If you were a 23andMe customer whose data was compromised in the October 2023 breach, you are eligible for five years of free credit monitoring and genetic data protection through the $30 million class action settlement, regardless of whether you filed a cash claim before the February 2026 deadline. The monitoring package, estimated at roughly $1,875 per person over the full term, is provided by CyEx and includes identity theft protection, medical data monitoring, dark web surveillance, genetic fraud alerts, and even a VPN. Enrollment remains open right now and will stay open throughout the entire five-year service period.
The settlement, which received final approval from the U.S. Bankruptcy Court for the Eastern District of Missouri on January 20, 2026, covers approximately 6.4 million U.S. residents whose personal and genetic information was stolen.
Table of Contents
- Who Qualifies for Free Credit Monitoring in the 23andMe Data Breach Settlement?
- What Does the 23andMe Credit Monitoring Package Actually Include?
- How the 23andMe Bankruptcy Complicates Cash Payments
- Steps to Take Right Now If You Were Affected by the 23andMe Breach
- Why Genetic Data Breaches Carry Longer-Term Risks Than Financial Breaches
- What Happened to Your Genetic Data After the 23andMe Sale
- Looking Ahead — Genetic Data Privacy After the Settlement
- Frequently Asked Questions
Who Qualifies for Free Credit Monitoring in the 23andMe Data Breach Settlement?
Eligibility comes down to three requirements. You must have been a 23andme customer between May 1, 2023 and October 1, 2023. You must have resided in the United States during that period. And you must have received a data breach notification from 23andMe. If you meet all three criteria, you are a class member entitled to enroll in the credit monitoring program at no cost. There is no separate application or claim form required beyond enrollment with CyEx.
One important distinction that many people miss: the cash claim deadline of February 17, 2026 has already passed, but the credit monitoring benefit operates on a completely different timeline. Even if you never filed a cash claim, you can still sign up for the monitoring. Think of a customer who deleted their 23andMe account in frustration back in late 2023 and ignored the settlement notices. That person can still enroll today and receive the full remaining duration of monitoring coverage. The settlement website at 23andmedatasettlement.com has enrollment instructions and will continue accepting new enrollments for the duration of the five-year service window. If you are unsure whether you received a breach notification, check the email address associated with your 23andMe account, including spam and trash folders. 23andMe sent notifications to all affected users, and that notification is your confirmation of eligibility.
What Does the 23andMe Credit Monitoring Package Actually Include?
The monitoring program goes well beyond what you typically see in data breach settlements. Standard breach settlements usually offer one or two years of basic credit monitoring through a major bureau. The 23andMe settlement provides five years of what is branded as “Privacy & Medical Shield + Genetic Monitoring,” reflecting the unusual nature of the stolen data. The provider, CyEx, was specifically established to serve affected 23andMe customers, which is notable because most settlements contract with existing monitoring firms like Experian or Equifax. The package bundles several layers of protection: traditional identity theft protection, medical data monitoring that watches for unauthorized use of your health information, dark web monitoring that scans for your compromised data appearing in underground marketplaces, a VPN for encrypted browsing, password protection tools, and identity theft insurance. The genetic fraud alert component is particularly unusual. Because the breach exposed genetic information, ancestors’ birth locations, and family tree data, there is a risk category that standard credit monitoring simply does not address.
Someone could theoretically use genetic data for insurance fraud, synthetic identity creation, or targeted phishing that references your health predispositions. However, it is worth understanding a limitation. No monitoring service can prevent your genetic data from being misused. What CyEx does is alert you if indicators of misuse surface. If someone opens a medical account using your information or your genetic data appears in a dark web listing, you get notified. But the data itself, once stolen, cannot be recalled or changed. Unlike a credit card number, you cannot get new DNA.
How the 23andMe Bankruptcy Complicates Cash Payments
23andMe filed for Chapter 11 bankruptcy in March 2025, which added an unusual layer of complexity to a settlement that was already in progress. The company’s assets, including the genetic data of millions of customers, were purchased by TTAM Research Institute, a nonprofit led by co-founder Anne Wojcicki. The $30 million settlement fund was established before the bankruptcy filing, but the bankruptcy proceedings have created uncertainty about payment timelines for cash claims. For class members who filed cash claims before the February 17, 2026 deadline, there were three tiers of compensation. Extraordinary claims allowed up to $10,000 for documented out-of-pocket losses such as identity theft expenses, fraud-related costs, credit monitoring you purchased yourself, or mental health counseling directly tied to the breach.
Health information claims provided up to $165 if your health data was specifically accessed. And statutory cash claims offered approximately $100, but only to residents of Alaska, California, Illinois, or Oregon, states with privacy statutes that provided additional legal grounds. The practical reality is that payment distribution may take several months due to the bankruptcy proceedings. Bankruptcy courts have their own processes and priorities, and class action settlement distributions must work within that framework. If you filed a cash claim, patience is required. The credit monitoring benefit, by contrast, is available immediately through enrollment and is not dependent on the bankruptcy timeline.
Steps to Take Right Now If You Were Affected by the 23andMe Breach
Your first action should be enrolling in the CyEx monitoring program if you have not already. Visit 23andmedatasettlement.com for enrollment details. Do this even if you already use a credit monitoring service through another breach settlement or a paid subscription. The genetic monitoring component is not something you will find in standard services, and stacking monitoring from multiple providers gives you broader coverage without any additional cost. Second, consider what data was actually compromised in your case. The breach exposed names, genders, dates of birth, ancestors’ birth locations, family tree information, profile pictures, geographic locations, and genetic information. Some of this data, like your name and date of birth, is already widely available through other breaches.
