23andMe Pays $18 Million to 42 State Attorneys General Over Its Genetic Data Breach

23andMe Pays $18 Million to 42 State Attorneys General Over Its Genetic Data Breach
A coalition of 42 state attorneys general, led by New York Attorney General Letitia James, announced on July 14, 2026 that 23andMe will pay $18 million to resolve claims that it failed to protect the genetic data of roughly 6.9 million consumers exposed in its 2023 breach. The money goes to the states, not to consumers.
Information last verified on July 17, 2026. This is a developing story; we update it as the record changes.
Status: The multistate settlement was announced on July 14, 2026. It is separate from, and in addition to, the $46.75 million consumer class settlement approved earlier in the 23andMe bankruptcy. The $18 million is a government enforcement recovery, not a new consumer payout.
Jurisdiction scope: This article covers a multistate settlement announced by 42 state attorneys general under state consumer-protection and data-security law. It does not create rights specific to any one state, and it does not address the separate federal bankruptcy proceeding except where the two intersect.
What Happened
On July 14, 2026, New York Attorney General Letitia James and a bipartisan coalition of 42 attorneys general, representing 41 states and the District of Columbia, announced that 23andMe agreed to pay $18 million to resolve their investigation into the company's 2023 data breach. According to the Delaware and Georgia attorneys general, the deal recognizes roughly $150 million in claims against 23andMe's bankruptcy estate, but because estate funds are limited, the states' actual cash recovery is the $18 million paid now. 23andMe disclosed the breach in October 2023 after attackers used a credential-stuffing technique, logging in with reused passwords stolen from other sites, to reach the accounts of about 6.9 million people. Through 23andMe's DNA Relatives feature, the attackers were able to compile, and later offer for sale, profiles containing names, ancestry information, and genetic data.
The attorneys general concluded that 23andMe had failed to put basic protections in place. According to the offices' announcements, the company did not require multifactor authentication and lacked adequate safeguards against attacks that rely on stolen login credentials. New York's office stated that 23andMe "failed to take critical security measures," including requiring multifactor authentication, that could have blunted the attack.
Beyond the $18 million payment, the settlement imposes ongoing obligations. Those terms bind TTAM Research Institute, the nonprofit that acquired 23andMe's assets, including its consumer database, out of bankruptcy. TTAM must maintain an enhanced data-security program, conduct regular risk analysis, seat a data-security advisory board, deploy multifactor authentication, and continue to honor consumers' right to delete their data.
What the Law Actually Says
State attorneys general enforce their states' consumer-protection and data-security statutes, which generally require companies that hold sensitive personal information to maintain reasonable safeguards and to notify consumers after a breach. Genetic data sits at the most sensitive end of that spectrum. A person can change a stolen password; they cannot change their DNA, and a single profile can implicate blood relatives who never used the service.
That is why states have moved to regulate genetic information specifically. Several have enacted dedicated genetic-privacy statutes, such as South Dakota's new genetic data privacy act, and consumer-privacy laws increasingly classify genetic and biometric identifiers as "sensitive data" that requires heightened protection. The 23andMe matter shows the enforcement side of that trend: when a company holding genetic data suffers a breach, many attorneys general can act together, and the resulting settlement can reach both a monetary payment and a binding, forward-looking security program.
This multistate deal is also distinct from the litigation individual states brought. California, for example, filed its own suit against 23andMe's successor over the genetic data breach. And it is separate again from the money set aside for consumers in the bankruptcy, discussed below.
Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
The most important thing for consumers to understand is what this settlement is not. The $18 million is an enforcement recovery paid to the states, not a fund that pays individual users. Readers who followed the 23andMe breach may see "$18 million settlement" and assume a second payout is coming. It is not. The route for consumer compensation was the separate class settlement in the bankruptcy, and that $46.75 million consumer settlement was already approved, with a claim deadline of February 17, 2026 that has passed.
What the multistate settlement adds is durable security obligations on the organization that now holds the DNA of millions of people. The credential-stuffing attack succeeded, in the attorneys general's telling, because ordinary defenses like multifactor authentication were missing. Requiring them going forward, and attaching a security advisory board and risk-analysis duties, is the kind of injunctive term that outlasts a one-time check. Whether those obligations are enforced rigorously against a nonprofit successor is an open question, and we are not predicting how that will play out.
How This Affects You
If you were a 23andMe user, this settlement does not give you a new claim to file, and no legitimate site will ask you to "register" for an $18 million payout. Treat any such solicitation as a red flag. The consumer-facing claim process ran through the bankruptcy class settlement and has closed.
More generally, anyone whose data was exposed in a breach can take the same protective steps regardless of any settlement: placing a free credit freeze, enabling multifactor authentication on important accounts, and using unique passwords so that a credential-stuffing attack on one site cannot unlock others. If you no longer use 23andMe, the deletion right that this settlement preserves lets you ask the company to delete your account and destroy your saved sample.
This is general legal information, not legal advice. It describes a multistate settlement announced on July 14, 2026 and reflects sources verified on July 17, 2026. Laws and settlements change, and this story is developing; consult a lawyer licensed in your state about your specific situation.
Related articles
- The $46.75 million consumer class settlement, explained
- California's suit against 23andMe's successor
- Track the status of this settlement on our 23andMe tracker
- How states are regulating genetic data
Last updated: 2026-07-17. This is a developing story; details verified as of 2026-07-17.
Frequently Asked Questions
Is the 23andMe $18 million settlement a new payout for consumers?
No. The $18 million is paid to the 42 participating states as an enforcement recovery. It is not consumer compensation, and there is no individual claim to file for it.
Where did consumer compensation for the 23andMe breach come from?
From a separate $46.75 million class settlement approved in the 23andMe bankruptcy. Its claim deadline was February 17, 2026, which has already passed.
What did the 2023 23andMe breach expose?
A credential-stuffing attack that ran from about April to September 2023 reached roughly 6.9 million users, exposing names, ancestry information, and genetic profile data, some of which was later offered for sale online.
Who pays, and who is bound by the multistate settlement?
23andMe agreed to pay $18 million, and the forward-looking security obligations bind TTAM Research Institute, the nonprofit that acquired 23andMe's assets out of bankruptcy.
What security changes does the settlement require?
The successor must maintain a data-security program, perform risk analysis, seat a data-security advisory board, use multifactor authentication, and continue honoring consumers' right to delete their data.
How many states were involved?
A bipartisan coalition of 42 state attorneys general, led by New York Attorney General Letitia James, announced the settlement on July 14, 2026.
Can I still delete my 23andMe data?
Yes. The settlement preserves consumers' right to request deletion of their account and destruction of their saved sample, a right you can exercise through the company regardless of the settlement.
Sources and References
- New York Attorney General, AG James Secures $18 Million From 23andMe for Failing to Protect Customers' Genetic Data (July 14, 2026)(ag.ny.gov).gov
- Pennsylvania Office of Attorney General, AG Sunday Announces $18 Million National Settlement with 23andMe Over Genetic Data Breach(attorneygeneral.gov).gov
- Georgia Office of the Attorney General, Carr Announces Multistate Settlement with 23andMe Over Genetic Data Breach(law.georgia.gov).gov
- New Hampshire Department of Justice, AG Formella Announces $18 Million Multistate Settlement with 23andMe Over Genetic Data Breach(doj.nh.gov).gov
- Massachusetts Attorney General, AG Campbell Announces Multistate Settlement With 23andMe Over Genetic Data Breach(mass.gov).gov
- State of Delaware, AG Jennings Announces Multistate Settlement of Bankruptcy Claims Against 23andMe Over Genetic Data Breach(news.delaware.gov).gov