The 23andMe data breach settlement offers affected customers three main categories of benefits: direct cash payments of up to $10,000 depending on your circumstances, five years of specialized genetic and identity monitoring through CyEx, and specific statutory payments for residents of states with genetic privacy laws. The total settlement fund stands at $50 million for U.S. class members after being increased by $20 million during 23andMe’s bankruptcy proceedings, covering approximately 6.4 million people whose data was compromised between May and October 2023. For most class members who did not suffer direct financial losses, the monitoring package is the primary benefit — and notably, it kicks in automatically even if you never file a claim.
The settlement, which received final approval from U.S. Bankruptcy Judge Brian C. Walsh on January 20, 2026, resolves more than 40 class action lawsuits stemming from a credential-stuffing attack that exposed personal and genetic data. The claim deadline was February 17, 2026, so if you missed it, your options for cash payments may be limited — though the monitoring benefits still apply.
Table of Contents
- What Cash Benefits Does the 23andMe Settlement Offer and Who Qualifies?
- How Does the CyEx Genetic Monitoring Program Work?
- Who Counts as a Class Member in the 23andMe Settlement?
- Filing an Extraordinary Claim — What Proof Do You Actually Need?
- What Happens After 23andMe’s Bankruptcy and Acquisition?
- How the 23andMe Settlement Compares to Other Major Data Breach Settlements
- What 23andMe Class Members Should Expect Going Forward
- Frequently Asked Questions
What Cash Benefits Does the 23andMe Settlement Offer and Who Qualifies?
The settlement created three distinct cash payment tiers, and the amount you can receive depends entirely on your specific situation. At the top end, extraordinary claims pay up to $10,000 for class members who can document actual out-of-pocket losses from the breach — things like unauthorized charges on accounts, costs of identity fraud remediation, expenses for purchasing security systems, or even treatment costs for mental distress caused by the exposure of genetic data. This is not a flat payment; you need receipts, statements, or other proof submitted with your claim form, and the final amount depends on what the settlement administrator approves. The middle tier covers health information claims, paying approximately $165 to class members who received specific notice that their health-related data was compromised. This is a meaningful distinction: not everyone in the breach had health data exposed, and 23andme sent targeted notifications to those who did.
If you received that particular notice, this payment was available to you without needing to prove any financial loss. The third tier provides roughly $100 in statutory cash payments, but only for residents of Alaska, California, Illinois, or Oregon — four states with genetic privacy statutes that provide for statutory damages regardless of whether you suffered actual harm. To put this in perspective, a California resident whose health information was specifically compromised could potentially claim both the $165 health information payment and the $100 statutory payment. Someone in Texas with no documented financial losses, on the other hand, would not qualify for any of the cash tiers, though the monitoring benefits would still apply. The gap between the maximum $10,000 extraordinary claim and the baseline $100 statutory payment is enormous, and it reflects the reality that most class action settlements reward documented harm far more generously than general class membership.
How Does the CyEx Genetic Monitoring Program Work?
The monitoring component of this settlement is arguably more unusual than the cash payments. Rather than contracting with a standard credit monitoring provider like Equifax or TransUnion — the kind of service that shows up in virtually every data breach settlement — 23andMe’s settlement includes a specialized program through CyEx that was built specifically for this case. The package includes five years of identity theft protection, medical data monitoring, VPN access, password protection tools, and dark web monitoring across 17 unique categories of sensitive data. What sets this apart from typical breach monitoring is the genetic data scanning component. CyEx monitors dark web marketplaces and forums specifically for genetic-related data tied to individual class members.
If your genetic information turns up for sale or trade, the service alerts you and connects you with a remediation specialist. The settlement administrators described this as including “multiple features that have never been provided to data breach or security incident victims,” which, even accounting for legal hyperbole, reflects the genuinely novel problem of genetic data being compromised at scale. However, if you are expecting this monitoring to somehow recall or delete your genetic data from wherever it has spread, that is not what it does. Monitoring tells you when compromised data surfaces — it does not prevent its misuse or put the genie back in the bottle. Genetic data is uniquely permanent; you cannot change your DNA the way you can change a password or freeze a credit file. The monitoring program is a detection tool, not a prevention tool, and class members should understand that distinction clearly.
Who Counts as a Class Member in the 23andMe Settlement?
The affected class includes approximately 6.4 million U.S. residents who were 23andMe customers between May 1, 2023 and October 1, 2023 and received notice that their personal information may have been compromised. There is also a separate $3.25 million settlement fund for Canadian class members, handled through its own process. If you had a 23andMe account during that window and received a breach notification — either by email or postal mail — you were a class member. One practical example worth noting: if you created a 23andMe account in 2019 but had not logged in or used the service in years, you were still a class member if your data was stored on their systems during the breach window and you received the notification.
The class definition hinges on the notification, not on active use of the service. Conversely, if you signed up after October 2023, you are not part of this settlement regardless of any concerns you might have about the company’s data practices going forward. The claim filing process ran through the official settlement website at 23andMeDataSettlement.com, administered by Kroll. Class members could also submit paper claims by mail. For those who did not file a claim by the February 17, 2026 deadline, the automatic enrollment in CyEx monitoring still applies — a relatively unusual provision that ensures even passive class members receive some benefit.
Filing an Extraordinary Claim — What Proof Do You Actually Need?