But your genetic information and detailed ancestry data represent a unique exposure. If you shared DNA Relatives results with other users on the platform, the exposure may extend further than your own profile. Weigh this against the monitoring tools available to you. The CyEx package covers medical data monitoring and genetic fraud alerts, which directly address the most sensitive categories. Standard credit freezes at the three bureaus, which are free and separate from this settlement, protect against new account fraud using your personal identifiers. Third, if you missed the February 17, 2026 cash claim deadline, there is unfortunately no mechanism to file a late claim. The deadline was firm. But the credit monitoring, valued at roughly $1,875 over five years, represents the larger per-person benefit anyway, and that remains fully available to you.
Why Genetic Data Breaches Carry Longer-Term Risks Than Financial Breaches
Most data breaches expose financial information: credit card numbers, Social Security numbers, bank account details. These are serious, but they are also changeable. You can get a new credit card, freeze your credit, and monitor for unauthorized accounts. The damage has a shelf life because the compromised data can be replaced. Genetic data is different. Your DNA does not change. The ancestry information, health predispositions, and family connections exposed in the 23andMe breach are permanently compromised.
This is why the five-year monitoring period, while longer than the typical one or two years offered in financial breach settlements, may still be insufficient for the full scope of risk. Genetic data could be exploited years or even decades from now as genetic testing becomes more integrated into insurance underwriting, employment screening, or healthcare delivery. Federal protections like the Genetic Information Nondiscrimination Act (GINA) prohibit the use of genetic information in health insurance and employment decisions, but GINA does not cover life insurance, disability insurance, or long-term care insurance. Someone with access to your genetic data could potentially use it against you in those contexts. The warning here is straightforward: do not assume the risk ends when the monitoring period expires in 2031. After the five-year window closes, you will need to evaluate whether to continue monitoring your medical and genetic data exposure on your own. Keep records of everything related to this breach, including your notification email, any claim confirmations, and your CyEx enrollment details.
What Happened to Your Genetic Data After the 23andMe Sale
When TTAM Research Institute, the nonprofit led by Anne Wojcicki, purchased 23andMe’s assets out of bankruptcy, the acquisition included customer genetic data. This raised immediate concerns among privacy advocates and affected customers. Your genetic information is now held by a different entity than the one you originally consented to share it with. If you want to request deletion of your data, you should contact TTAM Research Institute directly and review the updated privacy policy on the 23andMe platform.
For example, a customer who signed up for 23andMe in 2022 agreed to that company’s privacy terms. The bankruptcy sale transferred those data assets to a nonprofit with its own governance structure and mission. While Wojcicki has stated that protecting customer data remains a priority, the legal and organizational context has changed. Class members should not assume that their original consent agreements carry over identically. Reviewing your data rights under your state’s privacy laws and considering a deletion request is a reasonable precaution, independent of the settlement benefits.
Looking Ahead — Genetic Data Privacy After the Settlement
The 23andMe settlement is likely to set a benchmark for how genetic data breaches are handled in future litigation. The $30 million fund, the five-year monitoring period, and the creation of a dedicated monitoring provider in CyEx all represent a more strong response than what most data breach settlements have offered historically. But the case also highlights a gap in existing law. Genetic data does not fit neatly into the regulatory frameworks designed for financial or healthcare information, and Congress has yet to pass comprehensive federal privacy legislation that would address these gaps.
For consumers, the lesson extends beyond this particular breach. Any time you provide genetic data to a company, you are accepting a risk that current law may not fully protect you against. The 23andMe settlement provides meaningful remedies for this specific incident, but the broader question of who controls your genetic information, and what happens when a company holding that data goes bankrupt, remains largely unresolved. If you are a class member, use the benefits available to you. Enroll in the monitoring, document any suspicious activity, and stay informed through the official settlement website at 23andmedatasettlement.com as payment distributions proceed over the coming months.
Frequently Asked Questions
Can I still get credit monitoring if I missed the cash claim deadline?
Yes. The cash claim deadline of February 17, 2026 has passed, but credit monitoring enrollment through CyEx remains open for the entire five-year service period. You can enroll at any time regardless of whether you filed a cash claim.
How do I know if I am eligible for the 23andMe settlement?
You must have been a 23andMe customer between May 1, 2023 and October 1, 2023, resided in the United States during that period, and received a data breach notification from 23andMe. Check the email associated with your account, including spam folders, for the notification.
Why is the credit monitoring provider CyEx instead of a major company like Experian?
CyEx was specifically established to serve 23andMe breach victims. Unlike generic credit monitoring services, CyEx includes genetic fraud alerts and medical data monitoring tailored to the type of data compromised in this particular breach.
I live in California. Am I entitled to extra compensation?
Residents of Alaska, California, Illinois, and Oregon were eligible for statutory cash claims of approximately $100 under state privacy laws. However, the deadline to file those claims was February 17, 2026 and has passed. You are still eligible for the credit monitoring benefit.
When will cash payments be sent out?
Payment distribution may take several months due to 23andMe’s bankruptcy proceedings, which are being handled by the U.S. Bankruptcy Court for the Eastern District of Missouri. Check 23andmedatasettlement.com for updates on distribution timelines.
What should I do if I see signs of identity theft related to this breach?
Contact CyEx through the monitoring platform to use the identity theft insurance included in your coverage. File a report with the FTC at IdentityTheft.gov. Place fraud alerts or credit freezes with Equifax, Experian, and TransUnion. Document all expenses, as those who filed extraordinary claims could receive up to $10,000 for documented losses.
You Might Also Like
- Capital Health Data Breach Settlement: Who Gets Credit Monitoring And For How Long
- SiriusXM Robocall And Telemarketing Settlement: Who Gets Credit Monitoring And For How Long
- 23andMe Customer Data Security Breach Settlement: What Happens If You Miss The Deadline