023 23andMe.com data security incident, during which certain customer profile information was accessed without authorization.
What will the 23andMe settlement provide?
According to a memo submitted in support of the proposed deal, the 23andMe settlement will allow for eligible class members to file a claim for up to $10,000 in verifiable, unreimbursed costs related to the data breach.
Specifically, the settlement provides reimbursement for costs incurred “directly as a result of identity fraud or falsified tax returns” that a 23andMe user can establish as resulting from the data breach. The deal also provides reimbursement for costs linked to the purchase of physical security or monitoring systems that a user can establish were bought in response to the cyberattack. Lastly, 23andMe class members can file a reimbursement claim for costs related to seeking professional mental health counseling or treatment, the need for which the user must establish was the result of the data breach.
23andMe class members who, when the data breach occurred, were residents of Alaska, California, Illinois or Oregon (states that have genetic privacy laws with provisions for statutory damages) may file a claim for cash from the settlement. Per court documents, plaintiffs’ lawyers anticipate that users in these states may receive cash payments of around $100, depending on how many valid claims are filed.
In addition, court documents share that the “small number” of class members who had health information compromised in the 23andMe data breach can submit a claim for a $100 cash payment from the settlement.
Lastly, all 23andMe class members will be entitled to enroll in Privacy Shield, a monitoring program court documents say was “developed by experts in the field specifically for this case.” The program will be available to class members for three years and provides “substantial web and dark web monitoring” for 23andMe users.
How do I file a 23andMe claim form?
Consumers covered by the deal can file a 23andMe claim form for benefits online when the official settlement website — 23andMeDataSettlement.com — is launched. Claim forms can also be downloaded from the settlement site and mailed in to the settlement administrator.
However, before claims can be filed for compensation from the settlement, the court must decide whether to grant preliminary approval to the deal. Preliminary approval is essentially the first obstacle a proposed class action settlement must clear before consumers can receive any cash, rebates, or other settlement benefits.
A preliminary approval hearing is scheduled for October 17, 2024.
Don’t miss out: ClassAction.org will update this page if and when the official 23andMe settlement site goes live, and if and when the deal receives preliminary approval from the court, so be sure to check back often.
Does the settlement provide any other benefits?
In addition to cash payments and a monitoring program for 23andMe users impacted by the data breach, the company has agreed, as part of the settlement and at its own expense, to commit to “adopting, paying for, implementing and maintaining” certain safeguards to better protect users’ personal information. These commitments include, among other measures, enhanced password protection, mandatory multi-factor authentication, annual security awareness training and cybersecurity audits, and limits on the retention of inactive personal information.
Moreover, 23andMe will provide a link to where data breach settlement class members can have their information deleted by the company, court documents share.
Is this a good settlement?
From what the court was told by plaintiffs’ lawyers, it appears so, especially given the reportedly precarious nature of 23andMe’s balance sheet.
Attorneys told the court that the 23andMe data breach settlement marks “an outstanding result” that maximizes the relief available from the genomics company and achieves “key relief” sought by the plaintiffs. Settlement documents state that the severity of the data breach combined with 23andMe’s “challenging financial position” posed challenges to achieving a deal “far beyond those in a typical data breach MDL.”
Plaintiffs’ attorneys summarized that 23andMe’s financial condition was “dire” even before the data breach, and that the company’s stock was trading at an all-time low of $0.30 per share as of September 10.
“Given 23andMe’s financial position, litigation exposure in this and other cases, and limited funds available, an early attempt at resolution was a rational path forward for the proposed Class,” plaintiffs’ counsel said.
How did we get here?
On August 11, 2023, a threat actor on the dark web claimed to have for sale samples of genetic data from 23andMe users, according to court documents. In early October of that year, the threat actor made the data available, including ethnicity details for one million 23andMe users of Ashkenazi Jewish heritage and more than 300,000 users of Chinese heritage.
For a small number of 23andMe users, the hacker also accessed information about their present or future health based on the analysis of their genetic data, self-reported health information, and uninterpreted genotype data, court documents say.
On October 6, 2023, 23andMe confirmed the genetic data theft, determining that the threat actor downloaded without authorization the information of roughly 6.4 million people in the U.S. According to court documents, the data that was accessed by the perpetrator varied but included for most users the personal information from their DNA Relatives or Family Tree profiles, which could include their name, sex, birth year, genetic information, location data, and more.
From there, more than 40 putative class action suits were filed against 23andMe over the data breach. The cases were centralized into multidistrict litigation in April 2024 in the Northern District of California.