Yes, 23andMe did attempt to sell its customers’ genetic and medical data to pharmaceutical firms in the months before and after its Chapter 11 bankruptcy filing. In May 2025, Regeneron Pharmaceuticals won an initial $256 million bid to acquire 23andMe’s assets and its database of genetic information from approximately 6.4 million customers—a move that immediately triggered lawsuits from multiple state attorneys general concerned about pharmaceutical companies gaining direct access to Americans’ genetic data. The company’s data had been compromised just months earlier in a cyberattack announced in October 2023 that affected customers with accounts between May and October 2023.
The core tension in this case centers on whether personal genetic information held by a genetic testing company should be treated as an asset that can be sold off in bankruptcy proceedings, or whether it should be protected as sensitive medical data belonging to individual customers. The courts sided with 23andMe’s creditors, allowing the company to pursue asset sales—though a nonprofit research institute founded by former CEO Anne Wojcicki eventually completed the purchase instead, preventing the data transfer to Regeneron. Understanding the details of this case matters if you used 23andMe or similar services, as it reveals how customer data can be treated during corporate bankruptcy and what protections—or lack thereof—may exist for genetic information.
Table of Contents
- How Did 23andMe’s Data Breach Lead to Bankruptcy?
- Why Did Regeneron Want to Buy 23andMe’s DNA Database?
- How Did TTAM Research Institute Block the Regeneron Deal?
- Who Is Eligible for the 23andMe Settlement and What Does It Cover?
- What Are the Limitations of This Settlement?
- The Genetic Privacy Implications
- What Happens Next for Genetic Data Privacy?
How Did 23andMe’s Data Breach Lead to Bankruptcy?
On October 3, 2023, cybercriminals launched credential stuffing attacks against 23andMe’s platform, compromising approximately 6.4 to 7 million U.S. customer records. The company announced the breach publicly on October 6, 2023. Credential stuffing involves using usernames and passwords obtained from other data breaches to attempt unauthorized account access—in 23andMe’s case, attackers succeeded in accessing accounts of customers who had created accounts between May 1, 2023 and October 1, 2023. The breach exposed genetic ancestry data, health information, and in some cases DNA analysis results and family connections.
The data breach compounded existing financial pressures on 23andMe. The company had been burning through cash and losing money for years, even as its direct-to-consumer genetic testing business faced increased regulatory scrutiny and declining interest. By early 2025, with litigation costs mounting from the data breach and its DNA testing operations struggling, 23andMe filed for Chapter 11 bankruptcy on March 23, 2025, in U.S. Bankruptcy Court for the Eastern District of Missouri. The bankruptcy filing meant the company’s assets—including its most valuable asset, the customer genetic database—would be sold to pay creditors and investors.
Why Did Regeneron Want to Buy 23andMe’s DNA Database?
Pharmaceutical companies have long sought access to large genetic databases for research purposes. Regeneron Pharmaceuticals, one of the world’s largest biotech companies, saw 23andMe’s database as an invaluable research asset containing genetic information from millions of Americans, coupled with some of the most detailed health and ancestry data available. In May 2025, Regeneron won the initial auction for 23andMe and its assets with a bid of $256 million. However, the prospect of a pharmaceutical company owning direct access to millions of Americans’ genetic information immediately triggered legal and political opposition.
Multiple state attorneys general filed lawsuits to block the Regeneron sale, arguing that allowing a pharmaceutical firm to control genetic data from 6.4 million customers raised unprecedented privacy and consent concerns. States warned that genetic data could be used to discriminate in insurance or hiring, or could be shared with third parties without adequate oversight. Colorado, New York, and other states raised specific concerns that customers had consented to their data being used by 23andMe for genetic research—not to being sold to a pharmaceutical company’s commercial research division. The legal arguments highlighted a critical gap: while bankruptcy courts have broad power to sell assets to maximize creditor recovery, there was no clear legal framework for protecting personal genetic information as a special category that shouldn’t be subject to standard asset sales.
How Did TTAM Research Institute Block the Regeneron Deal?
As legal battles over the Regeneron sale intensified, Anne Wojcicki, 23andMe’s founder and former CEO, stepped in with an alternative. She formed TTAM Research Institute, a nonprofit research organization, to compete for 23andMe’s assets. On July 14, 2025, TTAM completed the purchase of 23andMe for $305 million—$49 million more than Regeneron’s bid. While TTAM also intends to use 23andMe’s genetic database for pharmaceutical and medical research, the fact that it’s controlled by a nonprofit rather than a pharmaceutical company addressed the primary concerns of state attorneys general and consumers. The nonprofit structure meant the data would remain dedicated to research purposes without a profit-driven pharmaceutical company’s direct commercial incentives.
