Quick Answer
- What this is: A class action lawsuit and $30 million settlement against 23andMe arising from an October 2023 credential stuffing attack that exposed the genetic, health, and personal data of approximately 6.9 million users.
- Who qualifies: U.S.-based 23andMe customers whose personal or genetic data was accessed or scraped during the breach period, particularly those who received a breach notification letter in late 2023 or early 2024.
- What it may be worth: After attorneys’ fees and administration costs, most ordinary class members are estimated to receive between $100 and $400, with higher amounts available for documented out-of-pocket losses. Recovery is complicated by 23andMe’s Chapter 11 bankruptcy filing in March 2025.
Case Snapshot
| Detail | Information |
|---|---|
| Court | San Francisco Superior Court, State of California |
| Case Number | CGC-23-609906 |
| Presiding Judge | Hon. Andrew Y.S. Cheng |
| Breach Detected | October 2023 (credential stuffing attack) |
| Breach Notification to Users | December 2023 through early 2024 |
| Settlement Fund | $30 million |
| Preliminary Settlement Approval | September 2024 |
| 23andMe Bankruptcy Filing | March 2025, U.S. Bankruptcy Court, N.D. California |
| Current Status | Settlement administration ongoing; bankruptcy proceedings active in 2026 |
| Defendant | 23andMe Inc. |
The 23andMe data breach lawsuit is one of the most legally consequential consumer privacy cases of the decade, not only because of its scale but because of what was exposed. A credential stuffing attack in October 2023 allowed unauthorized actors to access approximately 6.9 million user profiles, including genetic ancestry data, health predisposition reports, and the personal information of DNA-matched relatives.
The breach produced dozens of class action complaints consolidated in San Francisco Superior Court. A $30 million settlement reached preliminary court approval in September 2024. Then, in March 2025, 23andMe filed for Chapter 11 bankruptcy protection, injecting significant uncertainty into when and how much affected users will actually receive.
For current and former 23andMe customers, the intersection of the settlement and the bankruptcy is what makes this case uniquely complex. Standard class action mechanics changed the moment the company entered insolvency proceedings.
The 2026 litigation picture requires understanding both tracks simultaneously.
What Is the 23andMe Data Breach Lawsuit?
The 23andMe data breach lawsuit is a consolidated class action proceeding pending in San Francisco Superior Court under Case No. CGC-23-609906. It alleges that 23andMe failed to implement adequate security measures to protect user data, failed to detect the intrusion promptly, and failed to notify affected users within legally required timeframes.

The legal theories in the consolidated complaints include negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Consumer Privacy Act. Several complaints filed by Illinois residents separately invoke the Illinois Genetic Information Privacy Act, which carries its own statutory damages framework.
The case is presided over by Hon. Andrew Y.S. Cheng of the San Francisco Superior Court. That court has jurisdiction because 23andMe is headquartered in South San Francisco, California.
Core legal theories alleged:
- Negligence (failure to implement reasonable cybersecurity protocols)
- Negligence per se (violation of CCPA, FTC Act standards, and state data breach notification statutes)
- Breach of contract and implied contract (users provided data under a reasonable expectation of security)
- Unjust enrichment (company profited from data while failing to protect it)
- CCPA violations (failure to disclose and protect personal information)
- GIPA violations (Illinois plaintiffs, genetic data-specific statute)
Attorney Insight: Attorneys handling these claims point to the CCPA and GIPA statutory frameworks as the backbone of damages calculations. Unlike general negligence claims, these statutes allow per-violation statutory damages without requiring proof of specific out-of-pocket loss.
How Did the 23andMe Data Breach Class Action Develop?
The 23andMe data breach class action developed rapidly following the company’s public disclosure in October 2023. Initial reports indicated that user data was appearing for sale on dark web forums. 23andMe confirmed the breach originated from a credential stuffing attack, where bad actors used usernames and passwords stolen from other breached services to access 23andMe accounts.
The attack was amplified by 23andMe’s DNA Relatives feature. Once inside an individual account, attackers could scrape the profile data of that user’s genetic matches, exponentially expanding the reach of each compromised credential.
