23andMe users could be eligible for data breach settlement
After a data breach affected around half of its customers, family ancestry company 23andMe has agreed to a $30 million settlement — and users could be eligible to receive a payout in the future.
23andMe is a DNA testing company that provides users with ancestry, genetics and health information. Users can also connect with potential family members through DNA matches on the site after receiving their testing results.
The data of 6.9 million users was compromised in the attack, and stolen data was sold, including a dataset of people with Chinese and Ashkenazi Jewish heritage who appeared to have been specifically targeted, the HIPAA Journal reported.
“Under the terms of the settlement, individuals whose data was compromised are entitled to receive a share of the settlement fund after litigation costs and attorneys’ fees have been deducted,” the Journal said.
A class-action lawsuit was filed against 23andMe in January after the data breach happened in 2023, accusing the company of inadequately protecting user data, failing to notify affected parties in time and other complaints, USA Today reported.
“We believe threat actors were able to access certain accounts in instances where users recycled login credentials — that is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously hacked,” 23andMe wrote on its website at the time, USA Today said.
The data breach involved unauthorized access to user accounts through credential stuffing, rather than a cyberattack on the 23andMe platform, according to the HIPAA Journal.
Approximately 5.5 million of the 6.9 million affected were users who opted into 23andMe’s “Relatives” feature, which connects people to those with similar DNA, according to USA Today, and another 1.4 million had their family tree information accessed.
The data that was accessed contained personal and family information, USA Today said, including:
- Display name
- How recently they logged into their account
- Their relationship labels
- Their predicted relationship and percentage DNA shared with their DNA Relatives matches
- Their ancestry reports and matching DNA segments, specifically where on their chromosomes they and their relative had matching DNA
- Self-reported location (city/zip code)
- Ancestor birth locations and family names
- Profile picture, birth year
The company admitted to no wrongdoing as part of the agreement to pay $30 million to affected parties.
“We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident,” 23andMe told USA Today in a statement.
As part of the proposed settlement, which still requires preliminary court approval, the company will provide as much as $10,000 to qualifying customers, as well as various security services, CNET reported.
Under the terms of the settlement, the HIPAA Journal said class members may submit claims for the following:
- An extraordinary claim for up to $10,000 to recover unreimbursed costs and expenditures related to the security incident. The costs can include losses due to identity theft, falsified tax returns, the costs of physical security or a monitoring system purchased in response to the security incident, and unreimbursed costs associated with professional mental health counseling or treatment as a result of the security incident. A cap of $5 million has been placed on these claims.
- If a resident of Alaska, California, Illinois, or Oregon at the time of the breach, submit a statutory cash claim for $100, per the genetic privacy laws in those states.
- If health information was compromised, submit a claim for a $100 cash payment.
- All class members can enroll in Privacy & Medical Shield + Genetic Monitoring, which includes a password manager, medical record monitoring, and anti-phishing protection.
There is not yet a way to apply for a payment under the proposed settlement, CNET said.
Megan Swift is a TribLive reporter covering trending news in Western Pennsylvania. A Murrysville native, she joined the Trib full time in 2023 after serving as editor-in-chief of The Daily Collegian at Penn State. She previously worked as a Jim Borden Scholarship intern at the Trib for three summers. She can be reached at mswift@triblive.com.