Judge Brian C. Walsh of the U.S. Bankruptcy Court had previously ruled on March 28, 2025, that 23andMe did have the right to sell customers’ genetic and medical data to bidders. This ruling essentially determined that genetic information, once collected and stored, could be treated as a corporate asset in bankruptcy proceedings. However, TTAM’s successful bid meant that while the ruling stood, the actual data transfer occurred to a nonprofit entity rather than Regeneron. The sale highlighted a governance gap: the court system approved the sale because no law explicitly prohibited it, even though consumers had provided their genetic data under the assumption it would be used for health and ancestry research—not sold as a bankruptcy asset.
Who Is Eligible for the 23andMe Settlement and What Does It Cover?
The 23andMe data breach settlement was finalized on January 20, 2026, after receiving preliminary approval on September 5, 2025. The settlement amount is $50 million—higher than the initially proposed $30 million settlement. Eligibility covers approximately 6.4 million customers whose accounts were compromised in the October 2023 credential stuffing attack. The claims deadline is February 17, 2026 at 11:59 p.m.
Central Time, meaning affected customers must submit claims by this date to receive settlement benefits. Individual customers can receive up to $10,000 per person for documented out-of-pocket losses directly caused by the breach—such as identity theft expenses, credit monitoring costs, or unauthorized charges. However, the more significant benefit is the 5-year Privacy & Medical Shield and Genetic Monitoring program, which automatically applies to all eligible customers without requiring documentation of losses. This program includes identity theft monitoring, dark web monitoring to detect if personal information is being sold or traded, and genetic anomaly detection to alert customers if their genetic data appears in unauthorized databases. The genetic anomaly detection component is particularly relevant to 23andMe customers, since the concern with the Regeneron sale was about who would have access to their genetic information.
What Are the Limitations of This Settlement?
While the settlement provides meaningful protections, it has important limitations. The $10,000 out-of-pocket loss reimbursement requires customers to document their losses and submit receipts or proof of expenses—many customers affected by the breach may not have incurred significant direct financial losses, meaning they won’t qualify for this portion. Additionally, the 5-year monitoring program expires after five years, leaving customers without coverage for genetic anomaly detection beyond 2031. If a customer’s genetic data is compromised in a future incident, or if their data is unlawfully accessed during those five years but the breach is only discovered after the monitoring period ends, the settlement provides no coverage.
Also, the settlement does not prevent 23andMe or TTAM from continuing to use the genetic database for research. The settlement compensates customers for the October 2023 breach and provides monitoring, but it does not give customers the ability to have their data deleted from the TTAM database. Customers who are concerned about their genetic information being used for pharmaceutical research now have the option to withdraw their accounts and request data deletion, but this must be done proactively—it is not automatic. The settlement also does not establish precedent for future cases; if another genetic testing company experiences a similar breach, courts could still rule that customer data is a corporate asset subject to bankruptcy sales.
The Genetic Privacy Implications
The 23andMe case revealed that genetic information occupies an unusual position in U.S. law. Medical information is generally protected under HIPAA (the Health Insurance Portability and Accountability Act), but HIPAA only applies to covered entities like hospitals, health plans, and health care providers. 23andMe is primarily a direct-to-consumer genetic testing company, not a medical provider, so HIPAA protections do not apply. This means that while your lab test results at your doctor’s office are protected from sale in a bankruptcy proceeding, your genetic results from 23andMe potentially are not—at least not until the law changes.
The settlement includes the genetic monitoring component specifically because consumers and regulators recognized the unique value and sensitivity of genetic data. Unlike a credit card number or Social Security number that can be changed, genetic information is permanent and immutable. If your genetic data is accessed by unauthorized parties, there’s no way to revoke it or get a replacement. This permanence made the concerns about Regeneron’s access particularly acute, and it’s why the eventual nonprofit sale to TTAM was seen as preferable. However, genetic monitoring services cannot prevent future breaches—they can only detect if genetic data appears in unauthorized locations after the fact.
What Happens Next for Genetic Data Privacy?
The 23andMe case is likely to accelerate regulatory efforts to create a special legal category for genetic information. Several states have already passed or are considering genetic privacy laws that would limit how companies can use or sell genetic data, even in bankruptcy. The multi-state opposition to the Regeneron sale demonstrated that state attorneys general recognize genetic information as a distinct concern requiring different legal protections than standard business records. Federal legislation to create a genetic privacy framework similar to existing medical privacy laws has been proposed but not yet enacted.
For consumers, the practical takeaway is that submitting genetic samples to any direct-to-consumer genetic testing company carries some risk, even if that company eventually fails or is sold. The 23andMe settlement and monitoring program provide a safety net, but they only apply if you were a customer during the October 2023 breach window. If you currently use 23andMe or another genetic testing service and are concerned about your data’s security or future use, you have the option to delete your account and request data deletion—though you should verify that the company honors such requests in writing before deleting your account information. Genetic databases will likely become more regulated over the next several years as federal and state governments respond to cases like 23andMe’s.