The 2023 23andMe data breach and the legal case that followed have been settled, with attorneys general from 41 states, led by Delaware and Maryland, announcing an agreement with the now-shuttered genetic testing company’s bankruptcy team.
One of the largest and most consequential privacy failures involving consumer genetic data, the October 2023 breach exposed the personal information of 6.9 million customers worldwide. Scammers were able to access the company’s databases, which contained customer information, including family ancestries, names, addresses and contact information. Some of that data was later sold on the dark web, investigators reported.
State investigators accused 23andMe of failing to address the issue and promoting the idea that customers were responsible for the breach.
Thanks for subscribing!
The money news that actually matters.
By signing up, you accept Moneywise Terms of Use, Subscription Agreement, and Privacy Policy.
“23andMe learned about the breach months after impacted personal information was publicly available,” the Delaware Department of Justice stated in a media release. “They first denied a breach before later confirming it and then blaming consumers for how their accounts were set up or how passwords were used.”
For 23andMe victims, it’s all in the family
Data security experts say the 23andMe case stands out because it involved genetic information in addition to the usual data exposed in cyber breaches, such as names, dates of birth, contact information and Social Security numbers.
Unlike a stolen credit card number, genetic information is permanent. You can’t change your DNA, and the multi-state investigation focused heavily on that concern.
“Courts and federal and state governments should treat genetic data breaches much more distinctly than financial data breaches,” Larry Huttman, a personal injury litigation attorney at Florida-based law firm Farah & Farah, told Moneywise. “However, non-economic damages are always subject to non-objective measurement.”
In legal cases, damages involving biometric data don’t easily translate into dollar amounts. Genetic information can be priceless, and the impact of a breach can vary significantly from person to person.
“However, these attorneys general were making claims on behalf of the states, not the individuals, so class action compensation is not well designed to address these areas,” Huttman said.
Cybersecurity experts agree, noting that consumers cannot change their DNA the way they can cancel a stolen credit card or reset a password.
“It reveals lifelong health and insurance-related risks, ancestry details, and family connections without the consent of relatives,” digital identity protection expert Raj Ananthanpillai told Moneywise.
That creates unique risks that can last for generations. Settlement amounts, like those in the 23andMe case, may not fully reflect those lifelong harms, while bankruptcy proceedings can further reduce what victims ultimately receive.
“Stronger remedies such as higher statutory damages, mandatory impact assessments, and dedicated victim funds are needed to match the irreversible nature of the breach and provide fairer compensation,” Ananthanpillai said.
Must Read
- The ultra-rich use these 5 real estate strategies to build wealth while they sleep — you can start with just $100
- Here’s the average income of Americans by age in 2026. Are you keeping up or falling behind?
- Insurance companies profit most from drivers who auto-renew without shopping around. Comparing 100+ quotes takes 2 minutes and costs nothing
Join 250,000+ readers and get Moneywise’s best stories and exclusive interviews first — clear insights curated and delivered weekly. Subscribe now.
Unique inefficiencies mar the 23andMe case
The 23andMe breach may eventually be viewed as more than an isolated failure. Instead, it highlights broader weaknesses in how consumer DNA testing companies manage and protect highly sensitive information.
“The company failed to implement basic defenses against well-known threats such as credential stuffing despite the extraordinarily personal nature of the data involved,” Ananthanpillai said.
Weak security standards used by 23andMe also reflect broader industry complacency, where rapid growth, research partnerships and data sharing take priority over strict security protocols.
“Many firms in this space lack specialized safeguards tailored to biometric and genetic information,” Ananthanpillai said. “The incident underscores the need for elevated, mandatory standards that go well beyond general cybersecurity rules to prevent similar vulnerabilities across the sector.”
Key steps if you have stored family data
Consumers using genetic testing services should take extra precautions when sharing family information.
“A stolen card number is a hassle, but a bank can cancel the account and replace the card in days,” Paul Ferrara, senior wealth counselor at Toronto-based Avenue Investment Management, told Moneywise. “Genetic data doesn’t operate in the same way. The leaked genetic profile might come back out in the future for insurance purposes, family research.”
Ferrara advises clients to submit a written request for any data they want deleted rather than assuming an online form will erase it. He also recommends checking whether they reused passwords connected to the accounts.
“None of these will reverse the exposure, but they will limit the damage that can result from exposure,” he added.
You May Also Like
- JP Morgan sees gold hitting $6,000/oz before 2027 — and a Gold IRA lets you hold the physical metal while deferring the tax bill. Get your free guide from Priority Gold
- Dave Ramsey warns nearly 50% of Americans are making 1 big Social Security mistake — here’s what it is and the simple steps to fix it ASAP
- Thanks to Jeff Bezos, you can now become a landlord for as little as $100 — and no, you don't have to deal with tenants or fix freezers. Here's how
- Millionaires under 43 are reshaping investing — just 25% of their portfolios are in stocks. Here’s where their money is going
A former Wall Street bond trader, Brian O'Connell is the author of two best-selling books: “The 401k Millionaire” and “CNBC’s Creating Wealth.” His work is featured on national finance and business platforms like TheStreet.com, CBS News, CNN, The Wall Street Journal and Forbes.
