In Re: 23andMe, Inc. Customer Data Security Breach Litigation
29 comments · December 1, 2025
bsimpson
I've had 23andme since ~2012. Haven't received a single email from/about 23andmedatasettlement.com
toomuchtodo
Related:
DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack - https://news.ycombinator.com/item?id=44300220 - June 2025 (1 comment)
23andMe tells victims it's their fault that their data was breached - https://news.ycombinator.com/item?id=38856412 - January 2024 (368 comments)
zdw
Can I file a claim if I'm related to folks who shared their (and by extension, my) DNA with this company?
SoftTalker
This will basically be everyone in the world. Could be the largest class action ever?
2muchcoffeeman
Oprah spruiked 23andMe.
Can people sue Oprah?
iwontberude
Since when is spruiking a liability?
windexh8er
I may actually try my hand in conciliation court against them on this one. I received a test kit back around 2015 from a family member, but was disgusted at the idea that there was no possible way they 1) wouldn't go under and sell my data 2) be breached. I feel like these sort of outcomes for these types of services are very obvious as highly likely to anyone who works in proximity to tech, and especially startups.
Anyway, I never submitted the test. But I know for a fact that family has. It's really annoying that others can make these sort of linked decisions for you - especially as we are now acutely aware that this type of data can, will and I'm sure is being used in ways that basically nobody would consent to.
ilamont
When this blew up, the breach had been ongoing for months and 23andme had no clue. The company immediately blamed customers for sharing passwords, and strenuously avoided any mention of admitting it was in fact a hack.
https://techcrunch.com/2023/10/10/23andme-resets-user-passwo...
The hack was yet another failure in a long list under the CEO: Failed execution on the drug development strategy, lying about growth, pushing out the cofounder, never making a profit, FDA warning letters, ditching its genealogy tools, screwing over investors, screwing over the board, and so on.
The company she bankrupted was about to be sold to Regeneron - probably the best option for everyone - when her "nonprofit" swooped in with a high bid.
https://www.medtechdive.com/news/anne-wojcicki-buy-23andme-b...
coolThingsFirst
2 measly SQL injections and down goes 23andMe.
arnonejoe
Give each victim 100 shares of company stock. You lose your company to the people that you hurt. Seems fair.
tomrod
That's just bankruptcy with extra steps. You're giving an asset which has no value immediately after the action.
SilverElfin
> Up to $10,000 for Extraordinary Claims;
> Up to $165 for Health Information Claims;
> An estimated $100 for Statutory Cash Claims; and
> 5 years of Privacy & Medical Shield + Genetic Monitoring
None of these make the victims whole. The typical customer would rather pay $1000 to not have their private medical records stolen. Giving them just $165 or a few years of monitoring is insulting. What does that monitoring even achieve?
toomuchtodo
There is no way to make victims whole for this negligence; what is on offer is arguably the best that can be done for a failure to properly implement customer identity and access management systems and processes for personal genomic user data.
(disclosure: I am a member of the class, as is most of my family, no other affiliation)
uoaei
This kind of fatalism is the antithesis of proper legal thought and practice as it pertains to real harm.
Precedent is everything, the members of the class who drag down expectations for the rest of us are actively committing harm by denying a resolution to our collective claims. Solidarity is the sole responsibility of a class of people.
toomuchtodo
I will allow my past comments to speak for themselves.
https://news.ycombinator.com/item?id=38857170
https://news.ycombinator.com/item?id=38857228
https://news.ycombinator.com/item?id=38857476
> I will eat crow if it comes to light that this was entirely unavoidable on 23andme's part. (me)
> You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.
This class action and the £2.3M extracted by a UK regulator sure feels like legal culpability. There must be consequences, otherwise nothing will change. I accept some action vs no action, when perfect is out of reach. We are building systems, requiring constant tuning and improvement.
Closing the loop on this provides an immutable case study on this topic.
(I manage and am responsible for systems that protect enterprise and customer data for millions of customers at a fintech, I take this work seriously, because someone should; if you want better behavior, we need better legal tools to go after corporations for this)
delichon
That might matter if 23andMe still had deep pockets, rather than being a bankrupt shell.
zeroonetwothree
You are free to opt out of the settlement and pursue your own claim.
SilverElfin
This is true of all class actions. But it’s not helpful that the only recourse for victims is to lose enormous amounts of money and time to get justice. This is a loophole that must be fixed.
null
If you type something into the computer you should assume everyone in the world will eventually be able to see it.
If you send your DNA to a company in the mail you should assume everyone in the world will eventually be able to see it.