Spread the love


Quick Answer

  • What this is: A class action lawsuit and $30 million settlement against 23andMe arising from an October 2023 credential stuffing attack that exposed the genetic, health, and personal data of approximately 6.9 million users.
  • Who qualifies: U.S.-based 23andMe customers whose personal or genetic data was accessed or scraped during the breach period, particularly those who received a breach notification letter in late 2023 or early 2024.
  • What it may be worth: After attorneys’ fees and administration costs, most ordinary class members are estimated to receive between $100 and $400, with higher amounts available for documented out-of-pocket losses. Recovery is complicated by 23andMe’s Chapter 11 bankruptcy filing in March 2025.

Case Snapshot

DetailInformation
CourtSan Francisco Superior Court, State of California
Case NumberCGC-23-609906
Presiding JudgeHon. Andrew Y.S. Cheng
Breach DetectedOctober 2023 (credential stuffing attack)
Breach Notification to UsersDecember 2023 through early 2024
Settlement Fund$30 million
Preliminary Settlement ApprovalSeptember 2024
23andMe Bankruptcy FilingMarch 2025, U.S. Bankruptcy Court, N.D. California
Current StatusSettlement administration ongoing; bankruptcy proceedings active in 2026
Defendant23andMe Inc.

The 23andMe data breach lawsuit is one of the most legally consequential consumer privacy cases of the decade, not only because of its scale but because of what was exposed. A credential stuffing attack in October 2023 allowed unauthorized actors to access approximately 6.9 million user profiles, including genetic ancestry data, health predisposition reports, and the personal information of DNA-matched relatives.

The breach produced dozens of class action complaints consolidated in San Francisco Superior Court. A $30 million settlement reached preliminary court approval in September 2024. Then, in March 2025, 23andMe filed for Chapter 11 bankruptcy protection, injecting significant uncertainty into when and how much affected users will actually receive.

For current and former 23andMe customers, the intersection of the settlement and the bankruptcy is what makes this case uniquely complex. Standard class action mechanics changed the moment the company entered insolvency proceedings.

The 2026 litigation picture requires understanding both tracks simultaneously.


What Is the 23andMe Data Breach Lawsuit?

The 23andMe data breach lawsuit is a consolidated class action proceeding pending in San Francisco Superior Court under Case No. CGC-23-609906. It alleges that 23andMe failed to implement adequate security measures to protect user data, failed to detect the intrusion promptly, and failed to notify affected users within legally required timeframes.

The legal theories in the consolidated complaints include negligence, negligence per se, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Consumer Privacy Act. Several complaints filed by Illinois residents separately invoke the Illinois Genetic Information Privacy Act, which carries its own statutory damages framework.

The case is presided over by Hon. Andrew Y.S. Cheng of the San Francisco Superior Court. That court has jurisdiction because 23andMe is headquartered in South San Francisco, California.

Core legal theories alleged:

  • Negligence (failure to implement reasonable cybersecurity protocols)
  • Negligence per se (violation of CCPA, FTC Act standards, and state data breach notification statutes)
  • Breach of contract and implied contract (users provided data under a reasonable expectation of security)
  • Unjust enrichment (company profited from data while failing to protect it)
  • CCPA violations (failure to disclose and protect personal information)
  • GIPA violations (Illinois plaintiffs, genetic data-specific statute)

Attorney Insight: Attorneys handling these claims point to the CCPA and GIPA statutory frameworks as the backbone of damages calculations. Unlike general negligence claims, these statutes allow per-violation statutory damages without requiring proof of specific out-of-pocket loss.


How Did the 23andMe Data Breach Class Action Develop?

The 23andMe data breach class action developed rapidly following the company’s public disclosure in October 2023. Initial reports indicated that user data was appearing for sale on dark web forums. 23andMe confirmed the breach originated from a credential stuffing attack, where bad actors used usernames and passwords stolen from other breached services to access 23andMe accounts.

