Attorney General Jennifer Davenport Announces Multistate Settlement of Bankruptcy Claims Against 23andMe Over Genetic Data Breach
|
The settlement includes $150 million in allowed claims for states. Due to the finite amount of funds in the bankruptcy estate and numerous other claims, recovery is limited to $18 million but will be paid out of available bankruptcy funds immediately. Of the $18 million available to the states, New Jersey will receive nearly $410,000. In addition, 23andMe also agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims by February 17, 2026. “For years, 23andMe took advantage of New Jerseyans and put their most sensitive data at risk. 23andMe obtained people’s DNA, failed to keep that sensitive genetic information secure, and then failed to tell consumers when a data breach occurred,” said Attorney General Davenport. “Today’s settlement holds 23andMe accountable for its misleading statements and its failure to protect the DNA profiles of customers. We will always stand on your side against corporations that mislead the public and endanger your privacy.” “Preventing a data breach is always better than letting one occur, especially when it comes to DNA data, the most sensitive type of information out there,” said Jeremy E. Hollander, Acting Director of the Division of Consumer Affairs. “As today’s settlement underscores, companies must act to protect consumers from a leak of their personal information.” In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach affecting 6.9 million consumers, including 148,585 in New Jersey. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web. 23andMe learned about the breach months after impacted personal information was publicly available. 23andMe first denied any breach had occurred. Then, once it confirmed the breach, it blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the breach, which was particularly egregious considering 23andMe’s partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites. In the immediate aftermath of the data breach, the attorneys general launched a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:
In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation. As part of the bankruptcy proceedings, the assets – including 23andMe’s consumer data – were sold to TTAM Research Institute, a nonprofit formed by 23andMe founder and former CEO Anne Wojcicki. The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an advisory board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer deletion rights. These terms will ensure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward. Attorney General Davenport joined the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, North Carolina, North Dakota, New Hampshire, New Mexico, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia in today’s settlement. The State was represented in this matter by Deputy Attorneys General Mehnaz Rahim and Ethan B. Rubin, under the supervision of Data Privacy & Cybersecurity Section Chief Thomas Huynh and Assistant Attorney General Kashif T. Chand, within the Affirmative Civil Enforcement Practice Group of the Division of Law. Investigator Aziza Salikhova of the Office of Consumer Protection within the Division of Consumer Affairs conducted the investigation. |
More News from Raritan
- Affinity Federal Credit Union President’s Invitational Golf Outing Raises $254,000 for Community Grants and Member Relief Exceeding last year’s sum by over $40,000, these proceeds support the communities served by Affinity across New Jersey, New York, and Connecticut
- Leader of Violent Trenton Street Gang Sentenced to Life in Prison for Murder, Racketeering and Other Crimes The investigation revealed that the drug operation was run by GMB gang members, under the leadership of Willis.