23andMe reaches $30m settlement after data breach impacts millions

The genetic testing and ancestry company 23andMe has agreed to a $30 million settlement of a class-action lawsuit over a 2023 credential-stuffing incident that exposed the personal information of about 6.9 million users.

What happened

23andMe first acknowledged the breach in October 2023. At the time, it said that threat actors had gained unauthorized access to approximately 14,000 user accounts, about 0.1% of its customer base, by credential stuffing: logging in with username and password pairs that had been exposed in breaches of other services and reused on 23andMe. The full scope was not disclosed until December 2023, when 23andMe admitted that, from those accounts, the attackers had used the opt-in DNA Relatives feature to scrape the ancestry data of roughly 6.9 million other users who had chosen to share it with their genetic matches.

The scraped information included a wide range of personal details, such as users' account information, locations, ancestry reports, DNA matches, family names, profile pictures, and birthdates. The breach also exposed the Family Tree information of about 1.4 million 23andMe customers.

Going deeper

The class-action lawsuit filed against 23andMe alleged that the company failed to adequately protect its users' personal information and did not notify affected parties in a timely manner. The lawsuit also claimed that the company neglected to inform certain users that data from individuals with Chinese or Ashkenazi Jewish heritage appeared to be specifically targeted in the breach.

As part of the proposed $30 million settlement, which is still pending judicial approval, affected users would be eligible for various forms of compensation including payments to cover expenses related to identity theft protection, physical security systems, and mental health treatment. Additionally, users living in states with genetic privacy laws would receive specific payments, and all affected individuals would be granted three years of access to advanced "Privacy & Medical Shield + Genetic Monitoring" services.

 

What was said

In a statement, 23andMe acknowledged the settlement agreement but admitted no wrongdoing. The company stated that it believes the settlement is in the best interest of its customers and that it looks forward to finalizing the agreement.

Notably, the company also revealed that approximately $25 million of the settlement and related legal expenses are expected to be covered by its cyber insurance policy.

 

Why it matters

The 23andMe data breach and the ensuing legal action draw attention to the privacy and security of genetic information. With a growing number of people using genetic testing and ancestry services, safeguarding this data has become a pressing challenge. The breach exposed millions of users' personal details and revealed weak points in how access to this sensitive information is authenticated and in how much one compromised account can see of other users' data. The $30 million settlement illustrates the financial and reputational damage that companies can face when security measures fall short.

 

FAQs

What is a data breach?

A data breach is an incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, Social Security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.

Can legal action result from a data breach?

Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.

 

How can healthcare organizations prevent data breaches?

Healthcare organizations can reduce the risk of data breaches by requiring multi-factor authentication, rejecting passwords that are known to have appeared in other breaches, rate-limiting and monitoring logins for credential stuffing, limiting how much of other users' data a single account can read, encrypting sensitive data at rest and in transit, and conducting regular security training for employees.
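To make the credential-stuffing point concrete, the following Python script is an added example (not code from the original article or from 23andMe) that scores login events per source IP. A client that tries many distinct accounts in a short window and mostly fails is the signature of replayed leaked credentials, and the few successes inside that burst are the accounts to lock and reset; a single user fumbling their own password never trips the check because the account count stays at one. The four-column log format, the sample lines and the thresholds are all constructed assumptions for the example.

```python
"""Flag credential-stuffing activity in web-login events.

Credential stuffing replays username/password pairs leaked from other sites,
so the signature is one client trying many *distinct* accounts in a short
window, mostly failing, with a trickle of successes. This added example
(not 23andMe code) scores each source IP over a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (assumed format, not real data):
# <ISO-8601 UTC timestamp> <client_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2023-10-01T12:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T12:00:02Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T12:00:02Z 203.0.113.7 carol LOGIN_OK
2023-10-01T12:00:03Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T12:00:03Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T12:00:04Z 203.0.113.7 frank LOGIN_FAIL
2023-10-01T12:00:05Z 203.0.113.7 grace LOGIN_OK
2023-10-01T12:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T12:00:06Z 203.0.113.7 ivan LOGIN_FAIL
2023-10-01T12:00:06Z 203.0.113.7 judy LOGIN_FAIL
2023-10-01T12:01:10Z 198.51.100.5 alice LOGIN_FAIL
2023-10-01T12:01:20Z 198.51.100.5 alice LOGIN_FAIL
2023-10-01T12:01:40Z 198.51.100.5 alice LOGIN_OK
2023-10-01T12:02:00Z 192.0.2.9 mallory LOGIN_OK
"""

Event = Tuple[datetime, str, str, bool]  # (time, ip, user, succeeded)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed four-column format into time-sorted events."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, user, outcome == "LOGIN_OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(
    text: str,
    window: timedelta = timedelta(minutes=5),
    min_accounts: int = 5,
    min_fail_ratio: float = 0.5,
) -> Dict[str, dict]:
    """Return {ip: summary} for every IP whose worst window looks like stuffing.

    A window is suspicious when it covers at least `min_accounts` distinct
    usernames and at least `min_fail_ratio` of its attempts failed.
    """
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for when, ip, user, ok in parse_log(text):
        by_ip[ip].append((when, user, ok))

    findings: Dict[str, dict] = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end, (when, _, _) in enumerate(attempts):
            # Slide the window start forward so attempts[start:end+1] spans <= window.
            while attempts[start][0] < when - window:
                start += 1
            span = attempts[start:end + 1]
            accounts = {user for _, user, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(accounts) < min_accounts or failures / len(span) < min_fail_ratio:
                continue
            worst = findings.get(ip)
            if worst is None or len(accounts) > worst["accounts"]:
                findings[ip] = {
                    "attempts": len(span),
                    "accounts": len(accounts),
                    "failures": failures,
                    # Successful logins inside a stuffing burst are the hits:
                    # these accounts need a forced reset and session revocation.
                    "compromised": sorted(user for _, user, ok in span if ok),
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['accounts']} accounts, "
              f"{info['failures']}/{info['attempts']} failed, "
              f"compromised={info['compromised']}")
```

On the constructed log only 203.0.113.7 is reported (ten accounts, eight failures, with carol and grace as the accounts that were successfully entered); 198.51.100.5 is one user retrying their own password and is left alone. In production the same scoring should also be keyed on ASN and on the account side (one account hit from many IPs), since stuffing tools rotate through proxy pools.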

 

What should a healthcare organization do immediately after discovering a data breach?

Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.

 

 