The attack was amplified by 23andMe’s DNA Relatives feature. Once inside an individual account, attackers could scrape the profile data of that user’s genetic matches, exponentially expanding the reach of each compromised credential.

Plaintiff firms filed the first federal complaints within days of the public disclosure. Those cases were subsequently transferred to California state court, where they consolidated with state-law complaints under the superior court’s jurisdiction.

Class action development timeline:

EventDate
Credential stuffing attack beginsOctober 2023
23andMe confirms breach publiclyOctober 2023
First class action complaints filedOctober through November 2023
Cases consolidated in S.F. Superior CourtEarly 2024
$30M settlement reachedMid-2024
Preliminary settlement approvalSeptember 2024
23andMe files Chapter 11 bankruptcyMarch 2025
Settlement administration / bankruptcy proceedings2025 through 2026

Attorney Insight: Attorneys handling these claims point to the DNA Relatives amplification as a significant liability-expanding fact. Each compromised credential did not expose one person’s data. It exposed the data of every genetic relative linked to that account.


What Data Was Stolen in the 23andMe Breach?

The data stolen in the 23andMe breach falls into two distinct categories, and that distinction matters significantly in litigation. The first category is standard personal identifying information. The second is genetic and health-specific data, which carries higher legal protection under multiple state statutes.

Standard personal data exposed includes names, email addresses, birth years, geographic locations, and profile photos. Genetic and health data exposed includes ancestry composition results, haplogroups, DNA segment data shared with relatives, and in some accounts, health predisposition reports covering disease risk factors.

According to company disclosures, approximately 5.5 million users had their DNA Relatives profile data scraped. An additional 1.4 million users had their family tree information accessed. The combined affected population reached approximately 6.9 million individuals.

Data categories confirmed compromised:

Data CategoryApproximate Users AffectedLegal Sensitivity
DNA Relatives profile data5.5 millionHigh (genetic data statutes)
Family tree information1.4 millionModerate
Ancestry composition resultsSubset of aboveHigh
Health predisposition reportsSubset of aboveVery high (HIPAA-adjacent)
Names, emails, birth yearsBroad overlapStandard
Geographic location dataBroad overlapStandard

Attorney Insight: Attorneys handling these claims point to health predisposition data as the most sensitive category. Exposure of disease risk information creates harms that extend beyond identity theft into employment discrimination, insurance denials, and personal privacy violations that courts treat as categorically different from financial data exposure.

Litigation Watch: The credential stuffing entry point, the DNA Relatives amplification mechanism, and the two-tier nature of the exposed data (personal plus genetic) collectively frame why this breach generated more class action complaints than most consumer data incidents of comparable raw size.


Why Does Genetic Data Exposure Make This Case Unique?

Genetic data exposure makes the 23andMe breach legally distinct from standard consumer data breaches because it triggers a separate layer of statutory protection unavailable in most other breach cases. Unlike payment card data or email addresses, genetic information is regulated by specific statutes in multiple states that create independent causes of action.

The Illinois Genetic Information Privacy Act (GIPA) is the most significant. GIPA prohibits the unauthorized disclosure of genetic information and provides for statutory damages of $2,500 per negligent violation and $15,000 per intentional violation, without requiring proof of actual harm. Illinois plaintiffs in the 23andMe litigation pursued GIPA claims alongside the consolidated California proceeding.

California’s CCPA provides its own enhanced protection for “sensitive personal information,” a category that explicitly includes genetic data. That classification allows California residents to seek damages on a per-violation basis rather than per-incident.

Genetic data statutory frameworks:

StateApplicable StatutePer-Violation DamagesProof of Harm Required
IllinoisGIPA$2,500 (negligent) / $15,000 (intentional)No
CaliforniaCCPA (sensitive data provisions)$100 to $750 per incidentNo
TexasTexas Genetic Privacy ActAG enforcement onlyN/A for private claims
FederalNo comprehensive federal genetic privacy statuteN/AN/A

Attorney Insight: Attorneys handling these claims point to the Illinois GIPA framework as the single most powerful individual damages tool in this litigation. An Illinois resident whose genetic data was exposed may have a standalone GIPA claim worth substantially more than their share of the $30 million class settlement.


