DEADLINE: Tonight at 11:59 PM Central Time. If you were a 23andMe customer between May and October 2023 and received a breach notice, you can claim up to $10,000 for documented identity theft expenses, $165 if your health data was accessed, or about $100 in statutory damages (Alaska, California, Illinois, Oregon residents). File at 23andMeDataSettlement.com. The company went bankrupt and got bought out, but the settlement fund survived.

What Happened

In October 2023, a hacker named “Golem” broke into 23andMe using credential stuffing, trying username/password combinations leaked from other breaches. About 14,000 accounts fell because users reused passwords and didn’t enable two-factor authentication [1].

That 14,000 became 6.9 million.

The DNA Relatives feature let hackers scrape data from anyone connected to those 14,000 compromised accounts. Your cousin uses a bad password? Your genetic data gets stolen too. That’s how 5.5 million users had their information exposed without their accounts ever being directly accessed [1][2].

What they got: names, birth years, locations, family surnames, grandparents’ birthplaces, ethnicity estimates, and genetic health information. The kind of data that can’t be changed. The kind that identifies your entire family tree [2].

What You Can Claim

The settlement offers three types of compensation:

Extraordinary Claims: Up to $10,000
If you can document out-of-pocket costs from identity theft, fraud, or related expenses. This includes credit monitoring you paid for, money spent fixing fraudulent accounts, mental health counseling, or security services. You’ll need receipts and documentation.

Health Information Claims: Up to $165
If your health data was specifically accessed in the breach. Check your breach notification from 23andMe; it should specify whether health information was included.

Statutory Cash Claims: Around $100
For residents of Alaska, California, Illinois, or Oregon only. These states have privacy laws that trigger automatic damages for certain data breaches. No documentation needed beyond proof of residency.

Everyone Gets: Five years of Privacy & Medical Shield plus genetic monitoring from Cyberscout, valued at roughly $1,875. You get this automatically if you were notified of the breach, even if you don’t file for cash [3].

How to File

Step 1: Go to the Settlement Site

Visit 23andMeDataSettlement.com. This is the official site. Don’t Google and click random links; settlement scams are everywhere.

Step 2: Find Your Notice

You should have received an email or letter from 23andMe about the breach. It contains a Class Member ID. If you can’t find it, the site has a lookup tool.

Step 3: Choose Your Claim Type

Select whether you’re filing for extraordinary damages ($10K max with proof), health information ($165), or statutory damages ($100, state-specific).

Step 4: Submit Before Midnight CT

Online forms must be submitted by 11:59 PM Central Time tonight. If mailing, postmark by February 17.

The Catch

23andMe filed for bankruptcy in March 2025 [4]. The company that collected your DNA went from a $6 billion valuation to Chapter 11.

The settlement survived. A bankruptcy judge approved transferring the obligations to a new entity called TTAM Research Institute, a nonprofit run by 23andMe co-founder Anne Wojcicki. She paid $305 million for what remained of the company, including the genetic database [5].

But here’s the fine print: settlement payments won’t be distributed until “bankruptcy reconciliation and appeals conclude.” The administrator says this “is likely to take considerable time” [3].

Translation: File today. Get paid… eventually.

The settlement fund ranges from $30-50 million. If too many people file, individual payments may be reduced proportionally. File anyway. The monitoring services kick in immediately.

The Bigger Picture

Twenty-seven states and D.C. sued to block 23andMe from selling genetic data without consent [6]. They lost. The data stayed with the company through bankruptcy and got transferred to the new owner.

Federal law does almost nothing to protect genetic information given to private companies. HIPAA doesn’t cover direct-to-consumer DNA testing. GINA (the Genetic Information Nondiscrimination Act) only prevents employers and insurers from discriminating based on genetics; it doesn’t stop your DNA from being sold as a corporate asset [4].

Your genetic code is the one password you can never change. 23andMe proved it can be stolen. The bankruptcy proved it can be sold. This settlement is your only compensation.

Deadline Tonight

File at 23andMeDataSettlement.com before 11:59 PM Central Time on February 17, 2026.

If you received your first notice on January 5, 2026, you have until March 1, 2026; check your letter [3].

If you do nothing: you forfeit cash benefits but still get enrolled in the monitoring service. But why leave money on the table?

References

  1. HIPAA Journal: 6.9 Million 23andMe Users Affected by Data Breach
  2. Wikipedia: 23andMe Data Leak
  3. 23andMe Data Breach Settlement Official Site
  4. NPR: 23andMe is filing for bankruptcy. Here’s what it means for your genetic data (March 2025)
  5. NPR: Judge OKs sale of 23andMe to nonprofit led by founder (June 2025)
  6. NPR: Dozens of states sue to block the sale of 23andMe personal genetic data (June 2025)