23andMe settles data breach lawsuit for $30 million

23andMe will pay $30 million and provide three years of security monitoring to settle a lawsuit accusing the genetic testing company of failing to protect the privacy of 6.9 million customers whose personal information was exposed in following a data breach last year.

The settlement also resolves allegations that 23andMe failed to tell customers of Chinese and Ashkenazi Jewish descent that the hacker appeared to have specifically targeted them and posted their information for sale on the dark web.

A preliminary settlement of the proposed class action was filed late Thursday in federal court in San Francisco and requires a judge’s approval.

It includes cash payments for customers whose data has been compromised and allows customers to enroll for three years in a program known as Privacy & Medical Shield + Genetic Monitoring.

Related: 23andMe is facing a class action lawsuit following the data breach

In a court filing on Friday, 23andMe called the settlement fair, appropriate and reasonable.

Citing its “highly uncertain financial condition,” 23andMe also asked the judge to halt arbitration by tens of thousands of class members until the settlement is approved or they opt out.

In a statement, 23andMe said it believes the settlement is in the best interest of its customers. About $25 million of the cost is also expected to be covered by cyber insurance.

The breach began around April 2023 and lasted about five months, affecting nearly half of the 14.1 million customers in 23andMe’s database at the time. It was revealed by 23andMe in an October 2023 blog post.

According to the company, the hacker accessed 5.5 million DNA Relatives profiles, which allow customers to share information with each other, and accessed information for another 1.4 million customers who used a feature called Family Tree.

Lawyers for the plaintiffs said the settlement addressed their clients’ main claims and reflected significant risks of further litigation given 23andMe’s “dire” finances.

The South San Francisco-based company lost $69.4 million on revenue of $40.4 million in the quarter ended June 30.

Co-founder and chief executive Anne Wojcicki tried to take 23andMe private three years after it went public at $10 a share. Its shares have traded below $1 since mid-December.

Plaintiffs’ attorneys can seek legal fees of up to 25% of the settlement amount.

The case is In re 23andMe Inc Customer Data Security Breach Litigation, US District Court, Northern District of California, No. 24-md-03098.

TOPICS
Cyber ​​processes