In June 2025, 23andMe moved to sell the genetic data of roughly 15 million customers to a nonprofit, without ever obtaining explicit consent from those customers for the sale. The sale raised one of the most troubling questions in consumer privacy law: does a company have the right to monetize your DNA? The attorneys general of 27 states and Washington D.C. answered no and filed a lawsuit to block the transaction. A bankruptcy judge nonetheless approved the sale to a nonprofit led by 23andMe co-founder Anne Wojcicki, and the controversy highlights how little protection genetic data has under current law and how a company in financial distress can route around customer consent.
This article explains the data breach, the unauthorized sale attempt, the resulting class action settlement, and what customers should know about claiming compensation. The scandal stems from two separate but interconnected crises. First, in a breach disclosed in October 2023, cybercriminals stole genetic information, names, birth years, and ancestry data belonging to approximately 6.4 million U.S. customers, and explicitly singled out members of specific ethnic groups when they advertised the data on the dark web. Second, facing severe financial pressure, 23andMe attempted to sell its genetic database to third parties without customers ever agreeing to such a sale. These failures triggered a $50 million class action settlement, but the core problem, that your DNA might be sold without your permission, remains unresolved.
Table of Contents
- What Did 23andMe’s October 2023 Data Breach Actually Expose?
- How Did 23andMe Get Permission to Sell Genetic Data Without Customer Consent?
- What Did the Class Action Settlement Actually Cover?
- Who Qualifies for the Settlement and What’s the Deadline?
- What Does the Five-Year Protection Plan Actually Do?
- Why Did 27 States Sue Over the DNA Data Sale?
- What Does This Case Mean for Genetic Privacy Going Forward?
What Did 23andMe’s October 2023 Data Breach Actually Expose?
On October 6, 2023, 23andMe disclosed that cybercriminals had accessed customer accounts through what the company called “credential stuffing”: the attackers took username and password pairs leaked in breaches of other websites and replayed them against 23andMe’s login page, relying on customers who reused passwords rather than on any technical vulnerability in 23andMe’s systems. The breach ultimately exposed the personal information of approximately 6.4 million U.S. residents, most of whom never had their own accounts accessed. The compromised data came overwhelmingly from customers who had opted into the DNA Relatives and Family Tree features: a single successful login shows the attacker the profiles, ancestry details, and relationship information of every relative matched to that account, so each cracked account acted as a window onto many others. This created a cascading privacy disaster in which one person’s reused password exposed information about their biological relatives, even though those relatives’ accounts were never broken into.
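The two mechanisms described above, credential stuffing and the one-to-many exposure through relative matching, are easy to see in code. The following Python is an added example written for this article; it is not 23andMe’s code and not taken from any breach report. The authentication log format, the thresholds, the relatives graph, and the assumption that a logged-in account reveals only its own direct matches are all constructed for illustration.

```python
"""Toy detector for credential stuffing plus a blast-radius estimate for
relative-matching features. Added example; every input here is constructed."""
from collections import defaultdict
import re

# Constructed auth log. Assumed format: "<timestamp> <src_ip> <user> <OK|FAIL>".
# 203.0.113.7 walks through many *different* users with leaked passwords and
# hits on two of them; 198.51.100.9 is one person mistyping their own password.
AUTH_LOG = """\
2023-09-01T10:00:01 203.0.113.7 alice@example.com FAIL
2023-09-01T10:00:02 203.0.113.7 bob@example.com FAIL
2023-09-01T10:00:02 203.0.113.7 carol@example.com OK
2023-09-01T10:00:03 203.0.113.7 dave@example.com FAIL
2023-09-01T10:00:03 203.0.113.7 erin@example.com FAIL
2023-09-01T10:00:04 203.0.113.7 frank@example.com OK
2023-09-01T10:00:05 203.0.113.7 grace@example.com FAIL
2023-09-01T10:00:05 203.0.113.7 heidi@example.com FAIL
2023-09-01T10:00:06 203.0.113.7 ivan@example.com FAIL
2023-09-01T10:00:06 203.0.113.7 judy@example.com FAIL
2023-09-01T10:01:00 198.51.100.9 alice@example.com FAIL
2023-09-01T10:01:05 198.51.100.9 alice@example.com OK
2023-09-01T10:02:00 192.0.2.44 mallory@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_auth_log(text):
    """Return a list of (timestamp, ip, user, success) tuples; skips junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append((ts, ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Map each suspicious source IP to the accounts it logged into.

    Credential stuffing looks like many distinct usernames from one source
    with a low success rate (leaked passwords mostly no longer work). A
    legitimate user retrying their own password touches one username and
    so never trips the distinct-user threshold. Thresholds are assumed."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": set(), "attempts": 0})
    for _, ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["ok"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        success_rate = len(stats["ok"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(stats["ok"])
    return flagged


# Constructed DNA Relatives opt-in graph: the matches visible to each account
# once someone is logged into it. Assumed here: one hop only, i.e. an attacker
# sees an account's matches but not the matches of those matches.
RELATIVES = {
    "carol@example.com": ["kate@example.com", "leo@example.com"],
    "frank@example.com": ["leo@example.com", "mia@example.com", "nick@example.com"],
    "alice@example.com": ["olga@example.com"],
}


def exposed_profiles(compromised, relatives=RELATIVES):
    """Everyone whose profile is visible from the compromised accounts:
    the accounts themselves plus each of their opted-in matches. The set
    is typically much larger than the number of cracked accounts."""
    exposed = set(compromised)
    for account in compromised:
        exposed.update(relatives.get(account, []))
    return exposed


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_auth_log(AUTH_LOG))
    for ip, accounts in hits.items():
        victims = exposed_profiles(accounts)
        print(f"{ip}: {len(accounts)} accounts cracked, "
              f"{len(victims)} profiles exposed: {sorted(victims)}")
```

With the constructed input, two cracked accounts expose six profiles, which is the shape of the real incident: a small number of direct logins, a far larger set of people whose only mistake was opting into relative matching. In production the same signal (distinct-user count per source, success ratio, velocity) belongs in the login service’s rate limiter, not in a post-hoc log review.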
What made this breach particularly alarming was that the criminals didn’t treat the data as an undifferentiated dump. They specifically singled out customers with Chinese and Ashkenazi Jewish ancestry, posting their stolen genetic and personal details on the dark web in curated lists. This wasn’t a blind attack; it was deliberate targeting of specific ethnic groups. The posts combined ancestry information with names, birth years, and location data, enough detail to enable harassment, discrimination, or other forms of harm. For many affected customers, this wasn’t just a privacy breach; it was targeting based on genetic heritage.

How Did 23andMe Get Permission to Sell Genetic Data Without Customer Consent?
23andMe didn’t get explicit permission. That’s the central controversy. In 2025, amid its bankruptcy, 23andMe put its genetic database, covering roughly 15 million customers, up for sale, with research use as the stated purpose. The company’s position was that customers had already provided broad consent through its terms of service and privacy policy. 27 states and Washington D.C. disagreed, arguing that selling genetic data to an unnamed third party is a material change in how the data is used, one that requires explicit, informed consent rather than permission language buried in a terms-of-service update. The bankruptcy court approved a sale in late June 2025. The buyer was a nonprofit led by 23andMe co-founder Anne Wojcicki rather than a for-profit pharmaceutical company, which at least kept the data out of purely commercial hands. Even this outcome faced continued opposition from five states, California, Kentucky, Tennessee, Texas, and Utah, which argued that customers should have been asked directly before their genetic information changed hands, regardless of the buyer’s nonprofit status. The lesson is important: even when a company’s legal team believes its terms of service contain broad consent language, state attorneys general increasingly argue that genetic data is so sensitive that it requires explicit, separate permission before being transferred to any third party.
What Did the Class Action Settlement Actually Cover?
In September 2024, 23andMe agreed to pay $30 million to settle the data breach claims of affected U.S. customers, with additional statutory payments set aside for residents of Alaska, California, Oregon, and Illinois, whose state genetic-privacy laws provide their own damages. The settlement was revised upward to $50 million when the bankruptcy court approved it in January 2026, reflecting the severity of the breach and the targeting of specific ethnic groups. The settlement class is U.S. residents who were 23andMe customers between May 1, 2023 and October 1, 2023 and whose personal information was compromised in the breach, roughly 6.4 million people. The settlement provides two major forms of protection. First, every class member can enroll in a five-year Privacy & Medical Shield program plus a Genetic Monitoring program. These programs include identity theft monitoring, dark web monitoring (watching for your stolen information being traded), and a genetic-data monitoring component that, as the settlement describes it, alerts you if your genetic information turns up where it should not be. Second, class members with documented out-of-pocket losses can claim up to $10,000 in cash compensation: if you can show you spent money responding to the breach, for example on credit monitoring, identity theft recovery, or other costs incurred because your information was exposed, you can be reimbursed up to that cap. The limitation matters: the $10,000 tier is for extraordinary, documented losses. Not every class member receives $10,000. You need records showing that you actually spent the money as a direct result of the breach.

Who Qualifies for the Settlement and What’s the Deadline?
You’re eligible if you were a U.S. resident and a 23andMe customer at any point between May 1, 2023 and October 1, 2023, and your personal information was compromised in the breach (most class members received a breach notification from 23andMe). The settlement class is limited to U.S. residents, and you need to have had an account during that window. If your DNA Relatives or Family Tree profile was exposed because a relative’s account was broken into, you are also a class member even though your own credentials were never used. The deadline to submit a claim is February 17, 2026, a date that has already passed as of this writing. If you missed it, a late claim may still be accepted with a written explanation of the delay, but the court’s deadline is the one that counts. The settlement website at 23andmedatasettlement.com provides the claim form, and you’ll need to provide basic information (your name, the email address on your 23andMe account, and confirmation of your account status during the breach period). For claims seeking reimbursement of out-of-pocket losses, you’ll need to attach proof, such as credit card statements, receipts, or other documentation showing that you spent money addressing the breach.
What Does the Five-Year Protection Plan Actually Do?
The Privacy & Medical Shield program and the Genetic Monitoring service together form a protection package intended to catch misuse of your data before it becomes a major problem. The identity theft monitoring component watches credit bureaus and public records for signs that someone is using your information to open fraudulent accounts. Dark web monitoring searches the underground markets and forums where stolen data is traded and alerts you if your 23andMe data surfaces there. Genetic monitoring, the most novel component, looks for your genetic information appearing in contexts you never authorized, such as genetic databases you never uploaded to. The five-year timeline matters because genetic data breaches have long-tail impacts: identity theft can surface months or years after the breach, once stolen data circulates through criminal networks.
Genetic information is particularly sensitive because, unlike a password or credit card number, you can’t change your DNA. A criminal who obtains your genetic information holds a permanent identifier that can be used against you indefinitely, and against relatives who share segments of it. The five-year window is a substantial monitoring period, but it is not lifetime protection. After five years, you’ll need to decide whether to purchase similar monitoring privately or rely on your own vigilance. One important caveat: this protection is meaningful but reactive. Monitoring alerts you after something has gone wrong with your data; it cannot undo the initial exposure. Real prevention would have meant 23andMe putting the controls that defeat credential stuffing in place before the breach: mandatory two-factor authentication (which 23andMe required of all customers only after the breach), rejecting passwords that appear in known breach lists, rate limiting and bot detection on the login endpoint, and limiting how much relative data a single logged-in session can pull from DNA Relatives. Customers can do their part by using a unique password and enabling two-factor authentication on every account that holds sensitive data.

Why Did 27 States Sue Over the DNA Data Sale?
The core legal argument is straightforward: genetic information is fundamentally different from other personal data, and selling it requires explicit consent, not language buried in terms of service. Attorneys general from 27 states argued that when 23andMe updated its terms to allow genetic data sales, the company was making a material change in how customer data is used. Under consumer protection laws, material changes require affirmative consent from customers, not a passive assumption that silence equals agreement. Many states also argued that selling genetic data to an unnamed third party violates their privacy laws because customers never agreed to that specific use when they submitted a DNA sample. The lawsuit raised a crucial question about the difference between ordinary personal data and genetic data.
Your credit card number is sensitive, but you can cancel it and get a new one. Your genetic information is permanent and reveals information not just about you but about your biological relatives, extended family, and potentially thousands of genetic connections you may not even know about. Several states, particularly California, argued that this heightened sensitivity requires heightened protection. California’s position carried particular weight because 23andMe is headquartered there and the state has some of the nation’s strongest consumer privacy laws. The bankruptcy court’s approval of a sale to a nonprofit rather than a for-profit company was a partial victory for the states, but not a complete one. California, Kentucky, Tennessee, Texas, and Utah continued to oppose the sale, and the legal battle may not be fully resolved.
What Does This Case Mean for Genetic Privacy Going Forward?
The 23andMe scandal illustrates a troubling gap in genetic privacy law. The federal Genetic Information Nondiscrimination Act (GINA) prevents health insurers and employers from discriminating based on genetic information, but it doesn’t regulate how companies may use or sell genetic data for research, marketing, or other purposes. State laws are beginning to fill the gap; California, Illinois, and a number of other states have enacted genetic-privacy-specific statutes, but the regulatory landscape remains fragmented and inconsistent. This case also signals that bankruptcy courts may become a key battleground for data privacy.
When companies face financial distress, customer data is often among the most valuable assets left to sell, and a restructuring can turn a privacy policy’s boilerplate about transfers in the event of a sale or bankruptcy into a live transaction. The 23andMe case shows that state attorneys general will challenge such attempts aggressively, but it doesn’t guarantee future victories. Customers of direct-to-consumer DNA services should assume that their genetic data could be sold if the company fails, review privacy policies for changes, and use the deletion rights they have: several attorneys general advised 23andMe customers during the bankruptcy to delete their account data, request destruction of their stored sample, and revoke any research consent they had given. Anyone considering submitting DNA to any company should understand that even “consensual” genetic data collection operates in a legal gray zone where companies have significant leeway to repurpose the data in ways the customer never explicitly authorized.