Plaintiff firms filed the first federal complaints within days of the public disclosure. Those cases were subsequently transferred to California state court, where they consolidated with state-law complaints under the superior court’s jurisdiction.
Class action development timeline:
| Event | Date |
|---|---|
| Credential stuffing attack begins | October 2023 |
| 23andMe confirms breach publicly | October 2023 |
| First class action complaints filed | October through November 2023 |
| Cases consolidated in S.F. Superior Court | Early 2024 |
| $30M settlement reached | Mid-2024 |
| Preliminary settlement approval | September 2024 |
| 23andMe files Chapter 11 bankruptcy | March 2025 |
| Settlement administration / bankruptcy proceedings | 2025 through 2026 |
Attorney Insight: Attorneys handling these claims point to the DNA Relatives amplification as a significant liability-expanding fact. Each compromised credential did not expose one person’s data. It exposed the data of every genetic relative linked to that account.
What Data Was Stolen in the 23andMe Breach?
The data stolen in the 23andMe breach falls into two distinct categories, and that distinction matters significantly in litigation. The first category is standard personal identifying information. The second is genetic and health-specific data, which carries higher legal protection under multiple state statutes.
Standard personal data exposed includes names, email addresses, birth years, geographic locations, and profile photos. Genetic and health data exposed includes ancestry composition results, haplogroups, DNA segment data shared with relatives, and in some accounts, health predisposition reports covering disease risk factors.
According to company disclosures, approximately 5.5 million users had their DNA Relatives profile data scraped. An additional 1.4 million users had their family tree information accessed. The combined affected population reached approximately 6.9 million individuals.
Data categories confirmed compromised:
| Data Category | Approximate Users Affected | Legal Sensitivity |
|---|---|---|
| DNA Relatives profile data | 5.5 million | High (genetic data statutes) |
| Family tree information | 1.4 million | Moderate |
| Ancestry composition results | Subset of above | High |
| Health predisposition reports | Subset of above | Very high (HIPAA-adjacent) |
| Names, emails, birth years | Broad overlap | Standard |
| Geographic location data | Broad overlap | Standard |
Attorney Insight: Attorneys handling these claims point to health predisposition data as the most sensitive category. Exposure of disease risk information creates harms that extend beyond identity theft into employment discrimination, insurance denials, and personal privacy violations that courts treat as categorically different from financial data exposure.
Litigation Watch: The credential stuffing entry point, the DNA Relatives amplification mechanism, and the two-tier nature of the exposed data (personal plus genetic) collectively frame why this breach generated more class action complaints than most consumer data incidents of comparable raw size.
Why Does Genetic Data Exposure Make This Case Unique?
Genetic data exposure makes the 23andMe breach legally distinct from standard consumer data breaches because it triggers a separate layer of statutory protection unavailable in most other breach cases. Unlike payment card data or email addresses, genetic information is regulated by specific statutes in multiple states that create independent causes of action.
The Illinois Genetic Information Privacy Act (GIPA) is the most significant. GIPA prohibits the unauthorized disclosure of genetic information and provides for statutory damages of $2,500 per negligent violation and $15,000 per intentional violation, without requiring proof of actual harm. Illinois plaintiffs in the 23andMe litigation pursued GIPA claims alongside the consolidated California proceeding.
California’s CCPA provides its own enhanced protection for “sensitive personal information,” a category that explicitly includes genetic data. That classification allows California residents to seek damages on a per-violation basis rather than per-incident.
Genetic data statutory frameworks:
| State | Applicable Statute | Per-Violation Damages | Proof of Harm Required |
|---|---|---|---|
| Illinois | GIPA | $2,500 (negligent) / $15,000 (intentional) | No |
| California | CCPA (sensitive data provisions) | $100 to $750 per incident | No |
| Texas | Texas Genetic Privacy Act | AG enforcement only | N/A for private claims |
| Federal | No comprehensive federal genetic privacy statute | N/A | N/A |
Attorney Insight: Attorneys handling these claims point to the Illinois GIPA framework as the single most powerful individual damages tool in this litigation. An Illinois resident whose genetic data was exposed may have a standalone GIPA claim worth substantially more than their share of the $30 million class settlement.
