23andMe Settles with 42 States for $18 Million Over Data Breach
Genetic testing company 23andMe has agreed to an $18 million settlement with 42 state attorneys general over cybersecurity failures that led to a massive data breach.

Genetic testing company 23andMe has reached an $18 million settlement with a coalition of 42 state attorneys general, addressing significant cybersecurity failings that resulted in a data breach exposing the information of 6.9 million individuals. The agreement, announced Tuesday, also mandates new data protection measures for the 23andMe Research Institute, a nonprofit established by CEO Anne Wojcicki that absorbed the company's assets, including sensitive genetic data.
The settlement requires the 23andMe Research Institute to conduct regular risk assessments and appoint a dedicated board to oversee its data security practices. Furthermore, it reaffirms customers' rights to have their genetic samples destroyed and their personal data permanently deleted. This legal resolution stems from a data breach that 23andMe reportedly did not discover until months after it occurred in October 2023, with some of the stolen data subsequently appearing on the dark web.
According to a press release from New York Attorney General Letitia James' office, 23andMe initially denied the breach and later blamed consumers for account configurations and password usage. The multistate investigation, launched shortly after the breach, identified several critical security lapses. These included a lack of protections against credential stuffing attacks, insufficient intrusion prevention systems, inadequate logging and monitoring for breaches, and a failure to patch known vulnerabilities.
The company also reportedly neglected to monitor for atypical login patterns or conduct security testing on new design features. These revelations come after 23andMe filed for bankruptcy protection in March 2025. In June, a bankruptcy court approved a $47 million settlement fund for victims of the breach.
In July 2025, the 23andMe Research Institute, then known as the TTAM Research Institute, acquired 23andMe's assets for $305 million. This acquisition included the genetic data of customers who had not requested its destruction, as noted in a 2023 company press release. The institute has committed to adhering to 23andMe's privacy policy, which prohibits sharing data with employers, insurers, public databases, and law enforcement without a court order, subpoena, or warrant.
However, the institute continues 23andMe's practice of de-identified customer data sharing and selling for biomedical research purposes. This settlement highlights the ongoing challenges faced by companies handling sensitive personal and genetic information, emphasizing the need for robust security measures and proactive breach detection.
The substantial settlement and new security mandates underscore the severe consequences of inadequate cybersecurity practices, particularly when dealing with highly personal data like genetic information. It serves as a stark reminder for all organizations to prioritize and invest in comprehensive security frameworks to protect customer data from evolving threats.