Beyond the typical rhythms of a data breach lawsuit, there is something very uneasy about the 23andMe story. Passwords, email addresses, and credit card numbers—sensitive but ultimately replaceable information—are involved in the majority of breaches. You alter your password. A card is cancelled. You go on. There is currently no legal precedent for what happened to 23andMe’s customers in the fall of 2023 because genetic data was taken. the type of data that remains constant. the type that cannot be reset or cancelled.
On October 6, 2023, the breach was made public. Hackers had employed a method known as “credential stuffing,” which basically involved using usernames and passwords taken from unrelated online breaches and comparing them to 23andMe accounts to determine which ones were successful. They used the DNA Relatives feature, which enables users to communicate with genetic relatives, once they were inside those accounts. Because they had chosen to share information with possible relatives, they were able to obtain data on millions of other users who had never had their own credentials compromised thanks to that feature. In the end, between 6.4 and 7 million Americans were impacted. Ancestry, family tree, health predisposition, and profile data were all collected into a breach that specifically targeted the company’s most sensitive database.
A $30 million settlement was ultimately reached after the ensuing class action lawsuits were consolidated in the Northern District of California. US claims closed on February 17, 2026, following final approval on January 30, 2026. Up to $10,000 for extraordinary documented harms, up to $165 for compromised health information, an estimated $100 in statutory damages, and five years of genetic and privacy monitoring services were all available to affected US residents who filed on time. It is difficult to put a monetary value on a category of personal information that has no real-world substitute, so it is difficult for courts to determine whether $100 sufficiently captures the harm of having your genetic profile exposed.
23andMe Lawsuit: $30 Million, a Bankruptcy, and 7 Million People’s DNA in the Middle of It All
| Category | Details |
|---|---|
| Company Name | 23andMe Holding Co. (now legally renamed Chrome Holding Co.) |
| Operating Entity | 23andMe, Inc. (now ChromeCo, Inc.) |
| Original HQ | Sunnyvale, California, USA |
| Service | Direct-to-consumer genetic testing and DNA ancestry analysis |
| Founded | 2006 |
| Co-Founder/Former CEO | Anne Wojcicki (resigned at time of bankruptcy filing) |
| Data Breach Date | Announced October 6, 2023 |
| Breach Method | Credential stuffing — using passwords leaked from other data breaches |
| Users Affected (US) | Approximately 6.4–7 million US residents |
| Data Compromised | Personal information, DNA Relatives profile data, health predisposition data |
| US Settlement | $30 million — Final approval granted January 30, 2026 |
| US Claims Deadline | February 17, 2026 (closed) |
| US Settlement Benefits | Up to $10,000 (Extraordinary Claims); up to $165 (Health Info Claims); ~$100 (Statutory); 5 years genetic monitoring |
| Canadian Settlement | US$3.25 million (~C$4.49 million) |
| Canadian Claims Period | March 27, 2026 — June 25, 2026 |
| Canadian Extraordinary Claim | Up to C$2,500 for documented out-of-pocket expenses |
| Bankruptcy Filed | March 23, 2025 — Chapter 11, Eastern District of Missouri |
| Asset Buyer | TTAM Research Institute (non-profit) — acquired for US$305 million, completed July 14, 2025 |
| US Settlement Court | U.S. Bankruptcy Court, Eastern District of Missouri |
| Canadian Settlement Court | BC Supreme Court — Case No. S-237147 / S-246520 |
When 23andMe filed for Chapter 11 bankruptcy in the Eastern District of Missouri in March 2025, the situation became much more complicated. With about 15 million customers’ genetic data stored in its systems, the company, which had been losing money for years and was having trouble coming up with a viable business plan outside of its spit-kit consumer product, resigned CEO Anne Wojcicki and filed for bankruptcy. State attorneys general across the nation acted swiftly to advise users to remove their data before any sale could transfer it to a new owner with different privacy obligations. What happens to extremely private biological data when the company that owns it files for bankruptcy and sells its assets is a gap in consumer protection law that few people had given much thought to.
When the non-profit TTAM Research Institute paid $305 million to acquire 23andMe’s assets in July 2025, that question was partially addressed. The company was formally renamed, with 23andMe Holding Co. becoming Chrome Holding Co. and 23andMe, Inc. becoming ChromeCo, Inc. This resulted in a somewhat confusing situation where the legal entity handling claims is now officially known as Chrome, but the settlement website for the 2023 breach still uses the 23andMe name. The renaming has very little practical impact on the millions of people whose data is involved.
The situation is still in effect for Canadian users. The BC Supreme Court approved a separate settlement of US$3.25 million, or roughly C$4.49 million, which is presently in its claims period, which runs from March 27, 2026, to June 25, 2026. Those who were 23andMe customers between May 1 and October 1, 2023, lived in Canada at the time, and were informed directly that their data was impacted are eligible Canadian claimants. A completed form and participation in a pro rata distribution of the settlement fund are the only requirements for ordinary claims. Up to C$2,500 may be awarded for extraordinary claims that cover verified out-of-pocket costs such as security monitoring fees or mental health counseling directly related to the breach. The Canadian settlement is noteworthy for another reason: it is purportedly the first instance of a Canadian class action claim being resolved in a US Chapter 11 insolvency proceeding, establishing a precedent for future cross-border cases.
As all of this has been going on for more than two years, there’s a sense that the 23andMe story caught something that the law hasn’t quite caught up with. Litigation pertaining to consumer data breaches is now well-established; all significant settlements have a similar structure. Genetic data, however, falls into a different category. It is irreversible, inherited, and can disclose details about the individual who supplied the sample as well as about their parents, kids, and biological relatives who never sent a kit to a lab in California or signed a terms-of-service agreement. The settlement amounts represent what attorneys and courts are able to accomplish within the confines of the current legal system. The legal system is still figuring out whether those frameworks are sufficient for this specific type of loss, which is a more difficult question.