Who Qualifies for the 23andMe Data Breach Lawsuit?

Anyone who was a registered 23andMe user before the October 2023 breach and whose personal or genetic data was accessed during the attack may qualify for the class action settlement. This includes users of the DNA Relatives feature and customers whose profiles were scraped even if they did not directly receive a breach notification.

Qualification is based on data exposure, not on whether the individual suffered a downstream financial loss. The settlement class is defined as all U.S. residents who were 23andMe customers and whose personal information was compromised in the breach period.

Employees of 23andMe and certain related parties are excluded from the class. Individuals who previously opted out of any earlier class action related to the breach are also excluded.

Who likely qualifies:

  • Registered 23andMe users with active accounts before October 2023
  • Users who received a breach notification email or letter from 23andMe
  • Users whose DNA Relatives profiles were enabled at the time of the attack
  • Users whose ancestry, health, or profile data appeared in the scraped data sets
  • Family members of account holders whose relative-matching data was accessed

Who does not qualify:

  • Individuals who never created a 23andMe account
  • Individuals who previously filed and resolved an individual claim against 23andMe
  • 23andMe employees and officers
  • Individuals who timely opted out of the settlement class

Attorney Insight: Attorneys handling these claims point to the DNA Relatives feature as expanding the class significantly beyond account holders who directly received notification letters. If your genetic relative was breached and their DNA match data included your profile, your information was accessed even if 23andMe did not directly notify you.


What Are the Full Eligibility Requirements for the 23andMe Claim?

Full eligibility for the 23andMe data breach claim requires meeting three threshold criteria: being a U.S. resident, having been a 23andMe customer before the October 2023 breach, and having personal or genetic information compromised in that breach.

The burden of establishing eligibility rests primarily on the claims administrator’s matching of submitted claim information against 23andMe’s account database. Claimants who received a breach notification letter have a built-in confirmation of their status. Those who did not receive a letter may still qualify based on account records.

Documented out-of-pocket losses related to the breach elevate a claimant into a higher compensation tier. Those losses must be documented and reasonably traceable to the breach.

Eligibility checklist:

  • [ ] U.S. resident at the time of the breach
  • [ ] Active 23andMe account created before October 2023
  • [ ] Personal, genetic, or health data stored in 23andMe systems
  • [ ] Did not previously opt out of the settlement class
  • [ ] Has not already received individual settlement compensation from 23andMe
  • [ ] Can provide account email address or confirmation of account registration

Documentation that strengthens a claim:

  • Breach notification email from 23andMe (preserve the original)
  • 23andMe account registration confirmation emails
  • Records of any unauthorized account access or suspicious activity
  • Documentation of out-of-pocket losses (credit monitoring, ID theft protection costs)

Attorney Insight: Attorneys handling these claims point to the account email address as the primary identifier the claims administrator uses. Claimants who no longer have access to the email linked to their 23andMe account should document their account existence through any available records before submitting.


Did 23andMe Send Data Breach Notifications to Affected Users?

23andMe sent breach notification emails to affected users beginning in December 2023, approximately two months after the credential stuffing attack began in October 2023. That two-month gap became a specific point of legal challenge in multiple complaints.

Under California law, breach notification must occur “expeditiously” after discovery of the breach. Under the California Consumer Privacy Act, companies have 45 days from discovery. The gap between discovery and notification is alleged to have exceeded that threshold for a significant portion of the affected population.

Notification letters confirmed the specific data categories exposed for each individual. Not all affected users received identical notifications. Users whose DNA Relatives data was scraped but who did not have other profile data exposed received different notification language than those with health predisposition data accessed.

