Victims of the 2023 data breach at 23andMe will receive USD$46.75 million in compensation after a California bankruptcy judge approved a settlement on Tuesday.
The ruling requires Chrome Holding, which acquired control of the genetics testing company through bankruptcy proceedings, to fund the payment for people affected by the cyberattack.
Additionally, the court ordered the money transferred to Kroll Restructuring within five business days. Kroll will distribute the settlement funds directly to eligible victims. The company suffered widespread criticism after hackers exposed sensitive genetic information belonging to about 6.9 million people.
The attackers initially compromised roughly 14,000 customer accounts but later accessed millions of additional profiles through relatives connected to those accounts, greatly expanding the breach’s impact. However, the court documents did not specify how many people will ultimately receive compensation. The BBC said it contacted lawyers representing the victims for that information.
Chrome Holding acquired 23andMe after the company entered bankruptcy and later transferred its assets to TTAM Research Institute, an organization operated by co-founder Anne Wojcicki following a successful USD$305 million bankruptcy auction bid.
Meanwhile, 23andMe filed for bankruptcy about 18 months after the cyberattack occurred. The company collects DNA samples through consumer testing kits and creates detailed genetic profiles for customers.
Those profiles can include information about ancestry, inherited traits, health markers and family relationships.
Furthermore, regulators concluded the company failed to adequately protect that sensitive information before the breach occurred, leading to investigations and financial penalties in multiple jurisdictions. Britain’s Information Commissioner’s Office fined the company GBP£2.31 million after determining its security measures fell short.
Read more: Robotic hand maker Tesollo initiates IPO proceedings
Read more: Regeneron Pharmaceuticals gets access to biometric data for 15 million people
Multiple privacy concerns remain about DNA testing services
Additionally, California Attorney General Rob Bonta sued the company in May, alleging investigators found weak data protection practices. 23andMe continues selling DNA testing kits despite its financial troubles has never reported an annual profit.
Privacy concerns surrounding consumer DNA testing services have intensified since the 2023 cyberattack at 23andMe. Experts warn that genetic information presents unique risks because it cannot be changed like a password or credit card number.
The breach exposed data belonging to roughly 6.9 million people after hackers initially gained access to about 14,000 customer accounts. After which, they expanded their reach through the company’s DNA Relatives feature. Bonta has become one of the most vocal public officials on the issue. Bonta further urged customers to exercise their rights under California law by deleting their genetic data and requesting the destruction of any stored DNA samples. He warned that the company held a large volume of sensitive personal information. He also reminded consumers that state privacy laws allow them to request its deletion.
Privacy scholars have also questioned whether current laws adequately protect genetic information held by direct-to-consumer testing companies. I. Glenn Cohen, faculty director of the Petrie-Flom Center at Harvard Law School, argued that customers who submit DNA to companies like 23andMe are generally treated as consumers rather than patients. This means that federal health privacy laws such as HIPAA do not fully apply. He and other researchers have called for stronger federal safeguards covering genetic data. This is particularly salient for when companies face bankruptcy or asset sales.
.