States Finalize 23andMe Data Breach Settlement, Securing Funds and Future Genetic Data Safeguards

State-by-state counts and payouts: Connecticut will receive $887,729; Delaware $159,654; New Hampshire $187,490 as part of the $18 million cap, with millions affected overall (CT 65,766; DE 16,479; NH 31,192) across the 6.9 million affected individuals.
Credential-stuffing breach and MyHeritage link: The multistate investigation cited unreasonable data-security practices, including failing to employ safeguards against credential stuffing, and noted 23andMe’s partnership with MyHeritage—an arrangement tied to prior credential exposures—along with initial denial and later blame of consumers for account setups.
TTAM Research Institute designated as the new data custodian: The settlement requires safeguards and compliance measures for TTAM Research Institute to manage the genetic data going forward.
Direct quotes reflecting accountability: Connecticut Attorney General William Tong stated, "23andMe collected the most sensitive genetic data imaginable from millions of Americans, and they failed to safeguard that data," underscoring the push for accountability in the bankruptcy resolution.
A coalition of 42 state attorneys general has reached an $18 million settlement with the bankruptcy trustee for 23andMe over a 2023 data breach that exposed the genetic and personal data of roughly 6.9 million customers, according to Oregon Department of Justice. The settlement resolves allegations that the company used unreasonable data-security practices and was slow to acknowledge the breach.
Because 23andMe is in bankruptcy, the states' total recovery is capped at $18 million — far below the $150 million in allowed claims — and will be paid out immediately, AOL reported. Separately, a $46.75 million class-action settlement is available to compensate affected U.S. consumers who file claims by February 17, 2026.
The 2023 attack used a technique called credential stuffing. That means hackers used usernames and passwords stolen from other sites to break into 23andMe accounts. Investigators found that 23andMe failed to put basic safeguards in place to block this kind of attack, according to Oregon Department of Justice.
The breach was made worse by 23andMe's partnership with MyHeritage, a genealogy service linked to prior credential exposures. When the breach became public, 23andMe initially denied responsibility and blamed customers for reusing passwords. Arizona Family reported that the multistate investigation found that response unacceptable.
The states jointly hold $150 million in allowed bankruptcy claims, but the bankrupt estate cannot cover that full amount. The actual payout is $18 million, split among the 42 states. Connecticut leads with $887,729, covering 65,766 affected residents. New Hampshire receives $187,490 for 31,192 residents. Delaware gets $159,654 for 16,479 residents, according to NCDOJ.
Connecticut Attorney General William Tong did not hold back in his criticism. "23andMe collected the most sensitive genetic data imaginable from millions of Americans, and they failed to safeguard that data," he said. The settlement money will be disbursed right away, giving states immediate — if limited — relief.
As part of the deal, a new entity called TTAM Research Institute will take over as the custodian of all 23andMe genetic data. The settlement requires TTAM to follow specific safeguards and compliance measures, according to Oregon Department of Justice. This is meant to protect customers whose data remains in the system after the company's collapse.
The agreement does not erase the data or give customers automatic deletion rights, but it puts binding rules on whoever holds it going forward. Regulators see this as a key protection given how sensitive DNA data is — it cannot be changed the way a password can.
Beyond the state settlement, affected customers may still get money directly. A separate $46.75 million class-action settlement is open to U.S. consumers whose data was exposed. The deadline to file a claim is February 17, 2026, KOLD reported. Customers should check whether they qualify before that date.
The multistate action shows that even in bankruptcy, companies face consequences for poor data security. Genetic data is among the most personal information a company can hold. Regulators made clear they will pursue accountability even when a company has already gone under.
Publishers
17
Articles
10
Reach
27