Who Qualifies for the 23andMe Data Breach Lawsuit?
Anyone who was a registered 23andMe user before the October 2023 breach and whose personal or genetic data was accessed during the attack may qualify for the class action settlement. This includes users of the DNA Relatives feature and customers whose profiles were scraped even if they did not directly receive a breach notification.
Qualification is based on data exposure, not on whether the individual suffered a downstream financial loss. The settlement class is defined as all U.S. residents who were 23andMe customers and whose personal information was compromised in the breach period.
Employees of 23andMe and certain related parties are excluded from the class. Individuals who previously opted out of any earlier class action related to the breach are also excluded.
Who likely qualifies:
- Registered 23andMe users with active accounts before October 2023
- Users who received a breach notification email or letter from 23andMe
- Users whose DNA Relatives profiles were enabled at the time of the attack
- Users whose ancestry, health, or profile data appeared in the scraped data sets
- Family members of account holders whose relative-matching data was accessed
Who does not qualify:
- Individuals who never created a 23andMe account
- Individuals who previously filed and resolved an individual claim against 23andMe
- 23andMe employees and officers
- Individuals who timely opted out of the settlement class
Attorney Insight: Attorneys handling these claims point to the DNA Relatives feature as expanding the class significantly beyond account holders who directly received notification letters. If your genetic relative was breached and their DNA match data included your profile, your information was accessed even if 23andMe did not directly notify you.
What Are the Full Eligibility Requirements for the 23andMe Claim?
Full eligibility for the 23andMe data breach claim requires meeting three threshold criteria: being a U.S. resident, having been a 23andMe customer before the October 2023 breach, and having personal or genetic information compromised in that breach.
The burden of establishing eligibility rests primarily on the claims administrator’s matching of submitted claim information against 23andMe’s account database. Claimants who received a breach notification letter have a built-in confirmation of their status. Those who did not receive a letter may still qualify based on account records.
Documented out-of-pocket losses related to the breach elevate a claimant into a higher compensation tier. Those losses must be documented and reasonably traceable to the breach.
Eligibility checklist:
- [ ] U.S. resident at the time of the breach
- [ ] Active 23andMe account created before October 2023
- [ ] Personal, genetic, or health data stored in 23andMe systems
- [ ] Did not previously opt out of the settlement class
- [ ] Has not already received individual settlement compensation from 23andMe
- [ ] Can provide account email address or confirmation of account registration
Documentation that strengthens a claim:
- Breach notification email from 23andMe (preserve the original)
- 23andMe account registration confirmation emails
- Records of any unauthorized account access or suspicious activity
- Documentation of out-of-pocket losses (credit monitoring, ID theft protection costs)
Attorney Insight: Attorneys handling these claims point to the account email address as the primary identifier the claims administrator uses. Claimants who no longer have access to the email linked to their 23andMe account should document their account existence through any available records before submitting.
Did 23andMe Send Data Breach Notifications to Affected Users?
23andMe sent breach notification emails to affected users beginning in December 2023, approximately two months after the credential stuffing attack began in October 2023. That two-month gap became a specific point of legal challenge in multiple complaints.
Under California law, breach notification must occur “expeditiously” after discovery of the breach. Under the California Consumer Privacy Act, companies have 45 days from discovery. The gap between discovery and notification is alleged to have exceeded that threshold for a significant portion of the affected population.
Notification letters confirmed the specific data categories exposed for each individual. Not all affected users received identical notifications. Users whose DNA Relatives data was scraped but who did not have other profile data exposed received different notification language than those with health predisposition data accessed.