Notification timeline:

EventDate
Credential stuffing attack detectedOctober 2023
23andMe public statement acknowledging breachOctober 2023
Individual breach notification emails sentDecember 2023
Notification letters to highest-risk usersDecember 2023 through January 2024
California law notification deadline (45 days)Mid-November 2023 (approximate)

Attorney Insight: Attorneys handling these claims point to the notification delay as an independent basis for enhanced statutory damages under the CCPA’s failure-to-notify provisions, separate from the underlying negligence theory for the breach itself.

Litigation Watch: The notification delay, the GIPA genetic data overlay for Illinois residents, and the DNA Relatives amplification effect collectively make the 23andMe breach legally distinct from standard credential theft cases, and those distinctions directly affect the valuation of individual claims.


What Does It Mean to Opt Out of the 23andMe Class Action?

Opting out of the 23andMe class action means formally removing yourself from the settlement class, which releases the right to receive any payment from the $30 million fund in exchange for preserving the right to file an individual lawsuit against 23andMe.

For most class members, opting out is not the practical choice. Individual data breach claims against a company in bankruptcy carry significant enforcement risk even if a judgment is obtained. The settlement provides a guaranteed, court-supervised recovery pathway.

However, for individuals with substantial documented harm, such as verified identity theft, loss of health insurance, or employment discrimination tied to exposed genetic information, an individual claim may theoretically yield higher recovery than a pro rata share of the settlement fund.

Opt-out considerations:

FactorStay In ClassOpt Out and Sue Individually
Documented harmMinimal to moderateSignificant and traceable
Legal costsNone (contingency model)Personal or attorney-funded
Recovery certaintyHigher (fund exists)Lower (especially in bankruptcy)
Recovery amountLower (pro rata share)Potentially higher if harm is severe
Bankruptcy riskMitigated by settlement approvalFull bankruptcy exposure

Attorney Insight: Attorneys handling these claims point to the bankruptcy filing as making opt-out decisions significantly more consequential than in a solvent-defendant settlement. An individual judgment against a Chapter 11 debtor may be worth less than a confirmed share of a court-approved settlement fund.


What Is the 23andMe Data Breach Settlement?

The 23andMe data breach settlement is a $30 million class action settlement reached in mid-2024 and granted preliminary approval by Hon. Andrew Y.S. Cheng of San Francisco Superior Court in September 2024. It resolves claims brought by approximately 6.9 million affected users whose data was compromised in the October 2023 breach.

The settlement fund covers monetary compensation to class members, attorneys’ fees (expected to be 25 to 33 percent of the fund), claims administration costs, and class representative service awards. What remains after those deductions is distributed on a pro rata basis among valid claimants.

The settlement also includes non-monetary relief. As a condition of approval, 23andMe was required to implement specified data security improvements and provide affected users with access to credit monitoring services.

Settlement structure at a glance:

ComponentDetail
Total settlement fund$30 million
Attorneys’ fees (estimated)$7.5M to $10M (25% to 33%)
Administration costs (estimated)$1M to $2M
Net fund available to claimantsApproximately $18M to $21.5M
Non-monetary reliefSecurity upgrades, credit monitoring
CourtSan Francisco Superior Court
Case numberCGC-23-609906

Attorney Insight: Attorneys handling these claims point to the gap between the $30 million headline figure and the net distributable amount as critical for claimants calibrating their expectations. The $30 million gross figure is not what class members share among themselves.


How Much Is the 23andMe Data Breach Settlement Worth?

The 23andMe data breach settlement is worth $30 million in total. After deducting estimated attorneys’ fees of 25 to 33 percent and claims administration costs, the net fund available for distribution to class members falls in the range of $18 million to $21.5 million.

That net figure is then divided among all valid claimants on a pro rata basis. The number of valid claims submitted determines each person’s share. If 2 million valid claims are submitted against a $20 million net fund, each claimant receives approximately $10. If 200,000 claims are submitted, each claimant receives approximately $100.

Historical data breach settlement claims rates range from roughly 3 to 15 percent of the eligible class. Applied to a 6.9 million person class, that suggests between 207,000 and 1,035,000 valid claims, producing per-claimant estimates in the $20 to $100 range at the low end.

