Pennsylvania Attorney General Dave Sunday announced an $18 million multistate bankruptcy claim settlement with genetic testing company 23andMe.
Pennsylvania will receive $491,902 from the settlement.
Additionally, 23andMe agreed to a separate $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims.
The 2023 data breach affected 6.9 million consumers globally, including 192,093 in Pennsylvania.
The breach exposed various types of data about 23andMe customers, such as genetic ancestry information and subsets of this data were later sold on the dark web.
Sunday criticized 23andMe’s handling of the incident.
“This company was trusted by millions of Americans to safeguard very private data and information, but failed to do so, learning about a data breach far too late, then pointing fingers at their own customers,” Sunday said. “I find it appalling that a company dealing with customers’ personal information would be so lax about their system protections, then have the audacity to deny and attempt to wash their hands of wrongdoing.”
23andMe initially denied the breach, only confirming it months after the personal information was publicly available. The company then attributed blame to consumers for their account setups or password usage, accepting no responsibility for the cyberattack.
Cybercriminals used a tactic known as “credential stuffing,” attempting to gain account access by using stolen passwords from other websites that might have been reused. The multistate investigation also noted that 23andMe’s partnership with MyHeritage, which had been compromised years prior, exposed credentials shared between the websites.
The Attorneys General formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices. These practices included failing to employ safeguards against credential stuffing attacks, such as comparing passwords against blocklists or requiring multifactor authentication. The company also failed to implement appropriate rate limiting or intrusion prevention, logging and monitoring tools to detect breaches and to investigate unusual login patterns, such as massive spikes in login attempts. They also failed to remediate known vulnerabilities and properly review and test design features.
In March 2025, 23andMe filed for bankruptcy protection. States, including Pennsylvania, subsequently filed claims related to the data breach investigation.
As part of the bankruptcy proceedings, 23andMe’s assets, including its consumer data, were sold to TTAM Research Institute. This non-profit organization was formed by 23andMe founder and former CEO Anne Wojcicki.
The terms of sale incorporated several information and data security requirements. These included enhanced data security, appropriate risk analysis, the addition of an Advisory Board, agreement to be bound by comprehensive privacy laws without exception and continued offering of consumer data deletion rights. TTAM Research Institute has since reregistered as 23andMe Research Institute.
Impacted consumers who submitted claims by Feb. 17, 2026, for the class-action settlement should have received an email notification about their eligibility for funds.Pennsylvania Attorney General Dave Sunday announced an $18 million multistate bankruptcy claim settlement with genetic testing company 23andMe.
Pennsylvania will receive $491,902 from the settlement, with nearly 200,000 Pennsylvanians impacted by the data breach.
Additionally, 23andMe agreed to a separate $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims.
The 2023 data breach affected 6.9 million consumers globally, including 192,093 in Pennsylvania.
The breach exposed various types of data about 23andMe customers, such as genetic ancestry information and subsets of this data were later sold on the dark web.
Sunday criticized 23andMe’s handling of the incident.
“This company was trusted by millions of Americans to safeguard very private data and information, but failed to do so, learning about a data breach far too late, then pointing fingers at their own customers,” Sunday said. “I find it appalling that a company dealing with customers’ personal information would be so lax about their system protections, then have the audacity to deny and attempt to wash their hands of wrongdoing.”
23andMe initially denied the breach, only confirming it months after the personal information was publicly available. The company then attributed blame to consumers for their account setups or password usage, accepting no responsibility for the cyberattack.
Cybercriminals used a tactic known as “credential stuffing,” attempting to gain account access by using stolen passwords from other websites that might have been reused. The multistate investigation also noted that 23andMe’s partnership with MyHeritage, which had been compromised years prior, exposed credentials shared between the websites.
The Attorneys General formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices. These practices included failing to employ safeguards against credential stuffing attacks, such as comparing passwords against blocklists or requiring multifactor authentication. The company also failed to implement appropriate rate limiting or intrusion prevention, logging and monitoring tools to detect breaches and to investigate unusual login patterns, such as massive spikes in login attempts. They also failed to remediate known vulnerabilities and properly review and test design features.
In March 2025, 23andMe filed for bankruptcy protection. States, including Pennsylvania, subsequently filed claims related to the data breach investigation.
As part of the bankruptcy proceedings, 23andMe’s assets, including its consumer data, were sold to TTAM Research Institute. This non-profit organization was formed by 23andMe founder and former CEO Anne Wojcicki.
The terms of sale incorporated several information and data security requirements. These included enhanced data security, appropriate risk analysis, the addition of an Advisory Board, agreement to be bound by comprehensive privacy laws without exception and continued offering of consumer data deletion rights. TTAM Research Institute has since reregistered as 23andMe Research Institute.
Impacted consumers who submitted claims by Feb. 17, 2026, for the class-action settlement should have received an email notification about their eligibility for funds.
Download the FREE WPXI News app for breaking news alerts.
Follow Channel 11 News on Facebook and Twitter. | Watch WPXI NOW