23andMe data breach class-action lawsuit: What it entails and what to know about $30M settlement

Around a year ago, 23andMe had a data breach that led to 6.9 million profiles being accessible. Now, the company has agreed to pay a $30 million settlement after a class-action lawsuit was brought against it.

In December 2023, the ancestry and genetics company reported that "threat actors" used about 14,000 accounts to access the ancestry data of 6.9 million profiles. The hackers reportedly obtained usernames and passwords from other compromised websites where users had used the same credentials as on 23andMe, according to the company.

The leaked data contained users' account information, location, ancestry reports, DNA matches, family names, profile pictures, birthdates and more.

Here's a look at what the lawsuit included and how people can make a claim.

What did the 23andMe lawsuit entail?

According to reports from USA TODAY, a class-action suit was filed in January in San Francisco, accusing 23andMe of failing to adequately protect users' personal information. The lawsuit also accused the company of neglecting to notify certain users that data from people with Chinese or Ashkenazi Jewish heritage appeared to be targeted in the breach.

What was exposed in the 23andMe data breach?

The accessed data contained personal and family information, according to the company, including:

DNA relatives' profile information

  • Display name

  • How recently they logged into their account

  • Their relationship labels

  • Their predicted relationship and percentage DNA shared with their DNA Relatives matches

  • Their ancestry reports and matching DNA segments, specifically where on their chromosomes they and their relative had matching DNA

  • Self-reported location (city/zip code)

  • Ancestor birth locations and family names

  • Profile picture, birth year

  • A weblink to a family tree they created, and anything else they may have included in the “Introduce yourself” section of the profile

Family tree information

  • Display name

  • Relationship labels

  • Birth year

  • Self-reported location (city/zip code)

Did 23andMe claim any wrongdoing in the settlement?

No.

The $30 million settlement did not include any claims of wrongdoing by the company in this incident.

What are the terms of the 23andMe class action lawsuit?

Terms of the settlement include:

  • Payment to those affected by the security incident to cover expenses like those incurred fighting identity theft, installing physical security systems, or seeking mental health treatment

  • Payments to those living in states with genetic privacy laws

  • Payments to all those who had health information leaked

  • Three years of access to state-of-the-art "Privacy & Medical Shield + Genetic Monitoring" for all settlement members who enroll

How do I make a claim in the 23andMe class-action lawsuit?

You'll have to wait a while before you can make a claim.

As of this week, a judge still needs to approve the settlement before any information will be released to those who can make a claim in this lawsuit.

"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident," 23andMe told USA TODAY in a statement. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement."

Contributing: Amaris Encinas and James Powel, USA TODAY

This article originally appeared on Nashville Tennessean: 23andMe data breach lawsuit reaches settlement: Here's what to know