23andMe has agreed to pay $18 million to settle claims by 42 state attorneys general that the genetic testing company failed to protect customer accounts before a 2023 breach exposed information tied to 6.9 million people, including genetic ancestry data.
The settlement, announced Tuesday by the state coalition, also reaches beyond the bankrupt company’s old corporate shell. It imposes new security obligations on the 23andMe Research Institute, the nonprofit founded in May 2025 by 23andMe CEO Anne Wojcicki, which later acquired 23andMe’s assets, including customer genetic data.
For customers, the practical piece is deletion control. The agreement requires that 23andMe customers keep the right to have their genetic samples destroyed and their personal data deleted indefinitely. That matters because the data at issue is not a resettable password or a replaceable credit card number. It is biological identity data, and the settlement treats continued deletion rights as part of the remedy.
States say 23andMe missed basic account abuse signals
New York Attorney General Letitia James’ office said the multistate investigation began days after the breach and found several security failures. According to James’ office, 23andMe lacked protections against attacks using stolen credentials, had inadequate intrusion prevention, did not properly log or monitor for breaches, and failed to fix known vulnerabilities.
The office also said the company did not investigate unusual login patterns or test new design features. In plain English: attackers were allegedly able to use already-compromised usernames and passwords, and 23andMe did not have enough detection or friction in place to stop or quickly spot the account abuse.
James’ office said 23andMe did not learn about the October 2023 breach until months after it happened. Some stolen data later appeared on the dark web. The attorney general’s office also said the company first denied that a breach had occurred and, after confirming it, faulted customers for account settings and password practices.
The settlement requires the 23andMe Research Institute to carry out risk assessments and create a special board charged with overseeing data security. Those requirements attach to the organization now holding the assets, rather than only to the company that collected the data in the first place.
Bankruptcy and asset sale changed the venue, not the data problem
23andMe filed for bankruptcy protection in March 2025. In June, a Missouri bankruptcy court approved a separate settlement that gives many breach victims a share of a $47 million fund.
In July 2025, the Wojcicki-led nonprofit, then called TTAM Research Institute, paid $305 million for 23andMe’s assets. The sale included genetic data for customers who had not requested destruction of their information, according to a 23andMe press release cited in court approval materials.
The institute has said it will follow 23andMe’s privacy policy. That policy bars sharing customer data with employers, insurers, public databases, and law enforcement unless there is a court order, subpoena, or search warrant. The institute also continues the company’s practice of sharing and selling de-identified customer data for biomedical research.
The $18 million settlement does not make the genetic data less sensitive, and it does not erase the breach. It does put state attorneys general on record that password reuse by customers was not a full answer to a security incident involving millions of genetic-testing profiles.
This story draws on original reporting from The Record.