The $10,000 maximum for extraordinary claims sounds substantial for a data breach settlement, but qualifying for it requires real documentation. The settlement lists eligible out-of-pocket losses as including identity fraud costs, unauthorized charges, expenses for purchasing credit monitoring or security systems beyond what the settlement provides, and costs associated with treating mental distress caused by the breach. Each of these requires supporting evidence submitted alongside the claim form. For identity fraud, you would need police reports, bank statements showing unauthorized transactions, or correspondence with financial institutions. For mental distress treatment, you would need records from a licensed professional — therapy receipts, prescription costs, or similar documentation.
The tradeoff here is clear: the higher the amount you claim, the more scrutiny your submission receives from the settlement administrator. Someone claiming $200 in unauthorized charges with a bank statement faces a much simpler review than someone claiming $8,000 in combined fraud losses and therapy costs. It is also worth noting that the $10,000 figure is a cap, not a guaranteed payout. The actual payment depends on the total number of extraordinary claims filed and the pool of funds available after all claim categories are accounted for. If the extraordinary claims collectively exceed the allocated portion of the $50 million fund, pro rata reductions could apply, meaning everyone gets a proportional share rather than the full documented amount.
What Happens After 23andMe’s Bankruptcy and Acquisition?
The settlement’s path to approval was complicated by 23andMe filing for Chapter 11 bankruptcy in March 2025 — a development that threatened to derail compensation for breach victims entirely. In many bankruptcies, class action claimants end up at the back of the creditor line and receive pennies on the dollar or nothing at all. The fact that the settlement fund actually increased from $30 million to $50 million during bankruptcy proceedings is atypical and reflects the seriousness with which the court treated the genetic data exposure. The company was purchased for $305 million by a nonprofit organization led by former CEO Anne Wojcicki in July 2025. This acquisition raised its own set of concerns among privacy advocates, given that Wojcicki led the company during the period when the breach occurred.
For class members, the key practical question is what happens to their genetic data going forward under the new ownership structure. The settlement addresses the breach that already happened, but it does not impose specific requirements on how the reorganized company handles data in the future — that falls to whatever regulatory oversight and privacy policies apply going forward. One limitation class members should understand: the settlement resolves your legal claims related to the 2023 breach. By accepting benefits, you release 23andMe from further liability for this specific incident. If you believe your damages significantly exceed what the settlement offers, you would have needed to opt out before the deadline to preserve your right to pursue individual litigation — an option that carried its own risks and costs.
How the 23andMe Settlement Compares to Other Major Data Breach Settlements
For context, the Equifax data breach settlement in 2019 covered approximately 147 million people with a fund of up to $700 million, and most class members who filed claims received checks for under $10. The T-Mobile settlement in 2022 involved a $350 million fund for 76 million affected customers. By those benchmarks, the 23andMe settlement’s $50 million for 6.4 million class members represents a higher per-capita allocation, though actual individual payouts still depend heavily on which tier you fall into and how many people file claims.
The genetic monitoring component is what genuinely distinguishes this case. Standard data breaches involve Social Security numbers, email addresses, or financial data — all of which can be changed, frozen, or replaced. Genetic data cannot. That permanence is reflected in the settlement’s structure, which prioritizes ongoing monitoring over one-time cash payments for the majority of class members.
What 23andMe Class Members Should Expect Going Forward
For class members who filed claims by the February 17, 2026 deadline, the next step is waiting for the settlement administrator to process claims and distribute payments. Based on the timeline of similar settlements, cash payments typically begin arriving several months after the claim deadline closes, assuming no further appeals or complications. The CyEx monitoring should be active or activating for class members, and those enrolled should familiarize themselves with how the alerts work and what to do if genetic data is flagged.
Looking ahead, the 23andMe case is likely to influence how courts and regulators approach genetic data breaches in the future. The creation of a bespoke monitoring program with genetic scanning capabilities sets a precedent that may become the expected standard when DNA data is compromised. For consumers who use genetic testing services, this settlement is a reminder to understand what data these companies hold and what protections — legal and technical — exist if that data is exposed.
Frequently Asked Questions
How much money will I actually receive from the 23andMe settlement?
It depends on your situation. Most class members without documented financial losses will receive monitoring benefits only. Residents of Alaska, California, Illinois, or Oregon may receive approximately $100 in statutory damages. Those whose health information was specifically compromised may receive around $165. Only class members who can prove direct out-of-pocket losses from the breach can claim up to $10,000.
Do I need to file a claim to get the monitoring benefits?
No. Even class members who did not file a claim are automatically enrolled in the five-year CyEx Privacy & Medical Shield and Genetic Monitoring program. However, you did need to file a claim by February 17, 2026 to be eligible for any cash payments.
What makes the CyEx genetic monitoring different from regular credit monitoring?
Standard credit monitoring watches for misuse of financial data like Social Security numbers and credit accounts. The CyEx program adds specialized genetic data scanning that monitors dark web marketplaces for your specific genetic information being sold or traded — a capability that has not been part of previous data breach settlements.
Can I still sue 23andMe separately for the data breach?
If you accepted settlement benefits or did not opt out before the deadline, you released your legal claims against 23andMe related to this specific breach. The opt-out period has closed, so most class members are bound by the settlement terms.
When will cash payments be sent out?
The claim deadline was February 17, 2026, and the settlement received final approval on January 20, 2026. Payment distribution typically begins several months after the claims period closes, once the administrator has reviewed and processed all submissions.
Does 23andMe’s bankruptcy affect my settlement payment?
The settlement fund was actually increased from $30 million to $50 million during the bankruptcy process, and the court granted final approval in January 2026. The fund is set aside for class members, so the bankruptcy itself should not reduce your payment, though processing timelines may be affected.
Learn about the 23andMe settlement benefits on OpenClassActions.com.