Notification timeline:
| Event | Date |
|---|---|
| Credential stuffing attack detected | October 2023 |
| 23andMe public statement acknowledging breach | October 2023 |
| Individual breach notification emails sent | December 2023 |
| Notification letters to highest-risk users | December 2023 through January 2024 |
| California law notification deadline (45 days) | Mid-November 2023 (approximate) |
Attorney Insight: Attorneys handling these claims point to the notification delay as an independent basis for enhanced statutory damages under the CCPA’s failure-to-notify provisions, separate from the underlying negligence theory for the breach itself.
Litigation Watch: The notification delay, the GIPA genetic data overlay for Illinois residents, and the DNA Relatives amplification effect collectively make the 23andMe breach legally distinct from standard credential theft cases, and those distinctions directly affect the valuation of individual claims.
What Does It Mean to Opt Out of the 23andMe Class Action?
Opting out of the 23andMe class action means formally removing yourself from the settlement class, which releases the right to receive any payment from the $30 million fund in exchange for preserving the right to file an individual lawsuit against 23andMe.
For most class members, opting out is not the practical choice. Individual data breach claims against a company in bankruptcy carry significant enforcement risk even if a judgment is obtained. The settlement provides a guaranteed, court-supervised recovery pathway.
However, for individuals with substantial documented harm, such as verified identity theft, loss of health insurance, or employment discrimination tied to exposed genetic information, an individual claim may theoretically yield higher recovery than a pro rata share of the settlement fund.
Opt-out considerations:
| Factor | Stay In Class | Opt Out and Sue Individually |
|---|---|---|
| Documented harm | Minimal to moderate | Significant and traceable |
| Legal costs | None (contingency model) | Personal or attorney-funded |
| Recovery certainty | Higher (fund exists) | Lower (especially in bankruptcy) |
| Recovery amount | Lower (pro rata share) | Potentially higher if harm is severe |
| Bankruptcy risk | Mitigated by settlement approval | Full bankruptcy exposure |
Attorney Insight: Attorneys handling these claims point to the bankruptcy filing as making opt-out decisions significantly more consequential than in a solvent-defendant settlement. An individual judgment against a Chapter 11 debtor may be worth less than a confirmed share of a court-approved settlement fund.
What Is the 23andMe Data Breach Settlement?
The 23andMe data breach settlement is a $30 million class action settlement reached in mid-2024 and granted preliminary approval by Hon. Andrew Y.S. Cheng of San Francisco Superior Court in September 2024. It resolves claims brought by approximately 6.9 million affected users whose data was compromised in the October 2023 breach.
The settlement fund covers monetary compensation to class members, attorneys’ fees (expected to be 25 to 33 percent of the fund), claims administration costs, and class representative service awards. What remains after those deductions is distributed on a pro rata basis among valid claimants.
The settlement also includes non-monetary relief. As a condition of approval, 23andMe was required to implement specified data security improvements and provide affected users with access to credit monitoring services.
Settlement structure at a glance:
| Component | Detail |
|---|---|
| Total settlement fund | $30 million |
| Attorneys’ fees (estimated) | $7.5M to $10M (25% to 33%) |
| Administration costs (estimated) | $1M to $2M |
| Net fund available to claimants | Approximately $18M to $21.5M |
| Non-monetary relief | Security upgrades, credit monitoring |
| Court | San Francisco Superior Court |
| Case number | CGC-23-609906 |
Attorney Insight: Attorneys handling these claims point to the gap between the $30 million headline figure and the net distributable amount as critical for claimants calibrating their expectations. The $30 million gross figure is not what class members share among themselves.
How Much Is the 23andMe Data Breach Settlement Worth?
The 23andMe data breach settlement is worth $30 million in total. After deducting estimated attorneys’ fees of 25 to 33 percent and claims administration costs, the net fund available for distribution to class members falls in the range of $18 million to $21.5 million.
That net figure is then divided among all valid claimants on a pro rata basis. The number of valid claims submitted determines each person’s share. If 2 million valid claims are submitted against a $20 million net fund, each claimant receives approximately $10. If 200,000 claims are submitted, each claimant receives approximately $100.
Historical data breach settlement claims rates range from roughly 3 to 15 percent of the eligible class. Applied to a 6.9 million person class, that suggests between 207,000 and 1,035,000 valid claims, producing per-claimant estimates in the $20 to $100 range at the low end.
