Pennsylvanians also to benefit from $46 million national class-action settlement
HARRISBURG – Attorney General Dave Sunday joined a coalition of 42 states announcing a $18 million bankruptcy claim settlement with genetic testing company 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million consumers worldwide.
Pennsylvania will receive $491,902. Nearly 200,000 Pennsylvanians were impacted by the data breach.
In addition, 23andMe agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims by February 17, 2026. Impacted consumers should have received an email from the class action notifying them of their eligibility to obtain funds from the settlement.
“This company was trusted by millions of Americans to safeguard very private data and information, but failed to do so, learning about a data breach far too late, then pointing fingers at their own customers,” Attorney General Sunday said. “I find it appalling that a company dealing with customers’ personal information would be so lax about their system protections, then have the audacity to deny and attempt to wash their hands of wrongdoing.”
In October 2023, 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including 192,093 in Pennsylvania. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were later published for sale on the dark web.
The company learned about the data breach months after impacted personal information was publicly available. At first, 23andMe denied a breach and then, once the breach was confirmed, the company blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the cyberattack.
The cybercriminals used a tactic known as “credential stuffing” in which they attempt to brute force access to an account on a website, using a stolen password from another website that they believe might have been re-used on the targeted account. 23andMe’s data breach was particularly egregious considering 23andMe’s partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites.
In the immediate aftermath of the data breach, the Attorneys General formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:
- Failing to employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords, or requiring multifactor authentication;
- Failing to implement appropriate rate limiting or intrusion prevention;
- Failing to implement logging and monitoring or other tools likely to detect a data breach;
- Failing to appropriately investigate and/or address unusual login patterns, including, for example, a massive spike in login attempts;
- Failing to remediate known vulnerabilities; and
- Failing to properly review and test design features.
In March 2025, 23andMe filed for bankruptcy protection, and states, including Pennsylvania, subsequently filed claims related to the data breach investigation. As part of the bankruptcy proceedings, the assets – notably 23andMe’s consumer data – were sold to TTAM Research Institute, a non-profit organization formed by 23andMe founder and former CEO Anne Wojcicki.
The terms of sale included many information and data security requirements that likely would have been included in a settlement agreement with 23andMe had it not filed for bankruptcy. The terms included enhanced data security requirements, appropriate risk analysis, the addition of an Advisory Board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer data deletion rights. These terms will ensure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.
Attorney General Dave Sunday was joined in today’s settlement by the Attorneys General of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, North Carolina, North Dakota, New Hampshire, New Jersey, New Mexico, New York, Ohio, Oklahoma, Oregon, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia.
###