Settlement value scenarios by claims rate:

Claims RateEstimated ClaimantsNet FundPer-Claimant Share
3% (low)~207,000~$20M~$97
7% (moderate)~483,000~$20M~$41
15% (high)~1,035,000~$20M~$19
Documented losses tierVariesSeparate allocation$200 to $2,500+

Attorney Insight: Attorneys handling these claims point to the participation rate as the single variable most likely to determine individual payouts. Lower participation produces higher individual payments. The claims window duration and publicity directly affect how many valid claims are filed.

Litigation Watch: The $30 million settlement figure, the attorneys’ fee deduction, and the pro rata distribution model mean most ordinary class members will receive less than $100 unless the claims rate is unusually low or their documented losses qualify them for enhanced compensation tiers.


What Is the Estimated Settlement Payout Per Person?

The estimated settlement payout per person in the 23andMe case ranges from $50 to $400 for ordinary class members with no documented out-of-pocket losses. That range reflects variable assumptions about final participation rates and the court’s approval of attorneys’ fees.

Claimants with documented losses, such as credit monitoring expenses, identity theft remediation costs, or time spent on fraud-related activity, are eligible for a higher tier. The settlement structure allocates a separate pool or uses a tiered claims process to address those enhanced claims, typically producing payouts in the $500 to $2,500 range.

Individuals with severe documented harm, such as confirmed identity theft or verified employment or insurance consequences from genetic data exposure, may submit documentation to claim above the enhanced tier, subject to individual claims review.

Estimated per-person payout by claim type:

Claim TypeEstimated PayoutRequired Documentation
Ordinary class member$50 to $400Account registration / notification letter
Documented out-of-pocket losses$500 to $2,500Receipts, fraud reports, credit freeze records
Severe harm (ID theft, insurance)$2,500 to $5,000+Police report, insurer records, loss documentation
Illinois GIPA claimant (individual suit)Up to $15,000 per violationSeparate individual filing required

Attorney Insight: Attorneys handling these claims point to the Illinois GIPA pathway as a separate track entirely. Illinois residents should consult a privacy attorney about whether a GIPA individual claim, filed independently of the class settlement, produces a better outcome than remaining in the class.


How Much Money Can You Actually Expect to Receive?

What you can actually expect to receive from the 23andMe settlement depends on four variables: the total number of valid claims filed, the court-approved attorneys’ fee percentage, the claims tier your submission qualifies for, and how the Chapter 11 bankruptcy proceeding intersects with the settlement fund.

The bankruptcy filing is the most consequential variable. Settlement funds approved before a bankruptcy filing may be treated as a pre-petition obligation or as a separately administered trust. The specific treatment of the $30 million fund within 23andMe’s Chapter 11 proceeding was being actively litigated in 2025 and carries through into 2026.

If the court confirms that the settlement fund is held in trust separate from the bankruptcy estate, class members should receive their distributions on the court-approved timeline. If the fund is treated as a general unsecured creditor obligation, recovery may be substantially reduced or delayed.

Realistic recovery expectations:

  • Ordinary class members in a best-case scenario: $100 to $400
  • Ordinary class members in a worst-case bankruptcy scenario: $10 to $50 or delayed distribution
  • Documented-loss claimants in best case: $500 to $2,500
  • Illinois GIPA claimants (individual): Up to $15,000 per violation if pursued separately

Attorney Insight: Attorneys handling these claims point to the bankruptcy trustee’s treatment of the settlement fund as the most pressing legal question for affected users in 2026. The answer to that question does more to determine actual recovery than any other single factor.


What Is the Filing Deadline for the 23andMe Data Breach Claim?

The filing deadline for the 23andMe data breach claim was set as part of the preliminary settlement approval process in September 2024. As of early 2026, the specific claims deadline and any extensions related to the bankruptcy proceeding should be confirmed directly through the official settlement administrator.

Bankruptcy proceedings frequently toll or extend class action claims deadlines. When a company files Chapter 11, an automatic stay applies to most legal proceedings. The settlement claims process may have been paused, extended, or restructured as part of the bankruptcy plan of reorganization.