Settlement value scenarios by claims rate:
| Claims Rate | Estimated Claimants | Net Fund | Per-Claimant Share |
|---|---|---|---|
| 3% (low) | ~207,000 | ~$20M | ~$97 |
| 7% (moderate) | ~483,000 | ~$20M | ~$41 |
| 15% (high) | ~1,035,000 | ~$20M | ~$19 |
| Documented losses tier | Varies | Separate allocation | $200 to $2,500+ |
Attorney Insight: Attorneys handling these claims point to the participation rate as the single variable most likely to determine individual payouts. Lower participation produces higher individual payments. The claims window duration and publicity directly affect how many valid claims are filed.
Litigation Watch: The $30 million settlement figure, the attorneys’ fee deduction, and the pro rata distribution model mean most ordinary class members will receive less than $100 unless the claims rate is unusually low or their documented losses qualify them for enhanced compensation tiers.
What Is the Estimated Settlement Payout Per Person?
The estimated settlement payout per person in the 23andMe case ranges from $50 to $400 for ordinary class members with no documented out-of-pocket losses. That range reflects variable assumptions about final participation rates and the court’s approval of attorneys’ fees.
Claimants with documented losses, such as credit monitoring expenses, identity theft remediation costs, or time spent on fraud-related activity, are eligible for a higher tier. The settlement structure allocates a separate pool or uses a tiered claims process to address those enhanced claims, typically producing payouts in the $500 to $2,500 range.
Individuals with severe documented harm, such as confirmed identity theft or verified employment or insurance consequences from genetic data exposure, may submit documentation to claim above the enhanced tier, subject to individual claims review.
Estimated per-person payout by claim type:
| Claim Type | Estimated Payout | Required Documentation |
|---|---|---|
| Ordinary class member | $50 to $400 | Account registration / notification letter |
| Documented out-of-pocket losses | $500 to $2,500 | Receipts, fraud reports, credit freeze records |
| Severe harm (ID theft, insurance) | $2,500 to $5,000+ | Police report, insurer records, loss documentation |
| Illinois GIPA claimant (individual suit) | Up to $15,000 per violation | Separate individual filing required |
Attorney Insight: Attorneys handling these claims point to the Illinois GIPA pathway as a separate track entirely. Illinois residents should consult a privacy attorney about whether a GIPA individual claim, filed independently of the class settlement, produces a better outcome than remaining in the class.
How Much Money Can You Actually Expect to Receive?
What you can actually expect to receive from the 23andMe settlement depends on four variables: the total number of valid claims filed, the court-approved attorneys’ fee percentage, the claims tier your submission qualifies for, and how the Chapter 11 bankruptcy proceeding intersects with the settlement fund.
The bankruptcy filing is the most consequential variable. Settlement funds approved before a bankruptcy filing may be treated as a pre-petition obligation or as a separately administered trust. The specific treatment of the $30 million fund within 23andMe’s Chapter 11 proceeding was being actively litigated in 2025 and carries through into 2026.
If the court confirms that the settlement fund is held in trust separate from the bankruptcy estate, class members should receive their distributions on the court-approved timeline. If the fund is treated as a general unsecured creditor obligation, recovery may be substantially reduced or delayed.
Realistic recovery expectations:
- Ordinary class members in a best-case scenario: $100 to $400
- Ordinary class members in a worst-case bankruptcy scenario: $10 to $50 or delayed distribution
- Documented-loss claimants in best case: $500 to $2,500
- Illinois GIPA claimants (individual): Up to $15,000 per violation if pursued separately
Attorney Insight: Attorneys handling these claims point to the bankruptcy trustee’s treatment of the settlement fund as the most pressing legal question for affected users in 2026. The answer to that question does more to determine actual recovery than any other single factor.
What Is the Filing Deadline for the 23andMe Data Breach Claim?
The filing deadline for the 23andMe data breach claim was set as part of the preliminary settlement approval process in September 2024. As of early 2026, the specific claims deadline and any extensions related to the bankruptcy proceeding should be confirmed directly through the official settlement administrator.
