Judge Approves $46.75 Million Settlement for 23andMe Data Breach Victims
San Francisco, Tuesday, 7 July 2026.
On Tuesday, a bankruptcy judge approved a $46.75 million settlement for 23andMe data breach victims, resolving claims against the genomics firm following its March 2025 bankruptcy.
Breaking Down the Settlement Structure
U.S. Bankruptcy Judge Brian Walsh, presiding in St. Louis, ruled on Tuesday, July 7, 2026, that the $46.75 million agreement is fair, equitable, and serves the best interests of the trust managed by the company’s bankruptcy administrator [2][4]. However, the net new funds to be distributed will be lower than the headline figure. Because $14.29 million has already been disbursed in connection with the breach, the actual additional payout to the settlement trust will be $32.46 million [2], which represents the net difference of 32.46 million. These funds are designated to cover claimant payouts, legal fees, and ongoing data monitoring services [1].
The Mechanics of the Breach
The origins of this legal battle trace back to a massive 2023 cyber incident that compromised the sensitive genetic and personal information of approximately 6.9 million customers [2][7]. Hackers successfully breached the system by utilizing stolen passwords to compromise user accounts, subsequently harvesting wider family and profile data through the platform’s “DNA Relatives” feature [5]. The resulting class-action litigation alleged that the genomics firm failed to maintain adequate cybersecurity practices to prevent such an intrusion, which initially led to a tentative $30 million settlement agreement before the company’s financial restructuring [3][5][7].
Bankruptcy and Corporate Liquidation
The financial fallout from the breach proved catastrophic for the Palo Alto, California-based company [2]. Legally operating under the name Chrome Holding Co (formerly 23andMe Holding Co, trading under the ticker MEHCQ) [6], the firm filed for Chapter 11 bankruptcy protection on March 23, 2025 [2][6]. In its filings, the company pointed directly to the compounding pressures of the data breach, the ensuing deluge of class-action lawsuits, heightened market competition, and a broader decline in consumer demand for genetic testing kits [2].
Winding Down Public Operations
To resolve its debts, the company underwent a court-supervised Section 363 asset sale [6]. In July 2025, the nonprofit TTAM Research Institute (which has since been renamed the 23andMe Research Institute), controlled by 23andMe co-founder Anne Wojcicki, acquired the company’s operational assets—including its Personal Genome Service and Lemonaid Health—for $305 million [2][6]. Consequently, Chrome Holding Co has proceeded with winding down its affairs, announcing on July 6, 2026, that it would file Form 25 with the SEC to formally delist its suspended shares from the Nasdaq [6]. Under the confirmed bankruptcy plan, all outstanding Class A and Class B common stock will be canceled, leaving former equity holders with only residual interests in a plan administration trust [6].
Regulatory Backlash and Future Privacy Commitments
While the bankruptcy court has greenlit the class-action settlement, Chrome Holding Co still faces severe regulatory pressure. California Attorney General Rob Bonta is actively pursuing a lawsuit against the company in San Francisco Superior Court, accusing executives of ignoring early warnings of system vulnerability and downplaying the true severity of the breach [2]. Bonta is seeking millions of dollars in civil penalties [2]. Although the bankruptcy administrator has moved to block this state-level action, Judge Walsh has yet to rule on the motion [2]. Bonta argued in a June 6 filing that bankruptcy proceedings should not serve as “a haven for wrongdoers” or strip state courts of their enforcement jurisdiction [2].
Preserving Privacy in Perpetuity
Despite the corporate dissolution of Chrome Holding Co, the underlying consumer genetic services continue to operate under the newly formed 23andMe Research Institute [6]. As a condition of the asset acquisition, the nonprofit entity has committed to upholding 23andMe’s original privacy policies in perpetuity [6]. This includes strictly adhering to consumer requests for data deletion, maintaining research opt-out protocols, and establishing an independent consumer privacy advisory board to oversee ongoing data security [6].
Sources
- mezha.net
- srnnews.com
- www.facebook.com
- www.gurufocus.com
- www.facebook.com
- www.stocktitan.net
- www.ctvnews.ca