Hereditary Hack: 23andMe’s $30M Settlement After 6.4 Million Stolen DNA Profiles Put Up for Sale on Dark Web

Stylized 23andMe Cybersecurity Art

The 23andMe data breach exposed 6.4 million customers' genetic information, leading to a $30 million settlement. Affected users can claim compensation and receive free identity protection services, while the company implements stricter security measures to prevent future breaches.

by
September 14, 2024

In early October 2023, leading direct-to-consumer genetic testing company 23andMe announced it had become aware that sensitive personal data of millions of customers was hacked. The stolen data, which was put up for sale on the dark web, included information derived from DNA testing like ancestry composition, health predispositions, and genetic traits.

This guide provides an in-depth look at the consolidated class action lawsuits filed against 23andMe in the wake of the data breach, the key legal issues, the proposed $30 million settlement, and what impacted customers need to know about their rights and potential recovery options.

1. Understand the Scope of the 23andMe Data Breach

    • Personal Data of 6.4 Million Compromised: 23andMe’s investigation determined a threat actor downloaded genetic data and personal info of approximately 6.4 million U.S. customers without authorization.
    • What Types of Info Was Exposed: The stolen data included name, ancestry reports, family tree info, health predispositions, traits, raw genetic data and more.
    • Hackers Targeted Sensitive Groups: Analyses of the dark web data found it contained genetic profiles of over 300K customers of Chinese descent and 1 million of Ashkenazi Jewish descent.
    • Fallout for 23andMe: 23andMe’s stock price plummeted on news of the breach as consumer trust was shaken and dozens of class action lawsuits were filed.
    • Regulatory Investigations Launched: The FTC, SEC and state attorneys general opened probes into 23andMe’s data security practices and representations to consumers.

Examples:

    • Mia, of Chinese heritage, was horrified to learn her 23andMe genetic data indicating elevated breast cancer risk based on BRCA mutations was now for sale to anyone on the dark web.
    • Andrew, an Ashkenazi Jew, couldn’t believe 23andMe allowed his family’s genetic data reflecting their ancestry to be hacked and publicized, making him feel exposed and vulnerable.
    • Carmen was furious 23andMe’s lax security practices led to criminals getting ahold of her raw genetic data and health predispositions that she considered highly private.
    • Joe, a 23andMe investor, watched in disbelief as the company’s stock tanked over 50% in the days after the breach, wiping out millions in shareholder value.
    • Reggie, an FTC investigator, was tasked with uncovering how 23andMe’s security measures failed so badly and whether it misled customers about data protections.

How It Affects You:

    • If you’re a 23andMe customer, your genetic data and personal info may have been compromised in the breach, exposing you to privacy violations and potential misuse of your sensitive data.
    • You may be a member of the class action lawsuits filed against 23andMe and eligible for compensation from the $30 million settlement fund.
    • You may want to take extra precautions to secure all accounts and monitor for signs of identity theft or fraud, as genetic data could be used as a biometric identifier.
    • Those with “anonymous” 23andMe profiles are still at risk, as genetic data itself can be used to re-identify people by cross-referencing with public databases.
    • As government agencies investigate 23andMe’s practices, additional regulatory action, penalties or mandated security changes may be forthcoming.

FAQs:

    • How do I know if my data was stolen in the 23andMe breach? 23andMe should have notified all impacted customers, but you can also contact their support channels to inquire about your data status.
    • What are the risks of my genetic data being exposed? Potential risks include genetic discrimination by insurers or employers, being re-identified even if your data was “anonymous,” and psychological distress from the privacy violation.
    • Can I trust 23andMe to keep my data secure going forward? 23andMe claims to be implementing robust security changes, but you have to decide your comfort level and if the service’s benefits outweigh the risks for you.
    • I want to delete my 23andMe data – how do I do that? 23andMe allows customers to delete their data, have their sample destroyed and close their account – visit the Privacy section of their website for instructions.
    • What if I’m not a 23andMe customer but my relative is? If your relative used 23andMe and opted into relative matching, some of your genetic data may be able to be inferred from theirs. Talk to your family about data sharing settings.

