ATLANTA, GA – Georgia Attorney General Chris Carr today announced that his office has joined with 41 other attorneys general in reaching a settlement with the bankruptcy trustee for 23andMe. This settlement resolves allegations stemming from a 2023 breach that compromised the genetic data of 6.9 million customers worldwide and includes $150 million in allowed claims for states. Due to the finite amount of funds in the bankruptcy estate and numerous other claims, recovery is limited to $18 million but will be paid out of available bankruptcy funds immediately. Of the $18 million, Georgia will receive $452,232.00. 23andMe also agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims by Feb. 17, 2026.

In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including 171,125 in Georgia. This breach exposed a wide range of data about 23andMe customers, including genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web. 

23andMe learned about the breach months after impacted personal information was publicly available. 23andMe first denied a breach and then, once it confirmed the breach, blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the credential stuffing breach, which was particularly egregious considering 23andMe’s partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites. 

In the immediate aftermath of the data breach, the attorneys general launched a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to: 

  • Failing to employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords or requiring multifactor authentication;  
  • Failing to implement appropriate rate limiting or intrusion prevention; 
  • Failing to implement logging and monitoring or other tools likely to detect a data breach; 
  • Failing to appropriately investigate and/or address unusual login patterns, including, for example, a massive spike in login attempts; 
  • Failing to remediate known vulnerabilities; and
  • Failing to properly review and test design features.

In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation. As part of the bankruptcy proceedings, the assets – notably 23andMe’s consumer data – were sold to TTAM Research Institute, a non-profit formed by 23andMe founder and former CEO Anne Wojcicki. The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an Advisory Board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer deletion rights. These terms will make sure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.   

Carr joined the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, North Carolina, North Dakota, New Hampshire, New Jersey, New Mexico, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia in today’s settlement.   

Tips and Information

To delete your genetic data from 23andMe:

  • Go to 23andMe.com and sign in to your account.
  • Click on your profile in the upper right-hand corner of the site, then click “Settings.”
  • Scroll to the section at the very bottom of the page called “23andMe Data” and click the oval button that says, “View.”
  • Check the boxes of any data you would like to download and click “Request Download.” This step is optional and can take up to 30 days. You can continue with the following steps while you wait.
  • Scroll to the bottom of the page and click the red button that says, “Permanently Delete Data.”
  • You will receive an email with the subject line “23andMe Delete Account Request.” Open it, and click the button that says, “Permanently Delete All Records.” Your data will not be deleted unless you complete this step.

For additional information on how to delete your 23andMe account, visit the following page on the company’s website: Requesting 23andMe Account Closure.

For additional tips on how to protect your personal information and reduce the risk of identity theft, visit the Attorney General’s Consumer Protection Division website.

Contact

Communications Director Kara (Richardson) Murray

Contact

Communications Specialist Lauren Read