23andMe Data Breach Settlement

23andMe Data Breach Settlement Approved by Bankruptcy Judge for $46.75 Million

Follow Us:

Mirror Review

July 8, 2026

A U.S. bankruptcy judge approved the 23andMe data breach settlement for $46.75 million on July 7, 2026. The decision resolves a major class-action lawsuit from a 2023 cyberattack that exposed the genetic and personal data of nearly seven million customers, making it one of the largest healthcare data breaches in recent history. Bankruptcy Judge Brian Walsh finalized the agreement in St. Louis, Missouri, allowing the company to move forward with user compensation.

How the 23andMe Cyberattack Occurred in 2023

The roots of the 23andMe data breach payout go back to a series of cyberattacks that occurred between April and September of 2023.

Malicious actors used a technique known as credential stuffing. In these attacks, hackers take lists of usernames and passwords stolen from previous, unrelated data leaks on other websites and try them automatically on the 23andMe platform.

Because many people reuse the same passwords across multiple services, the hackers successfully broke into thousands of accounts.

Once inside, the hackers took advantage of features that connected family members. This allowed them to scrape deeper information from the databases, exposing the data of 6.9 million individuals.

The stolen data included names, birth years, self-reported locations, profile images, family trees, ethnic backgrounds, and detailed genetic health reports.

A joint international investigation revealed that 23andMe lacked basic security measures, such as mandatory multi-factor authentication or secure password protocols.

The DNA testing firm also failed to set up proper monitors to detect unusual data downloads or protect raw genetic profiles.

Understanding the 23andMe Data Breach Settlement Approval

Bankruptcy Judge Brian Walsh stated that the $46.75 million agreement is fair, equitable, and serves the best interests of the trust managed by the bankruptcy administrator. The settlement addresses the massive security failure from 2023 that compromised roughly half of the total customer base of 23andMe.

The total financial resolution incorporates the money that 23andMe has already distributed.

The court will reduce the final $46.75 million total by $14.29 million that was previously disbursed in connection with the cyberattack. This leaves an additional pool of $32.46 million available for distribution to eligible class members.

To qualify for compensation under this 23andMe settlement, individuals must meet specific criteria. Eligible members must have been customers between May 1, 2023, and October 1, 2023.

They must also have lived in the United States during that timeframe and received an official notice from 23andMe confirming that the breach compromised their personal information.

The Tiers of the 23andMe Data Breach Payout

The 23andMe settlement establishes different compensation levels depending on the severity of the damage that individual users experienced.

Plaintiffs designed the 23andMe lawsuit payout structure to cover both immediate financial losses and long-term privacy protection.

The table below outlines the specific benefits and cash amounts that valid claimants can receive:

Claim CategoryMaximum Compensation Details
Extraordinary ClaimsUp to $10,000 for documented, severe financial impacts
Health Information ClaimsUp to $165 for compromised genetic health data
Statutory Cash ClaimsAn estimated $100 payout for standard class members
Privacy & Medical Shield5 years of continuous genetic monitoring and identity protection

Even if users choose to do nothing, they still remain bound by the terms of the settlement. However, doing nothing means they forfeit their right to any direct cash reimbursement. Passive class members will only retain access to the five years of genetic monitoring and privacy shield services.

What is the 23andMe Settlement Payout Date?

Many affected customers want to know the exact 23andMe settlement payout date.

While the court granted final approval for the deal, the distribution of funds will not happen immediately. The official settlement administrator noted that payments will remain paused until the ongoing bankruptcy reconciliation process concludes. This financial resolution can take several months or potentially longer.

The window for submitting new claims has already closed.

The original class notice gave affected individuals until February 17, 2026, to file their forms. The deadlines for opting out of the class action or filing formal objections passed even earlier, on December 29, 2025.

Consequently, the settlement administrator is currently processing the claims that arrived before the deadlines.

The Slow Corporate Response and Financial Collapse

23andMe faced heavy criticism for how slowly it responded to the brewing crisis. The credential stuffing began in April 2023 and peaked in May.

In August 2023, public reports claimed that hackers stole data from over 10 million users. 23andMe dismissed these reports as a hoax, despite having already found unauthorized activity on its platform during isolated internal checks in July.

The full scale of the disaster only became clear in October 2023 when an employee discovered that hackers were selling the data on Reddit.

The financial fallout caused a swift decline for the business.

Faced with massive legal bills, intense market competition, and a sharp drop in consumer demand for genetic testing, 23andMe filed for Chapter 11 bankruptcy protection in March 2025.

Corporate Rebranding and International Penalties

To keep the service alive, a nonprofit group called the TTAM Research Institute purchased the assets of 23andMe for $305 million in July 2025.

Anne Wojcicki, the co-founder and former chief executive officer of 23andMe, controls this nonprofit. Following the completion of the sale, the corporate entity changed its official legal name to Chrome Holding Co.

The legal trouble for the brand extends far beyond standard class actions.

In June 2025, the UK Information Commissioner’s Office issued a formal fine of £2.31 million against the firm for failing to protect the genetic data of British citizens.

UK Information Commissioner John Edwards noted that a DNA breach is uniquely damaging because a person cannot change their genetic code like a password or credit card number.

In Canada, courts approved a parallel settlement offering Canadian residents up to CA$2,500 for documented out-of-pocket expenses caused by the cyberattack.

Ongoing State Lawsuits Against Chrome Holding Co.

Meanwhile, the 23andMe business faces severe pressure from state regulators in the US.

California Attorney General Rob Bonta filed a separate lawsuit against Chrome Holding Co. in the San Francisco Superior Court, seeking millions of dollars in civil fines.

Bonta accuses the firm of ignoring clear system vulnerabilities and intentionally downplaying how bad the breach actually was.

Chrome Holding Co. asked the bankruptcy court to block Bonta’s state lawsuit from moving forward.

Attorney General Bonta pushed back, arguing that the U.S. Congress never intended for bankruptcy courts to act as a haven for wrongdoers or strip state courts of their power to enforce consumer protection laws.

Moreover, Judge Walsh has not yet ruled on whether to halt California’s regulatory action.

End Note

The final judicial approval of the 23andMe data breach settlement, worth $46.75 million, provides a path to compensation for millions of affected users, the actual distribution of cash remains tied up in complex bankruptcy proceedings.

Consumers must wait for the corporate asset reconciliation to conclude before they see their payments.

More importantly, the ongoing state lawsuit from California ensures that Chrome Holding Co. will remain under intense legal scrutiny for past security failures long after the class-action funds go out.

Maria Isabel Rodrigues

Share:

Facebook
Twitter
Pinterest
LinkedIn
MR logo

Mirror Review

Mirror Review publishes well-researched news, blogs, and industry insights across business, finance, technology, leadership, and emerging markets. Backed by editorial research and trend analysis, our contributors focus on delivering accurate, relevant, and timely content for professionals, decision-makers, and industry enthusiasts.

Subscribe To Our Newsletter

Get updates and learn from the best

[uael-template id="22417"]
MR logo

Through a partnership with Mirror Review, your brand achieves association with EXCELLENCE and EMINENCE, which enhances your position on the global business stage. Let’s discuss and achieve your future ambitions.