2. Dig Into the Details of the Class Action Lawsuits

    • Over 40 Class Actions Filed: After 23andMe announced the breach in October 2023, dozens of proposed class action lawsuits were quickly filed in state and federal courts across the country.
    • Common Claims Asserted: The suits generally alleged 23andMe failed to safeguard customers’ personal data, was deceptive about its security practices, and violated consumer protection and data privacy laws.
    • Specific Causes of Action: Claims included negligence, breach of contract, unjust enrichment, state genetic privacy act violations, state unfair competition and consumer protection law violations, invasion of privacy, breach of fiduciary duty, and more.
    • Consolidated in Federal MDL: In April 2024, the 40+ proposed class actions were consolidated into one federal multi-district litigation (MDL) in the Northern District of California to coordinate pre-trial proceedings.
    • Court Appoints Lead Counsel: Judge Edward Chen appointed an Executive Committee of three law firms to spearhead the litigation: Cari Laufenberg of Keller Rohrback L.L.P., Norman Siegel of Stueve Siegel Hanson LLP, and Gayle Blatt of Casey Gerry.

Examples:

    • The first class action against 23andMe was filed in the company’s home state of California just two days after the company announced the data breach.
    • A Florida class action alleged 23andMe “did not adequately safeguard users’ information, failed to timely notify users of the breach, and did not offer any remedy to Plaintiffs and Class Members.”
    • An Illinois suit claimed 23andMe violated the state’s Genetic Information Privacy Act, which allows statutory damages of $2500 per person for negligent violations and $10,000 for willful ones.
    • The many overlapping class actions created the need for an MDL to oversee and organize them, promote efficiency, and avoid inconsistent pre-trial rulings.
    • The appointed Lead Counsel have decades of experience successfully prosecuting complex consumer class actions and data breach cases.

Key Allegations Against 23andMe:

    • Inadequate Data Security – 23andMe failed to use reasonable safeguards to protect the sensitive personal genetic data with which it was entrusted.
    • Delayed Breach Notification – 23andMe waited too long to alert customers that their data was breached, preventing them from taking timely mitigating actions.
    • Misrepresentations About Security – 23andMe deceived customers about the strength of its data security practices, which were not as robust as promised.
    • Violations of State Laws – The breach violated many state data breach notification laws, consumer protection laws, and state genetic privacy acts.
    • Unjust Enrichment – 23andMe unjustly enriched itself and inflated its valuation by charging for services while failing to spend adequately on data security.

FAQs:

    • How do I know if I’m included in the class action lawsuits? The class actions aim to cover all U.S. 23andMe customers whose personal info was compromised in the breach, so if you fall in that category, you’re likely included.
    • Where can I review the class action complaints? Many are available on online legal databases like Justia or PACER – try searching “23andMe data breach class action complaint.”
    • What’s the difference between the various lawsuits? The specific named plaintiffs and state laws cited vary, but the core facts and allegations are very similar across the many suits.
    • How long will the litigation take? Class actions can take years to resolve, but filing them quickly helps preserve claims and improves settlement leverage. The consolidated MDL should promote pre-trial efficiency.
    • What do the lawsuits aim to achieve? The goals are to hold 23andMe accountable for the breach, compensate customers for losses and distress, and force 23andMe to robustly improve its data security.

3. Analyze 23andMe’s Liability for Potential Claims

    • Negligence: To prove negligence, plaintiffs must show 23andMe had a duty to protect customer data, breached that duty by failing to use reasonable data security, and caused customers compensable harm.
    • Breach of Contract: Plaintiffs can argue 23andMe breached its Terms of Service contract with customers, which promised certain data security measures that 23andMe failed to deliver.
    • State Genetic Privacy Act Violations: Several states like Alaska, California, Illinois and Oregon have genetic privacy acts that provide a private right of action and statutory damages for unauthorized disclosures of genetic data.
    • State Consumer Protection & Data Breach Laws: All 50 states have data breach notification laws and consumer protection statutes prohibiting unfair and deceptive business practices that the 23andMe breach likely violated.
    • Unjust Enrichment: Plaintiffs can claim 23andMe unjustly enriched itself at their expense by failing to spend enough on data security while collecting fees and building its valuation on their data.

