The 23andMe customer data security breach class action settlement offered up to $30 million to roughly 6.4 million U.S. residents whose personal and genetic information was exposed in an October 2023 cyberattack. The primary claim submission deadline of February 17, 2026 has now passed, meaning most affected customers can no longer file for cash compensation.
However, if you were a late notice recipient who first learned of the settlement on or after January 5, 2026, you have until March 1, 2026 to submit your claim form through the official settlement website at 23andMeDataSettlement.com or by mailing your form to the Kroll Restructuring Administration LLC processing center in New York. For example, a customer in California who had both their genetic health reports and personal data compromised could have been eligible for a statutory cash payment of approximately $100 plus a health information payment of around $165, in addition to five years of free identity and genetic monitoring services. Even those who missed the cash claim deadline still retain access to that monitoring benefit.
Table of Contents
- What Does the 23andMe Data Breach Class Action Settlement Claim Form Require?
- How Much Money Can You Get From the 23andMe Settlement?
- How 23andMe’s Bankruptcy Affects Your Settlement Payment
- Steps to Take If You Already Filed a Claim
- What Happens If You Missed the Claim Deadline?
- The Scale of the 23andMe Data Breach in Context
- Looking Ahead for 23andMe Breach Victims
What Does the 23andMe Data Breach Class Action Settlement Claim Form Require?
The claim form for the 23andme data breach settlement asked eligible class members to verify their identity and confirm they were U.S. residents as of August 11, 2023 whose personal information was compromised in the breach. Depending on the compensation tier being claimed, filers needed to provide different levels of documentation. Those pursuing a basic statutory cash claim or the health information payment needed relatively minimal paperwork, while those seeking extraordinary damages of up to $10,000 had to submit receipts, statements, and other proof of unreimbursed out-of-pocket losses tied directly to the breach. Claims could be submitted in two ways: online through the official settlement portal at 23andMeDataSettlement.com or by printing and mailing a physical form to the Kroll Restructuring Administration LLC processing center.
The online method was straightforward and provided a confirmation receipt, while mailed forms needed to be postmarked by the deadline. Unlike some class action settlements that only require a name and email, the 23andMe form required claimants to specify which compensation category they were pursuing, which made it important to understand the tier structure before filing. One point that tripped up many claimants was the distinction between being notified that your account data was breached versus being specifically told that your health or genetic data was compromised. Only those who received a direct notification from 23andMe about health data exposure qualified for the higher $165 health information payment. Simply having a 23andMe account did not automatically place someone in that tier.
How Much Money Can You Get From the 23andMe Settlement?
The settlement established three distinct cash compensation tiers, each with different eligibility requirements and payment amounts. At the top, extraordinary claims allowed payouts of up to $10,000 for individuals who could document unreimbursed financial losses directly resulting from the breach. This included costs related to identity fraud, tax fraud, purchases of credit monitoring or security systems, and even mental health treatment sought because of the data exposure. However, if you could not provide receipts, bank statements, or other written proof of these expenses, your extraordinary claim would likely be denied or significantly reduced. The second tier, health information claims, offered a one-time payment of approximately $165 to individuals whom 23andMe specifically notified that their health or genetic data was compromised in the attack.
This is a narrower group than the full 6.4 million affected customers. The third tier, statutory cash claims of approximately $100, was limited to residents of Alaska, California, Illinois, or Oregon, the four states with genetic privacy statutes that provide additional legal protections for this type of data. However, if you lived outside those four states and did not receive a specific health data notification, your cash compensation options were limited to the extraordinary claims tier, which required documented losses. Every eligible class member, regardless of tier, was entitled to enroll in five years of free Privacy and Medical Shield plus Genetic Monitoring services through CyEx. This monitoring package includes identity theft protection, medical data monitoring, VPN access, password protection tools, and dark web monitoring, which represents a meaningful benefit even for those who did not qualify for a cash payment.
How 23andMe’s Bankruptcy Affects Your Settlement Payment
One of the most significant complications surrounding this settlement is that 23andMe filed for Chapter 11 bankruptcy in March 2025. The company, once valued at roughly $6 billion, had declined so dramatically that co-founder Anne Wojcicki purchased it for $305 million through a new nonprofit entity called TTAM Research Institute. This bankruptcy filing introduced uncertainty about whether and when settlement funds would actually reach claimants’ hands. The $30 million settlement fund was established before the bankruptcy filing and is expected to be legally protected from 23andMe’s general bankruptcy proceedings. This is an important distinction because it means the money was set aside in advance and should not be subject to claims by the company’s other creditors.