State law limitations periods remain independently relevant. California’s CCPA provides a four-year limitations period from the date of discovery. Illinois GIPA claims carry a five-year limitations period. Those windows began running from December 2023 for most notified claimants.

Key deadlines and windows:

Deadline TypeApplicable WindowNotes
Settlement claims deadline (original)Set at preliminary approval, Sept. 2024Verify current status via claims administrator
California CCPA limitations period4 years from discovery (by Dec. 2027)For individual CCPA claims outside the settlement
Illinois GIPA limitations period5 years from discovery (by Dec. 2028)For individual GIPA claims
Opt-out deadlineSet at preliminary approvalExpired for most claimants
Bankruptcy proof of claim deadlineSet by bankruptcy courtCheck Northern District of California bankruptcy docket

Attorney Insight: Attorneys handling these claims point to the bankruptcy proof of claim deadline as a separate filing requirement that affected users must not conflate with the class action claims process. Missing the bankruptcy creditor deadline may permanently bar recovery through that channel.

Litigation Watch: The intersection of the September 2024 preliminary settlement approval and the March 2025 bankruptcy filing created a procedural landscape that requires claimants to monitor both the San Francisco Superior Court docket and the Northern District of California bankruptcy court proceedings simultaneously.


How Do You Submit the 23andMe Data Breach Claim Form?

Submitting the 23andMe data breach claim form requires accessing the official settlement claims portal administered by the court-appointed claims administrator. That portal collects your account information, verifies your identity against 23andMe’s user database, and processes your claim tier based on the documentation you provide.

Given the bankruptcy filing, the status of the online claims portal should be verified before submitting. The settlement administrator may have suspended or restructured the filing process pending bankruptcy court direction.

Steps for submitting a claim:

  • Locate the official 23andMe settlement claims website through a verified court notice or the San Francisco Superior Court docket for Case No. CGC-23-609906
  • Submit your 23andMe account email address for identity verification
  • Indicate the tier of claim you are submitting (ordinary class member or documented-loss tier)
  • Upload documentation for enhanced claims: receipts, fraud reports, credit statements
  • Retain your claim submission confirmation number
  • Monitor the claims administrator’s communication channel for processing updates

Attorney Insight: Attorneys handling these claims point to the importance of not using third-party “claims filing services” that charge fees. The official claims process is free. Any service charging to file a data breach claim on your behalf is not affiliated with the court-approved process.


How Do You Join the 23andMe Data Breach Lawsuit?

Joining the 23andMe data breach lawsuit as an ordinary class member requires no affirmative legal action. If the settlement class was certified and you meet the eligibility criteria, you are automatically included unless you previously opted out.

Active participation, meaning submitting a claim form to receive payment, is what most affected users need to do. That requires filing through the official settlement claims process during the active claims window.

For individuals considering a more active legal role, such as objecting to the settlement terms or pursuing a separate individual claim, retaining a data breach attorney before the relevant deadlines is necessary.

Your options as a potential class member:

OptionAction RequiredBest For
Receive settlement paymentFile a claim formMost class members
Object to settlement termsFile written objection with courtThose who believe terms are inadequate
Opt out and sue individuallySubmit opt-out form before deadlineThose with severe documented harm
File GIPA claim individually (Illinois)Retain attorney for separate filingIllinois residents with genetic data exposure
File bankruptcy proof of claimSubmit to N.D. Cal. bankruptcy courtThose seeking direct creditor status

Attorney Insight: Attorneys handling these claims point to the bankruptcy proof of claim filing as an action that most affected users overlook. Even if you filed a class action claim form, submitting a separate proof of claim in the bankruptcy proceeding may preserve an independent recovery pathway.


What Type of Attorney Handles the 23andMe Data Breach Case?

Data breach class actions like the 23andMe case are handled by plaintiff-side class action attorneys who specialize in privacy litigation, consumer data protection, and cybersecurity negligence. These attorneys typically operate on contingency fee arrangements, meaning no fees unless there is a recovery.