Key Factors Impacting 23andMe’s Liability:

    • Nature of the Data Breached – Genetic data is extremely sensitive, immutable, and has long-term value, increasing the duty to safeguard it, potential for misuse, and harm from disclosure.
    • Representations About Data Security – 23andMe’s privacy policies and marketing touted “industry standard” security, which plaintiffs can argue were deceptive if not delivered.
    • Reasonableness of Security Measures – Forensic analysis will scrutinize whether 23andMe used data security on par with industry standards given the sensitivity of data collected and wealth of company.
    • Evidence Data Was Exfiltrated & Misused – Reports the stolen data surfaced on the dark web supports that 23andMe’s systems were compromised and increases liability exposure.
    • Timing of Breach Notifications – A key issue is whether 23andMe notified customers and regulators of the breach as promptly as required by state notification laws.

Potential Damages for 23andMe Customers:

    • Actual Losses from Identity Theft or Fraud – Customers who suffer financial losses from misuse of their breached data can seek reimbursement.
    • Statutory Damages Under State Laws – Some state genetic privacy and consumer protection laws allow statutory damages of $1-10K per violation without proof of actual losses.
    • Emotional Distress – Plaintiffs can pursue compensation for anxiety, stress and distress from the hack of their intimate genetic information.
    • Time and Effort Mitigating Breach – Customers may be able to recover for time spent monitoring accounts, fixing issues and purchasing protective services after the breach.
    • Benefit of the Bargain Losses – Plaintiffs can seek compensation for not receiving the full data security they paid for as part of 23andMe’s service.

FAQs:

    • Does 23andMe admit fault or liability for the data breach? Not yet – 23andMe’s statements express regret about the incident but don’t admit to specific legal wrongdoing. The complaints will test those issues.
    • Will 23andMe claim the hack was an unforeseen crime it couldn’t prevent? Likely yes, but plaintiffs will argue 23andMe had a heightened duty to safeguard DNA data and should have anticipated threats.
    • How might 23andMe try to avoid or limit liability? It may point to liability waivers in its Terms of Service, argue plaintiffs lack standing or provable damages, or claim compliance with applicable laws.
    • Will the lawsuits be hard to prove without a forensic investigation? Detailed forensics would help, but complaints can sufficiently allege violations based on 23andMe’s statements and facts known so far to start the case.
    • What if 23andMe files for bankruptcy – will that limit its liability? Bankruptcy could pause the lawsuits and cap 23andMe’s liability at its available assets, but plaintiffs would still share in those assets as creditors.

4. Break Down the Proposed $30 Million Settlement

    • $30M Non-Reversionary Settlement Fund: 23andMe agrees to pay $30 million to settle the consolidated class action lawsuits, with no reversion of unclaimed funds back to the company.
    • Extraordinary Expense Reimbursement: Class Members can claim up to $10,000 for documented losses or expenses fairly traceable to the data breach.
    • Statutory Damage Payments: Residents of California, Illinois, Alaska and Oregon can claim an additional cash payment expected to be ~$100 each due to violations of state genetic privacy laws.
    • Health Information Breach Compensation: Class Members whose health info like medical reports, pharmacogenetics or health predispositions was breached get an extra $100 each.
    • Free Identity & Financial Monitoring: All Class Members are eligible for 3 years of free financial/credit monitoring and identity theft protection services.

Key Non-Monetary Settlement Terms:

    • Mandatory Two-Factor Authentication – 23andMe commits to make 2FA mandatory on all customer accounts within 6 months.
    • Enhanced Security Monitoring – 23andMe agrees to undertake external cybersecurity audits annually for 3 years to identify and remediate any security gaps.
    • Improved Employee Training – 23andMe will implement comprehensive cybersecurity and privacy training for all personnel with access to sensitive customer data.
    • Option to Delete Data – 23andMe will email all Class Members instructions on how to request permanent deletion of their data and biological samples from 23andMe.
    • Restrictions on Data Retention – 23andMe will shorten its default data retention periods and purge inactive customers’ data sooner to limit exposure.

