Genetic testing company 23andMe will pay $30 million to settle a class-action lawsuit related to a data breach that compromised the personal information of millions of users.
Settlement Agreement
23andMe has reached a settlement in response to a class-action lawsuit filed over a significant data breach that occurred in 2023. The breach, which affected over 6.9 million of the company’s 14.1 million users, led to the exposure of sensitive personal information. The $30 million settlement aims to provide compensation to those affected and to offer enhanced security measures moving forward.
Under the settlement, which has been submitted for preliminary approval in a San Francisco federal court, affected customers will receive cash payments and gain access to a three-year security monitoring program known as *Privacy & Medical Shield + Genetic Monitoring*. This program is designed to provide ongoing protection and help guard against future security threats.
In its court filing, 23andMe described the settlement as “fair, adequate, and reasonable,” but also highlighted its financial difficulties as a factor in agreeing to the terms. The company has requested a temporary halt to other arbitration cases filed by class members until the settlement is finalized or they opt out.
Details of the Breach
The breach, disclosed in October 2023, was linked to a “credential stuffing” attack, in which hackers used previously leaked login credentials to access user accounts. The attack exposed customer data, including names, birth dates, and ancestry information, and especially affected those who used the DNA Relatives feature to connect with family members.
The breach particularly targeted individuals of Chinese and Ashkenazi Jewish heritage, with their information appearing for sale on the dark web. This led to criticism that 23andMe failed to notify these specific groups adequately about the nature of the attack and the sale of their data.
Lawsuit and Financial Impact
In January 2024, affected customers filed a class-action lawsuit against 23andMe in San Francisco, accusing the company of inadequate data protection and poor notification practices. The lawsuit demanded compensation and called for stronger security measures.
The breach has had a severe impact on 23andMe, which was already facing financial challenges. It lasted from April to September 2023 and affected nearly half of the company’s customer base. Following the public disclosure of the breach, 23andMe’s stock price fell sharply.
CEO Anne Wojcicki’s attempt to take the company private earlier this year was rejected by a special committee last month, reflecting the financial strain on the company. The settlement agreement acknowledges these financial difficulties, noting that a higher judgment could be “uncollectable.”
Insurance Coverage
The company expects its cyber insurance to cover about $25 million of the $30 million settlement, which includes legal expenses. This support is crucial in mitigating the financial impact on 23andMe, but the company still faces uncertainties due to reputational damage and declining stock value.
The proposed settlement must receive final approval from the federal court before it can be implemented. Once approved, affected customers will be able to claim compensation and enroll in the security monitoring program.
This settlement marks a significant step in resolving the data breach issue for 23andMe. The company has committed to improving its security measures and rebuilding customer trust. As the court reviews the settlement, customers will be waiting to see if it provides both financial relief and enhanced protection for their personal data.