For individual claimants with significant documented harm, a privacy attorney with specific experience in genetic data law and California CCPA or Illinois GIPA litigation is the appropriate specialist. These cases involve statutory frameworks that general personal injury attorneys are not equipped to handle.

For Illinois residents pursuing individual GIPA claims, the attorney must have specific familiarity with GIPA’s per-violation damages structure and the Illinois Supreme Court’s jurisprudence on biometric and genetic privacy standing.

Attorney types and their roles:

Attorney TypeRoleBest For
Plaintiff class action attorneyFiled and manages consolidated class claimsGeneral class membership and settlement oversight
Privacy / data breach litigation specialistHandles individual CCPA and GIPA claimsClaimants with significant individual damages
Bankruptcy creditor attorneyNavigates Chapter 11 proof of claim processClaimants seeking direct bankruptcy creditor status
Consumer protection attorneyPursues state-law statutory remediesState-specific statutory claims outside the settlement

Attorney Insight: Attorneys handling these claims point to the bankruptcy dimension as requiring a different specialty than the underlying data breach litigation. A privacy attorney and a bankruptcy creditor attorney may both be needed for claimants pursuing all available recovery pathways.


How Does 23andMe’s Bankruptcy Affect the Settlement?

23andMe’s Chapter 11 bankruptcy filing in March 2025 introduced significant uncertainty into the settlement distribution process. In a standard class action settlement, funds are deposited into a court-approved trust and distributed according to the settlement agreement timeline. Bankruptcy complicates that model.

When a company files for Chapter 11, an automatic stay halts most collection and payment actions against the debtor. Whether the $30 million settlement fund, if already deposited into a trust before the bankruptcy filing, is protected from the automatic stay depends on the specific trust structure and when the deposit occurred.

If the fund was fully deposited and held in trust before March 2025, it may be insulated from the bankruptcy estate and distributed according to the superior court’s schedule. If the fund was not fully funded prior to bankruptcy, the remaining obligation becomes a bankruptcy estate claim, subject to creditor priority rules.

Bankruptcy impact analysis:

ScenarioImpact on Settlement Recovery
Fund fully in trust before bankruptcyDistributions proceed; claimants likely protected
Fund partially funded at bankruptcyRemaining balance treated as bankruptcy claim
23andMe reorganizes and emergesSettlement distributions may resume under reorganization plan
23andMe converts to Chapter 7 (liquidation)Class claimants become general unsecured creditors; recovery severely reduced
Court approves separate trust for settlementClaimants protected from general bankruptcy pool

Attorney Insight: Attorneys handling these claims point to the Chapter 7 conversion risk as the scenario that most dramatically reduces class member recovery. Monitoring the Northern District of California bankruptcy docket for conversion motions is the single most important action sophisticated claimants can take in 2026.

Litigation Watch: The bankruptcy filing is not a reason to abandon a claim. It is a reason to file a proof of claim in the bankruptcy proceeding as well as completing the class action claims form, preserving recovery rights on both tracks simultaneously.


Where Does the 23andMe Data Breach Lawsuit Stand in 2026?

In 2026, the 23andMe data breach lawsuit occupies two parallel legal forums simultaneously. The class action settlement proceedings remain before Hon. Andrew Y.S. Cheng in San Francisco Superior Court under Case No. CGC-23-609906. The bankruptcy case proceeds in the U.S. Bankruptcy Court for the Northern District of California.

The settlement’s final approval status and fund disbursement timeline are directly dependent on how the bankruptcy court treats the pre-existing settlement obligation. The company’s reorganization plan, which is being formulated in 2025 and 2026, will specify how class action settlement claims are classified and paid.

Claimants who filed claims during the open window and also filed proofs of claim in the bankruptcy proceeding have the strongest dual-track recovery position.