What to Expect Next:

    • Preliminary Approval Hearing – The parties have filed a joint motion asking Judge Chen to grant preliminary approval of the settlement, with a hearing set for October 17, 2024.
    • Class Member Notifications – If preliminary approval is granted, all Class Members will receive direct email/mail notice about the settlement and how to file claims or opt-out.
    • Claim Filing Process – Class Members will have 90 days to file online claims for the cash payments and monitoring services and provide any required documentation.
    • Objections & Opt-Outs – Class Members who wish to object to or opt out of the settlement will have 35 days to file objections with the Court or submit opt-out requests.
    • Final Approval Hearing – A final approval hearing will likely be set in Q2 2025 for the Court to consider any objections and decide whether to grant final approval of the deal.

FAQs:

    • Who is eligible for benefits under the 23andMe settlement? The Class includes all U.S. 23andMe customers whose personal info was compromised in the breach announced in Oct. 2023.
    • How much money will Class Members likely receive? It depends on how many people file valid claims, but most Class Members can expect ~$100, with extra for those with documented losses or in certain states.
    • Is the settlement a good deal for consumers? The $30M fund, free monitoring, and security commitments represent a strong recovery given the challenges of proving harm from the breach.
    • Why would 23andMe settle instead of fight the lawsuits? Settlement avoids the risks and costs of drawn-out litigation, caps liability via the release, and allows 23andMe to move forward.
    • What happens if the Court rejects the settlement? If the deal is not approved, the parties would either renegotiate the terms to address the Court’s concerns or resume active litigation.

Summary

Colorful abstract representation of a hacker using a laptop

Did You Know? Over 30 million people have taken direct-to-consumer genetic tests like 23andMe’s DNA kits and entrusted those companies with their genetic data, making robust security for that sensitive information critical.

The theft and dark web sale of 23andMe customers’ genetic data represents a landmark cybersecurity and privacy incident. The breach compromised the DNA info, health insights and identities of over 6 million customers and shook consumer trust in the fast-growing genetic testing industry.

The dozens of class action lawsuits filed against 23andMe seek accountability and compensation for victims, alleging the company’s lax data security violated consumer protection laws, contracts, and privacy rights. While 23andMe contests liability, it has agreed to a $30 million settlement to resolve the claims.

Under the proposed deal, impacted customers can claim cash payments for documented losses, time and stress from the breach, with extra compensation available for genetic privacy law violations. All class members also get free credit monitoring and identity theft assistance.

Beyond the monetary relief, the settlement seeks to drive industrywide cybersecurity improvements, with 23andMe committing to implement multi-factor authentication, regular audits, enhanced employee training, and stricter limits on data retention and purging. Customers will also gain a clear path to request deletion of their data.

As the consolidated cases move through the settlement approval process, 23andMe customers and other genetic testing consumers should closely monitor the proceedings, understand their rights, and take steps to secure their sensitive health data. This historic settlement has major implications for the future of consumer genetic privacy.

Protecting Your Data and Beyond: Legal Resources for Various Needs

The 23andMe settlement highlights the importance of data privacy, but legal challenges can arise in many areas of life. Consider these steps to protect your personal and genetic data:

  • Regularly monitor your accounts for suspicious activity
  • Use strong, unique passwords for all online accounts
  • Be cautious about sharing personal information online
  • Stay informed about data privacy laws and your rights

 

For ongoing legal support in data privacy and beyond, LawInc offers connections to vetted attorneys across all states and practice areas, including:

  • Data privacy and cybersecurity
  • Consumer protection
  • Class action lawsuits
  • Personal injury
  • Business law
  • Intellectual property
  • Family law
  • And many more

 

Legal Help for all your legal needs, including data privacy and consumer protection.

Need legal guidance in any area? Contact LawInc to explore your options and get expert support.