Bankruptcy proceedings frequently toll or extend class action claims deadlines. When a company files Chapter 11, an automatic stay applies to most legal proceedings. The settlement claims process may have been paused, extended, or restructured as part of the bankruptcy plan of reorganization.
State law limitations periods remain independently relevant. California’s CCPA provides a four-year limitations period from the date of discovery. Illinois GIPA claims carry a five-year limitations period. Those windows began running from December 2023 for most notified claimants.
Key deadlines and windows:
| Deadline Type | Applicable Window | Notes |
|---|---|---|
| Settlement claims deadline (original) | Set at preliminary approval, Sept. 2024 | Verify current status via claims administrator |
| California CCPA limitations period | 4 years from discovery (by Dec. 2027) | For individual CCPA claims outside the settlement |
| Illinois GIPA limitations period | 5 years from discovery (by Dec. 2028) | For individual GIPA claims |
| Opt-out deadline | Set at preliminary approval | Expired for most claimants |
| Bankruptcy proof of claim deadline | Set by bankruptcy court | Check Northern District of California bankruptcy docket |
Attorney Insight: Attorneys handling these claims point to the bankruptcy proof of claim deadline as a separate filing requirement that affected users must not conflate with the class action claims process. Missing the bankruptcy creditor deadline may permanently bar recovery through that channel.
Litigation Watch: The intersection of the September 2024 preliminary settlement approval and the March 2025 bankruptcy filing created a procedural landscape that requires claimants to monitor both the San Francisco Superior Court docket and the Northern District of California bankruptcy court proceedings simultaneously.
How Do You Submit the 23andMe Data Breach Claim Form?
Submitting the 23andMe data breach claim form requires accessing the official settlement claims portal administered by the court-appointed claims administrator. That portal collects your account information, verifies your identity against 23andMe’s user database, and processes your claim tier based on the documentation you provide.
Given the bankruptcy filing, the status of the online claims portal should be verified before submitting. The settlement administrator may have suspended or restructured the filing process pending bankruptcy court direction.
Steps for submitting a claim:
- Locate the official 23andMe settlement claims website through a verified court notice or the San Francisco Superior Court docket for Case No. CGC-23-609906
- Submit your 23andMe account email address for identity verification
- Indicate the tier of claim you are submitting (ordinary class member or documented-loss tier)
- Upload documentation for enhanced claims: receipts, fraud reports, credit statements
- Retain your claim submission confirmation number
- Monitor the claims administrator’s communication channel for processing updates
Attorney Insight: Attorneys handling these claims point to the importance of not using third-party “claims filing services” that charge fees. The official claims process is free. Any service charging to file a data breach claim on your behalf is not affiliated with the court-approved process.
How Do You Join the 23andMe Data Breach Lawsuit?
Joining the 23andMe data breach lawsuit as an ordinary class member requires no affirmative legal action. If the settlement class was certified and you meet the eligibility criteria, you are automatically included unless you previously opted out.
Active participation, meaning submitting a claim form to receive payment, is what most affected users need to do. That requires filing through the official settlement claims process during the active claims window.
For individuals considering a more active legal role, such as objecting to the settlement terms or pursuing a separate individual claim, retaining a data breach attorney before the relevant deadlines is necessary.
Your options as a potential class member:
| Option | Action Required | Best For |
|---|---|---|
| Receive settlement payment | File a claim form | Most class members |
| Object to settlement terms | File written objection with court | Those who believe terms are inadequate |
| Opt out and sue individually | Submit opt-out form before deadline | Those with severe documented harm |
| File GIPA claim individually (Illinois) | Retain attorney for separate filing | Illinois residents with genetic data exposure |
| File bankruptcy proof of claim | Submit to N.D. Cal. bankruptcy court | Those seeking direct creditor status |
Attorney Insight: Attorneys handling these claims point to the bankruptcy proof of claim filing as an action that most affected users overlook. Even if you filed a class action claim form, submitting a separate proof of claim in the bankruptcy proceeding may preserve an independent recovery pathway.