The U.S. Bankruptcy Court for the Eastern District of Missouri granted final approval of the settlement on January 20, 2026, which was a critical milestone. Despite that approval, payments have not yet been distributed. The settlement administrator has stated that disbursement will not occur until bankruptcy reconciliation is fully resolved, a process described as one that “is likely to take considerable time.” Current estimates suggest payments could begin 60 to 90 days after final resolution, assuming no appeals are filed. For claimants expecting a quick check in the mail, this timeline is a reality check. Settlement payouts in cases involving bankruptcy proceedings routinely take longer than standard class action distributions.
Steps to Take If You Already Filed a Claim
If you submitted your claim before the February 17, 2026 deadline, your next step is patience. The settlement administrator, Kroll Restructuring Administration LLC, will process all claims and determine eligibility before any payments go out. You should keep any confirmation emails or receipt numbers you received when filing, as these serve as your proof of submission if any disputes arise later. For those who filed extraordinary claims seeking up to $10,000, be aware that the review process for documented losses is more rigorous than for the flat-rate payments.
The administrator will evaluate whether your submitted documentation sufficiently proves that the expenses were unreimbursed and directly tied to the 23andMe breach rather than some other incident. By contrast, health information claims and statutory cash claims involve simpler verification since they are primarily based on whether you received a specific notification from 23andMe or reside in one of the four qualifying states. The tradeoff is clear: higher potential payouts require stronger proof, while the more accessible payments are smaller but far easier to collect. Regardless of which tier you filed under, you should also consider enrolling in the CyEx monitoring services if you have not already. The five-year monitoring benefit runs independently of the cash payment timeline, and given that your genetic data cannot be changed like a password or credit card number, ongoing monitoring for misuse of that information carries long-term value that arguably exceeds the one-time cash payments for many claimants.
What Happens If You Missed the Claim Deadline?
If you were an eligible class member and did not file by February 17, 2026, your options are now limited. The opt-out deadline of December 29, 2025 has also passed, which means you are bound by the terms of the settlement whether you participated or not. You have forfeited your eligibility for any cash payment under the extraordinary, health information, or statutory claims tiers. There is one narrow exception. If you are a late notice recipient, meaning you were first notified about the settlement on or after January 5, 2026, you have an extended deadline of March 1, 2026 to file your claim.
This extension exists because courts recognize that class members cannot reasonably be held to a deadline they did not know about. If you believe you fall into this category, file immediately and be prepared to demonstrate when you first received notice. The one benefit that remains available to all class members, even those who missed the filing deadline, is enrollment in the five-year CyEx monitoring package. Given that the breach exposed genetic information, which is permanently tied to your identity and cannot be reset, this monitoring service is not something to dismiss. Identity thieves who obtain genetic data can potentially use it for insurance fraud, medical identity theft, or other schemes that may not surface for years. Enrolling in the monitoring program is the single most important action remaining for anyone who missed the cash claim window.
The Scale of the 23andMe Data Breach in Context
The October 2023 breach affected approximately 6.4 million U.S. residents, representing roughly half of 23andMe’s entire customer base at the time. What made this breach particularly alarming was not just the volume of people affected but the nature of the data exposed.
Unlike a typical retail data breach involving credit card numbers or email addresses, the 23andMe attack compromised genetic and health information that victims cannot change or replace. For perspective, the original settlement was proposed at $50 million but was revised down to $30 million during bankruptcy proceedings. Even at that reduced figure, the per-person value remains notable when combining cash payments with the monitoring services. A California resident whose health data was compromised, for instance, could receive roughly $265 in cash plus five years of monitoring that would retail for several hundred dollars annually if purchased independently.
Looking Ahead for 23andMe Breach Victims
The road ahead for 23andMe settlement claimants depends largely on how quickly the bankruptcy reconciliation process concludes. With TTAM Research Institute, the nonprofit entity through which Anne Wojcicki acquired the company, now at the helm, questions remain about how the new ownership will handle ongoing data security obligations and the genetic data of millions of customers. State attorneys general and privacy advocates are expected to continue scrutiny of however that data is managed going forward. For claimants, the practical reality is a waiting game.
The $30 million fund exists, final court approval has been granted, and the claims have been collected. What remains is the administrative process of reconciling the settlement within the broader bankruptcy case. Anyone who filed a claim should monitor the official settlement website at 23andMeDataSettlement.com for updates on disbursement timelines and watch for communications from Kroll Restructuring Administration. The genetic privacy landscape is also shifting, with more states considering legislation similar to the genetic privacy statutes in Alaska, California, Illinois, and Oregon, which could provide additional protections and legal recourse for consumers in future breaches.