Test Your 23andMe Data Breach Knowledge

Questions: 23andMe Data Breach 101

    • 1. How many 23andMe customers had their genetic and personal data exposed in the 2023 breach?
      • A) 640,000
      • B) 6,400,000
      • C) 64,000
      • D) 640
    • 2. Which groups did hackers appear to target in collecting breached genetic data?
      • A) People of Chinese descent
      • B) People of Ashkenazi Jewish descent
      • C) Both A and B
      • D) Neither A nor B
    • 3. What sensitive health information was compromised for some customers?
      • A) Health predisposition reports
      • B) Carrier status reports
      • C) Wellness reports
      • D) All of the above
    • 4. Where did the hackers post the stolen 23andMe customer data for sale?
      • A) The dark web
      • B) Facebook Marketplace
      • C) eBay
      • D) Amazon
    • 5. What happened to 23andMe’s stock price immediately following announcement of the data breach?
      • A) Rose 10%
      • B) Stayed the same
      • C) Fell over 50%
      • D) Was delisted from NASDAQ

Answers: 23andMe Data Breach 101

    • 1. B) 23andMe reported that approximately 6.4 million customers’ data was compromised in the breach.
    • 2. C) Analyses found the stolen dataset for sale contained info on over 1 million 23andMe users of Ashkenazi Jewish descent and over 300,000 of Chinese heritage.
    • 3. D) For some customers, the breach exposed sensitive health predisposition, wellness, and carrier status genetic reports.
    • 4. A) The hackers put the 23andMe customer data up for sale on the dark web, an anonymous part of the internet often used for illegal activity.
    • 5. C) 23andMe’s stock price plummeted over 50% in the days immediately following its announcement of the customer data breach.

Questions: Legal Issues & Settlement Basics

    • 1. How many class action lawsuits were filed against 23andMe relating to the data breach?
      • A) Over 10
      • B) Over 20
      • C) Over 30
      • D) Over 40
    • 2. What did the lawsuits generally allege 23andMe did wrong related to the data breach?
      • A) Failed to adequately safeguard customers’ personal data
      • B) Misrepresented its data security practices to customers
      • C) Violated data breach notice and consumer protection laws
      • D) All of the above
    • 3. What amount has 23andMe agreed to pay to settle the consolidated class actions?
      • A) $3 million
      • B) $13 million
      • C) $23 million
      • D) $30 million
    • 4. What is the maximum documented loss reimbursement amount available under the settlement?
      • A) $100
      • B) $1,000
      • C) $10,000
      • D) Unlimited
    • 5. How many years of free credit monitoring and ID theft protection does the settlement provide class members?
      • A) 1 year
      • B) 2 years
      • C) 3 years
      • D) 5 years

Answers: Legal Issues & Settlement Basics

    • 1. D) After the breach announcement, over 40 proposed class actions were filed against 23andMe in federal and state courts nationwide.
    • 2. D) The lawsuits accused 23andMe of failing to secure data, misleading customers about its practices, and violating data privacy and consumer laws.
    • 3. D) 23andMe has agreed to a $30 million non-reversionary settlement fund to resolve the consolidated class action litigation.
    • 4. C) The settlement allows class members to claim reimbursement of up to $10,000 for documented out-of-pocket losses related to the data breach.
    • 5. C) All settlement class members are eligible for 3 years of free credit monitoring and identity theft protection services.

Disclaimer

Class action settlement terms are subject to change and court approval. eligibility for benefits depends on factors unique to each class member’s situation. Please consult the official settlement website and/or an attorney for the most up-to-date information and to understand your specific rights.

If you believe your data may have been compromised in the 23andMe breach or have questions about participating in the settlement, please contact a qualified attorney.

Important Case Documents

Need Legal Help?

If you need legal assistance, in any field of law, our free concierge service can connect you with experienced attorneys in any practice area and state. Contact us to learn more.

Also See

Unfair ATM Fees? Get Your Money Back from Visa & Mastercard’s $197.5 Million Payout

BuzzFeed’s $9M Video Privacy Settlement: Are You Owed Cash & Free Subscription?

Cash App’s $15M Data Breach Settlement: Claim Your Cut ASAP

Oracle’s $115M Privacy Bombshell: How to Claim Your Share of the Historic Settlement

Facebooktwitterredditpinterestlinkedinmail