23andMe has reached a $30 million settlement to resolve a lawsuit related to a data breach that exposed the personal information of 6.9 million customers. The 23andMe data breach, which unfolded over approximately five months starting in April 2023, has prompted the company to also offer three years of security monitoring to affected individuals.
This settlement aims to address accusations that 23andMe failed to adequately protect its customers’ privacy and did not inform certain groups that their data was specifically targeted by hackers. The legal resolution, which was preliminarily filed in federal court in San Francisco late Thursday, is pending final approval from the judge.
Massive Settlement in 23andMe Data Breach Case
The proposed settlement includes cash payments to customers whose data was compromised, alongside enrollment in a Privacy & Medical Shield + Genetic Monitoring program for three years. This program is designed to provide ongoing protection and monitoring in response to the 23andMe data breach.
23andMe has described the settlement as fair, adequate, and reasonable in a Friday court filing. The company also noted its “extremely uncertain financial condition” and requested that the judge pause arbitrations by tens of thousands of class members until the settlement is either approved or they choose not to participate. The company believes that this settlement is in the best interest of its customers and anticipates that approximately $25 million of the settlement costs will be covered by its cyber insurance.
The 23andMe cyberattack affected nearly half of the 14.1 million customers in the company’s database at the time. Hackers accessed 5.5 million DNA Relatives profiles, which allow customers to connect and share information, as well as data from 1.4 million customers using the Family Tree feature.
Response to the 23andMe Cyberattack
The plaintiffs’ lawyers have indicated that the settlement addresses the core issues raised by their clients and reflects the risks associated with further litigation, especially given 23andMe’s financial struggles. The company reported a loss of $69.4 million on revenue of $40.4 million for the quarter ending June 30.
In response to these financial pressures, 23andMe’s co-founder and Chief Executive Anne Wojcicki has been attempting to take the company private, following its initial public offering at $10 per share. Since mid-December, the company’s shares have been trading below $1.
The case, titled In re 23andMe Inc Customer Data Security Breach Litigation, is being heard in the U.S. District Court for the Northern District of California under case number 24-md-03098. The plaintiffs’ legal team may seek up to 25% of the settlement amount in legal fees.