San Francisco, CA – Genetic testing company 23andMe has agreed to pay $30 million and provide three years of security monitoring to settle a lawsuit stemming from a data breach that exposed the personal information of millions of customers last year.
The settlement, which requires court approval, resolves accusations that 23andMe failed to adequately protect customer data and did not promptly notify individuals whose information was compromised.
The breach, which occurred between April and September 2023, affected nearly half of 23andMe’s customer base at the time. The hackers gained access to sensitive information, including DNA data, family tree details, and contact information.
As part of the settlement, 23andMe will also offer customers the option to enroll in a three-year program called Privacy & Medical Shield + Genetic Monitoring. Additionally, the company will provide cash payments to individuals whose data was compromised.
In a statement, 23andMe said it believes the settlement is in the best interest of its customers and that the majority of the costs will be covered by cyber insurance.
The lawsuit, filed in federal court in San Francisco, alleged that 23andMe had failed to implement adequate security measures to protect customer data, despite being aware of the risks associated with storing such sensitive information.
The settlement comes at a time when 23andMe is facing financial challenges. The company has reported significant losses and has been struggling to maintain its stock price.
The resolution of this lawsuit is expected to provide some relief for 23andMe, but it also highlights the ongoing challenges faced by companies in protecting customer data in the digital age.