What Type of Attorney Handles the 23andMe Data Breach Case?
Data breach class actions like the 23andMe case are handled by plaintiff-side class action attorneys who specialize in privacy litigation, consumer data protection, and cybersecurity negligence. These attorneys typically operate on contingency fee arrangements, meaning no fees unless there is a recovery.
For individual claimants with significant documented harm, a privacy attorney with specific experience in genetic data law and California CCPA or Illinois GIPA litigation is the appropriate specialist. These cases involve statutory frameworks that general personal injury attorneys are not equipped to handle.
For Illinois residents pursuing individual GIPA claims, the attorney must have specific familiarity with GIPA’s per-violation damages structure and the Illinois Supreme Court’s jurisprudence on biometric and genetic privacy standing.
Attorney types and their roles:
| Attorney Type | Role | Best For |
|---|---|---|
| Plaintiff class action attorney | Filed and manages consolidated class claims | General class membership and settlement oversight |
| Privacy / data breach litigation specialist | Handles individual CCPA and GIPA claims | Claimants with significant individual damages |
| Bankruptcy creditor attorney | Navigates Chapter 11 proof of claim process | Claimants seeking direct bankruptcy creditor status |
| Consumer protection attorney | Pursues state-law statutory remedies | State-specific statutory claims outside the settlement |
Attorney Insight: Attorneys handling these claims point to the bankruptcy dimension as requiring a different specialty than the underlying data breach litigation. A privacy attorney and a bankruptcy creditor attorney may both be needed for claimants pursuing all available recovery pathways.
How Does 23andMe’s Bankruptcy Affect the Settlement?
23andMe’s Chapter 11 bankruptcy filing in March 2025 introduced significant uncertainty into the settlement distribution process. In a standard class action settlement, funds are deposited into a court-approved trust and distributed according to the settlement agreement timeline. Bankruptcy complicates that model.
When a company files for Chapter 11, an automatic stay halts most collection and payment actions against the debtor. Whether the $30 million settlement fund, if already deposited into a trust before the bankruptcy filing, is protected from the automatic stay depends on the specific trust structure and when the deposit occurred.
If the fund was fully deposited and held in trust before March 2025, it may be insulated from the bankruptcy estate and distributed according to the superior court’s schedule. If the fund was not fully funded prior to bankruptcy, the remaining obligation becomes a bankruptcy estate claim, subject to creditor priority rules.
Bankruptcy impact analysis:
| Scenario | Impact on Settlement Recovery |
|---|---|
| Fund fully in trust before bankruptcy | Distributions proceed; claimants likely protected |
| Fund partially funded at bankruptcy | Remaining balance treated as bankruptcy claim |
| 23andMe reorganizes and emerges | Settlement distributions may resume under reorganization plan |
| 23andMe converts to Chapter 7 (liquidation) | Class claimants become general unsecured creditors; recovery severely reduced |
| Court approves separate trust for settlement | Claimants protected from general bankruptcy pool |
Attorney Insight: Attorneys handling these claims point to the Chapter 7 conversion risk as the scenario that most dramatically reduces class member recovery. Monitoring the Northern District of California bankruptcy docket for conversion motions is the single most important action sophisticated claimants can take in 2026.
Litigation Watch: The bankruptcy filing is not a reason to abandon a claim. It is a reason to file a proof of claim in the bankruptcy proceeding as well as completing the class action claims form, preserving recovery rights on both tracks simultaneously.
Where Does the 23andMe Data Breach Lawsuit Stand in 2026?
In 2026, the 23andMe data breach lawsuit occupies two parallel legal forums simultaneously. The class action settlement proceedings remain before Hon. Andrew Y.S. Cheng in San Francisco Superior Court under Case No. CGC-23-609906. The bankruptcy case proceeds in the U.S. Bankruptcy Court for the Northern District of California.
The settlement’s final approval status and fund disbursement timeline are directly dependent on how the bankruptcy court treats the pre-existing settlement obligation. The company’s reorganization plan, which is being formulated in 2025 and 2026, will specify how class action settlement claims are classified and paid.
