Press Release: 7/15/2026

AG Campbell Announces Multistate Settlement With 23andMe Over Genetic Data Breach

 



FOR IMMEDIATE RELEASE:



7/14/2026



MEDIA CONTACT



Allie Zuliani, Deputy Press Secretary



 Phone



Call Allie Zuliani, Deputy Press Secretary at (617) 727-2543



 Online



Email Allie Zuliani, Deputy Press Secretary at Allie.Zuliani@mass.gov



BOSTON — Massachusetts Attorney General Andrea Joy Campbell today joined a coalition of 42 attorneys general in announcing a settlement with the bankruptcy trustee for 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million customers worldwide. The $18 million settlement amount will be paid out of available bankruptcy funds immediately. Of the $18 million, Massachusetts will receive $387,218. 23andMe also agreed to a $46.75 million class-action settlement in the bankruptcy case to provide relief to the affected U.S. consumers who submitted claims by February 17, 2026. 



“Consumers have a right to expect that the companies entrusted with their most personal information will protect it. This settlement reinforces security requirements for the remaining 23andMe data, maintains consumers’ right to delete their information, and makes clear that companies cannot cut corners when it comes to data privacy,” said AG Campbell. “I will continue to hold companies accountable when they fail to protect consumers and their sensitive information.”  



In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including at least 136,761 Massachusetts residents. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.  



23andMe learned about the credential stuffing breach months after impacted consumer information was publicly available. 23andMe first denied that a breach occurred. Once it confirmed the breach, 23andMe initially blamed consumers for how their accounts were set up or how their passwords were used, despite knowing that a prior breach in 2017 of 23andMe’s former partner, MyHeritage, was likely to have already compromised many user accounts.    



In the immediate aftermath of the data breach, the attorneys general formed a multistate investigation, which found that 23andMe engaged in unreasonable data security practices, including, but not limited to:  




  • Failing to employ safeguards against similar attacks, including by comparing passwords against lists of known breached passwords or by requiring multifactor authentication;   

  • Failing to implement appropriate limitations on the number of login attempts over time;  

  • Failing to implement logging and monitoring or other tools likely to detect a data breach; 

  • Failing to appropriately investigate or address unusual login patterns, including, for example, massive spikes in login attempts;  

  • Failing to remediate known vulnerabilities; and 

  • Failing to properly review and test design features. 



In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation. The Attorney General’s Office issued a Consumer Advisory in connection with this filing, informing consumers of steps they could take to protect their information. As part of the bankruptcy proceedings, 23andMe’s consumer data was sold to TTAM Research Institute, a non-profit formed by 23andMe’s founder and former CEO. The terms of the bankruptcy sale included obligations like enhanced data security requirements, appropriate risk analyses, addition of an advisory board, and agreement to be bound by comprehensive privacy laws and to continue offering consumer data deletion rights. These terms—which likely would have been included in a settlement with 23andMe had it not filed for bankruptcy—help ensure that the data purchaser will be a safer custodian of genetic data moving forward.    



In addition to general consumer protection and privacy laws, individuals are also protected under the Commonwealth’s genetic privacy law (Gen. L. c 111, § 70G), which prohibits commercial genetic testing companies from divulging genetic information records “without informed written consent.”  



This matter was handled by Assistant Attorney General Young Jun Choi and Division Chief Jared Rinehimer, of the Attorney General’s Privacy and Responsible Technology Division. 



Joining AG Campbell in filing this settlement are the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maryland, Maine, Michigan, Minnesota, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia.  



###