2026 status summary:

Legal ForumMatterCurrent Status
San Francisco Superior Court (CGC-23-609906)Class action settlementFinal approval proceedings ongoing
U.S. Bankruptcy Court, N.D. CaliforniaChapter 11 reorganizationActive; plan of reorganization in development
Illinois state courtsIndividual GIPA claimsActive for individually filed cases
Settlement claims portalClaims administrationStatus subject to bankruptcy court direction

Attorney Insight: Attorneys handling these claims point to 2026 as a year where monitoring both court dockets is essential. Developments in the bankruptcy proceeding will directly and immediately affect what class members receive and when.


Frequently Asked Questions

Is the 23andMe data breach settlement still accepting claims in 2026?

The claims process status in 2026 depends on the interaction between the settlement and the March 2025 bankruptcy filing.
Claimants should verify the current status of the official claims portal through the San Francisco Superior Court docket for Case No. CGC-23-609906.
The bankruptcy automatic stay may have extended or paused the standard claims window.

How much will each person receive from the 23andMe settlement?

Most ordinary class members are estimated to receive between $50 and $400, depending on the total number of valid claims filed and attorneys’ fee deductions from the $30 million fund.
Claimants with documented out-of-pocket losses may qualify for enhanced payments in the $500 to $2,500 range.
The bankruptcy proceedings add uncertainty to both the timing and the final per-person amounts.

Does the 23andMe bankruptcy mean claimants won’t get paid?

Not necessarily. Whether claimants are paid depends on whether the $30 million settlement fund was held in a protected trust before the bankruptcy filing.
If the fund is insulated from the bankruptcy estate, distributions may proceed on the settlement timeline.
Claimants should file proofs of claim in the bankruptcy proceeding as a protective measure, preserving rights regardless of how the court ultimately classifies the settlement obligation.

What specific data was exposed in the 23andMe breach?

The breach exposed DNA Relatives profile data for approximately 5.5 million users and family tree information for 1.4 million additional users.
Health predisposition reports, ancestry composition data, names, email addresses, birth years, and geographic locations were also accessed for varying subsets of the affected population.
The credential stuffing attack method meant that the scope of exposure depended on which accounts were compromised and what features those account holders had enabled.

Do Illinois residents have a stronger claim than other states?

Yes. Illinois residents whose genetic data was exposed have a separate cause of action under the Illinois Genetic Information Privacy Act (GIPA), which allows per-violation statutory damages of $2,500 to $15,000 without requiring proof of actual harm.
That individual GIPA claim is separate from the class action settlement and must be filed independently.
Illinois residents should consult a privacy attorney about whether pursuing an individual GIPA claim produces a better outcome than their pro rata share of the class settlement.

What type of lawyer should I contact about the 23andMe data breach lawsuit?

A plaintiff-side class action attorney specializing in privacy litigation or consumer data protection is the appropriate starting point for most affected users.
Illinois residents with genetic data exposure should specifically seek an attorney with GIPA litigation experience.
Claimants with significant documented harm should consult a privacy attorney before the claims window closes to evaluate whether individual representation outperforms automatic class participation.


Closing

The 23andMe data breach lawsuit is not a simple file-and-receive case. The $30 million settlement, the 6.9 million affected users, the genetic data exposure, and the March 2025 bankruptcy filing make this one of the more procedurally complex consumer class actions currently before California courts.

For anyone affected, the immediate priorities are verifying current claims portal status, preserving all documentation, and filing a proof of claim in the bankruptcy proceeding if that window remains open.

If you are an Illinois resident, experienced documented financial harm, or had health predisposition data exposed, a privacy attorney consultation before any deadline passes is the concrete next step. These attorneys handle data breach claims on contingency and can assess whether the class settlement or an individual recovery pathway serves you better.



Author

  • Editorial

    Faiq Nawaz is an attorney in Houston, TX. His practice spans criminal defense, family law, and business matters, with a practical, client-first approach. He focuses on clear options, realistic timelines, and steady communication from intake to resolution.

Sign In

Register

Reset Password

Please enter your username or email address, you will receive a link to create a new password via email.