Attorney General Tong Leads Multistate Settlement of Bankruptcy Claims Against 23andMe Over Genetic Data Breach

Attorney General William Tong

07/14/2026

(Hartford, CT) – Attorney General William Tong today led a coalition of 42 attorneys general announcing a settlement with the bankruptcy trustee for direct-to-consumer genetic testing company 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million customers worldwide. The settlement includes $150 million in allowed claims for states.

Due to the finite amount of funds in the bankruptcy estate and numerous other claims, recovery is limited to $18 million but will be paid out of available bankruptcy funds immediately. Of the $18 million, Connecticut will receive $887,729. Further, 23andMe agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims by February 17, 2026.

“23andMe collected the most sensitive genetic data imaginable from millions of Americans, and they failed to safeguard that data. Connecticut led the country in investigating this serious breach, and we were actively involved at every step of this bankruptcy proceeding fighting for accountability and the security of consumers’ personal data and genetic samples,” said Attorney General Tong.

In October 2023, 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including 65,766 in Connecticut. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.

23andMe learned about the breach months after impacted personal information was publicly available. 23andMe first denied a breach and then, once it confirmed the breach, blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the credential stuffing breach, which was particularly egregious considering 23andMe’s partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites.

In the immediate aftermath of the data breach, Connecticut led a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:

Failing to employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords or requiring multifactor authentication;
Failing to implement appropriate rate limiting or intrusion prevention;
Failing to implement logging and monitoring or other tools likely to detect a data breach;
Failing to appropriately investigate and/or address unusual login in patterns, including, for example, a massive spike in login attempts;
Failing to remediate known vulnerabilities; and
Failing to properly review and test design features.

In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation. As part of the bankruptcy proceedings, the assets – notably 23andMe’s consumer data – were sold to TTAM Research Institute, a non-profit formed by 23andMe founder and former CEO Anne Wojcicki. The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an Advisory Board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer deletion rights. These terms will make sure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.

The Connecticut General Assembly also recently passed a new genetic privacy law at the urging of the Office of the Attorney General, effective October 1, 2026. Under this law, Connecticut residents have the right to exercise control over genetic samples they provide to direct-to-consumer genetic testing companies, and those companies have disclosure and consent obligations. The genetic privacy law enhances pre-existing protections in Connecticut law for genetic data, which was already protected as “sensitive data” under the Connecticut Data Privacy Act.

Attorney General Tong and Indiana Attorney General Todd Rokita co-led the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, North Carolina, North Dakota, New Hampshire, New Jersey, New Mexico, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia in today’s settlement.

Assistant Attorneys General Patrick Kania and John Neumon, as well as Deputy Associate Attorney General and Privacy Section Chief Michele Lucan, assisted the Attorney General in this matter.


Twitter: @AGWilliamTong
Facebook: CT Attorney General
Media Contact:

Elizabeth Benton
elizabeth.benton@ct.gov

Consumer Inquiries:

860-808-5318
attorney.general@ct.gov

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.

Share this page:

Advanced Search Options

Search for:

Search scope:

Type:

Search in:

Date range:

The last

Sort by:

Sign up for:

Bay State Times

The daily local news briefing you can trust. Every day. Subscribe now.

By signing up, you agree to our Terms & Conditions.