Claimants who filed claims during the open window and also filed proofs of claim in the bankruptcy proceeding have the strongest dual-track recovery position.
2026 status summary:
| Legal Forum | Matter | Current Status |
|---|---|---|
| San Francisco Superior Court (CGC-23-609906) | Class action settlement | Final approval proceedings ongoing |
| U.S. Bankruptcy Court, N.D. California | Chapter 11 reorganization | Active; plan of reorganization in development |
| Illinois state courts | Individual GIPA claims | Active for individually filed cases |
| Settlement claims portal | Claims administration | Status subject to bankruptcy court direction |
Attorney Insight: Attorneys handling these claims point to 2026 as a year where monitoring both court dockets is essential. Developments in the bankruptcy proceeding will directly and immediately affect what class members receive and when.
Frequently Asked Questions
Is the 23andMe data breach settlement still accepting claims in 2026?
The claims process status in 2026 depends on the interaction between the settlement and the March 2025 bankruptcy filing.
Claimants should verify the current status of the official claims portal through the San Francisco Superior Court docket for Case No. CGC-23-609906.
The bankruptcy automatic stay may have extended or paused the standard claims window.
How much will each person receive from the 23andMe settlement?
Most ordinary class members are estimated to receive between $50 and $400, depending on the total number of valid claims filed and attorneys’ fee deductions from the $30 million fund.
Claimants with documented out-of-pocket losses may qualify for enhanced payments in the $500 to $2,500 range.
The bankruptcy proceedings add uncertainty to both the timing and the final per-person amounts.
Does the 23andMe bankruptcy mean claimants won’t get paid?
Not necessarily. Whether claimants are paid depends on whether the $30 million settlement fund was held in a protected trust before the bankruptcy filing.
If the fund is insulated from the bankruptcy estate, distributions may proceed on the settlement timeline.
Claimants should file proofs of claim in the bankruptcy proceeding as a protective measure, preserving rights regardless of how the court ultimately classifies the settlement obligation.
What specific data was exposed in the 23andMe breach?
The breach exposed DNA Relatives profile data for approximately 5.5 million users and family tree information for 1.4 million additional users.
Health predisposition reports, ancestry composition data, names, email addresses, birth years, and geographic locations were also accessed for varying subsets of the affected population.
The credential stuffing attack method meant that the scope of exposure depended on which accounts were compromised and what features those account holders had enabled.
Do Illinois residents have a stronger claim than other states?
Yes. Illinois residents whose genetic data was exposed have a separate cause of action under the Illinois Genetic Information Privacy Act (GIPA), which allows per-violation statutory damages of $2,500 to $15,000 without requiring proof of actual harm.
That individual GIPA claim is separate from the class action settlement and must be filed independently.
Illinois residents should consult a privacy attorney about whether pursuing an individual GIPA claim produces a better outcome than their pro rata share of the class settlement.
What type of lawyer should I contact about the 23andMe data breach lawsuit?
A plaintiff-side class action attorney specializing in privacy litigation or consumer data protection is the appropriate starting point for most affected users.
Illinois residents with genetic data exposure should specifically seek an attorney with GIPA litigation experience.
Claimants with significant documented harm should consult a privacy attorney before the claims window closes to evaluate whether individual representation outperforms automatic class participation.
Closing
The 23andMe data breach lawsuit is not a simple file-and-receive case. The $30 million settlement, the 6.9 million affected users, the genetic data exposure, and the March 2025 bankruptcy filing make this one of the more procedurally complex consumer class actions currently before California courts.
For anyone affected, the immediate priorities are verifying current claims portal status, preserving all documentation, and filing a proof of claim in the bankruptcy proceeding if that window remains open.
If you are an Illinois resident, experienced documented financial harm, or had health predisposition data exposed, a privacy attorney consultation before any deadline passes is the concrete next step. These attorneys handle data breach claims on contingency and can assess whether the class settlement or an individual recovery pathway serves you better.
