AG Jennings Announces Multistate Settlement of Bankruptcy Claims Against 23andMe over Genetic Data Breach


A multi-state settlement of bankruptcy claims against 23andMe has been reached by Attorney General Kathy Jennings and 42 other attorneys general across the country. Recovery is limited to $18-million because of the finite amount of funds in the bankruptcy estate – and numerous other claims. Delaware will receive $159,654. 23andMe also agreed to a $46.75-million class-action settlement in the bankruptcy to provide relief to affected US customers who submitted claims by February 17 of this year. Users of 23andMe’s services who have not already done so can request deletion of their data.

Additional information from AG Jennings:

Attorney General Kathy Jennings has announced a settlement with the bankruptcy trustee for 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million customers worldwide.

“Today’s results show that my office will continue to hold companies like 23andMe accountable when they fail to safeguard sensitive personal data collected from Delawareans,” said Attorney General Kathy Jennings. “We’re going to keep using all of the tools we have, including vigorous enforcement of the Delaware Personal Data Privacy Act, to ensure Delawarean’s personal data is well-protected.” 
 
In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including 16,479 in Delaware. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.  
 
23andMe learned about the breach months after impacted personal information was publicly available. They first denied a breach before later confirming it and then blaming consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the credential stuffing breach, which was particularly egregious considering 23andMe’s partnership with MyHeritage, an entity that was compromised years prior in an event that led to the exposure of thousands of credentials shared between the websites.  
 
In the immediate aftermath of the data breach, AG Jennings and the other 42 attorneys general formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:  
  • Failing to employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords or requiring multifactor authentication;   
  • Failing to implement appropriate rate limiting or intrusion prevention;  
  • Failing to implement logging and monitoring or other tools likely to detect a data breach;  
  • Failing to appropriately investigate and/or address unusual login in patterns, including, for example, a massive spike in login attempts;  
  • Failing to remediate known vulnerabilities; and 
  • Failing to properly review and test design features.
     
In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation.  As part of the bankruptcy proceedings, the assets – notably 23andMe’s consumer data – were sold to TTAM Research Institute, a non-profit formed by 23andMe founder and former CEO Anne Wojcicki.  The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy.  Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an Advisory Board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer deletion rights. These terms will make sure that TTAM Research Institute, now re-registered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.    
 
Delaware objected to the genetic data sale to TTAM Research Institute in the bankruptcy proceedings and only withdrew the objection after TTAM Research Institute agreed to additional data privacy protections and consumer rights to control their genetic data. Users of 23andMe’s services can request deletion of their data here. Delawareans can also learn more about their data privacy rights at privacy.delaware.gov.