Canadians affected by the 23andMe privacy breach in 2023 can now claim up to $2,500 in compensation through a court-approved settlement worth approximately $4.5 million. If you were a 23andMe customer between May 1 and October 1, 2023, and your personal information was compromised in the breach that 23andMe disclosed in October 2023, you are likely eligible to file a claim.
The settlement, officially approved by the courts on March 16, 2026, provides financial compensation for those who incurred documented out-of-pocket expenses related to the breach—such as security monitoring services or mental health counselling—as well as a baseline payment for those without documented costs. Understanding the settlement details can make the difference between securing compensation and missing out entirely, as the claims window closes on June 25, 2026.
Table of Contents
- What’s the Total Settlement Amount and How Much Can You Claim?
- Which Expenses Qualify for the Maximum $2,500 Compensation?
- Who Is Eligible to File a Claim in This Settlement?
- How Do You File a Claim and What Documents Do You Need?
- What’s the Deadline and What Happens If You Miss It?
- What Is the Nature of the Data Breach That Led to This Settlement?
- Why Settlements Like This Matter and What’s Next?
What’s the Total Settlement Amount and How Much Can You Claim?
The 23andMe Canada privacy settlement totals US$3.25 million, which converts to approximately CAD$4.5 million. However, not all of this money goes directly to claimants. After deducting 33 percent in legal fees—a standard practice in class action settlements—the remaining funds are distributed among eligible class members. The amount each person receives depends on two factors: whether they can document out-of-pocket expenses related to the breach, and how many total claims are filed.
Eligible claimants with documented expenses can claim up to $2,500 CAD. For example, if you purchased identity theft monitoring services or credit freezing tools in response to the breach, you can submit receipts and documentation to claim back these costs. Those without documented expenses still qualify for compensation; the settlement administrator estimates this baseline payment at approximately $17.77 CAD per claimant. While the minimum payment may seem modest, it represents recognition that privacy breaches cause harm beyond just direct financial losses.
Which Expenses Qualify for the Maximum $2,500 Compensation?
To claim the higher compensation tier, you must document out-of-pocket expenses incurred between October 1, 2023, and March 31, 2024. The settlement specifically recognizes three categories of qualifying expenses. First, physical security or monitoring system purchases—this includes credit monitoring services like Equifax or Transunion monitoring, identity theft protection subscriptions, or security system upgrades for your home. Second, professional mental health counselling or treatment, recognizing that privacy breaches can cause genuine psychological harm.
Third, other documented out-of-pocket expenses directly related to the breach during that six-month period. However, there’s an important limitation: you must have receipts and documentation for these expenses. Simply claiming you spent money without proof won’t result in compensation. Additionally, the expense window is closed—any costs incurred after March 31, 2024, do not qualify, even if they were directly related to addressing the breach. This is why keeping receipts from the period immediately following the October 2023 disclosure is crucial.
Who Is Eligible to File a Claim in This Settlement?
You must meet all four eligibility requirements to qualify for compensation. First, you must have been a 23andMe customer during the specific window of May 1 to October 1, 2023—when the compromised accounts were created. Second, you must have been a Canadian resident at the time of the breach. Third, 23andMe must have notified you that your personal information was compromised in the October 2023 breach, which affected approximately 6.9 million users whose data appeared for sale on the dark web.
Fourth, you must not have actively opted out of the settlement. For context, the original breach occurred due to credential stuffing attacks where hackers used login information obtained from other breaches to access 23andMe accounts without proper two-factor authentication enabled. The breach exposed sensitive health and genetic data, which is why the settlement recognizes both direct expenses and psychological harm. If you received a notification email from 23andMe about the breach, you should be eligible.
How Do You File a Claim and What Documents Do You Need?
The settlement is being administered by Concilia Services Inc., which manages the claims process. You can file your claim through the official settlement website at canadian23andmesettlement.ca, or you can contact the claims administrator directly at 1-888-770-8437 or 23andMe@conciliainc.com. The website provides a claims form where you’ll need to provide your personal information, proof that you were a 23andMe customer during the eligible period, and if claiming documented expenses, receipts for those costs.
To maximize your claim, gather several key documents before filing. You’ll need your 23andMe account information or the notification email you received from the company about the breach, receipts for any qualifying expenses (bank statements, credit card statements, or invoices work well), and documentation of your residency status during the breach period. The process is straightforward if you have your documentation ready, but the deadline is firm—you must submit your claim by June 25, 2026, at 11:59 p.m. Pacific Time.
What’s the Deadline and What Happens If You Miss It?
The claims window closes on June 25, 2026, at 11:59 p.m. PT. This is not a flexible deadline—claims submitted even one minute after this time will not be accepted. Given that we are currently in March 2026, you have approximately three months to gather your documents and file.
If you miss this deadline, you forfeit your right to compensation from this settlement, and there is no appeals process or extension for late claims. One critical warning: don’t confuse this deadline with other dates. The settlement was officially approved on March 16, 2026, and the original settlement agreement was reached on September 5, 2025, but June 25, 2026, is the only deadline that matters for claimants. If you have documentation of eligible expenses, prioritize filing early rather than waiting until the last week. Settlement claims sometimes experience processing delays, and filing early ensures your claim is received before the deadline.
What Is the Nature of the Data Breach That Led to This Settlement?
In October 2023, 23andMe publicly disclosed that hackers had accessed approximately 6.9 million user accounts through credential stuffing attacks. This technique exploits previously compromised usernames and passwords from unrelated data breaches to gain unauthorized access to accounts at other companies. The personal data exposed included genetic information, family connections, health information, and other sensitive data that users had entered into the 23andMe platform.
The stolen data was subsequently offered for sale on the dark web, heightening privacy concerns. Notably, 23andMe did not admit guilt or liability as part of this settlement agreement, a standard legal provision that allows companies to settle without accepting responsibility. However, the company agreed to pay the settlement amount and implement improved security measures going forward. For claimants, the relevant fact is that 23andMe verified your data was compromised and notified you; whether the company admits liability is a legal distinction that doesn’t affect your eligibility or compensation amount.
Why Settlements Like This Matter and What’s Next?
The 23andMe settlement represents an important recognition that genetic and health data companies must be held accountable for security failures. As more people use direct-to-consumer DNA testing and health platforms, these companies hold increasingly sensitive personal information. When breaches occur, settlements like this one provide a mechanism for consumers to recover some of their losses and incentivize companies to improve security practices.
Moving forward, if you’re a 23andMe customer, review your account security settings, enable two-factor authentication, and monitor your accounts for suspicious activity. The lesson from this breach applies broadly: any company holding your genetic or health data should be viewed as a security-critical entity deserving of strong passwords and account protection measures. While settlements can’t undo the privacy violation, they provide financial recognition of the harm caused and help fund better security standards across the industry.