Skip to main content

Michigan settles bankruptcy claims against 23AndMe over genetic data breach

Data breach compromised nearly 163,000 Michiganders

23andMe believes the hackers accessed certain accounts when users recycled login credentials (KSAT)

Michigan is slated to receive $436,605 as part of a recent settlement awarded to 42 states in connection to 23andMe’s 2023 data breach compromising the genetic data of 6.9 million customers worldwide and nearly 163,000 Michiganders.

The direct-to-consumer genetic testing company announced the breach in October 2023, saying it exposed a wide range of data about 23andMe customers — including in some cases genetic ancestry information — which were subsequently published for sale on the dark web.

Recommended Videos


The settlement, filed on Tuesday in U.S. Bankruptcy Court for the Eastern District of Missouri, awards $150 million in allowed claims for states.

Still, according to Michigan Attorney General Dana Nessel, only $18 million is expected to be paid out due to limited funds after the company filed for Chapter 11 bankruptcy in March 2025. 23andMe also agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims in the case, which closed in February of this year, Nessel said.

Read more: 23andMe has filed for bankruptcy. What does this mean for your DNA data privacy?

“Protecting the personal information of Michigan residents has been one of my top priorities during my time in office, and we will not stand by when companies fail to safeguard consumer data,” said Nessel in a news release announcing the settlement. “I am proud to have worked with this coalition to secure this settlement. We remain committed to defending the privacy of Michiganders and ensuring that corporations that fail their customers are held accountable.”

23andMe reportedly learned about the breach months after millions of customers’ personal information was made publicly available. According to Nessel, the company first denied the breach and then, once confirmed, blamed consumers for how their accounts were set up or how passwords were used.

Nessel called the company’s denial “particularly egregious” considering its partnership with MyHeritage, which — years prior — suffered a data breach that exposed the passwords of 92 million accounts.

In the case of 23andMe, the latest settlement cites multiple failures by the company that resulted in unreasonable data security practices, including failure to monitor, identify and remediate known vulnerabilities and failing to employ safeguard against attacks.

As part of the bankruptcy settlement, 23andMe’s consumer data was sold to TTAM Research Institute, a nonprofit formed by 23andMe founder and former CEO Anne Wojcicki, now registered as 23andMe Research Institute. The terms of that agreement were designed to ensure that TTAM be a safer custodian of the genetic data going forward.

Other participating states in the settlement include Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Minnesota, North Carolina, North Dakota, New Hampshire, New Jersey, New Mexico, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia.