WA to receive $547,000 in 23andMe data breach settlement

by · The Seattle Times

While former 23andMe customers wait to receive payments from a $46.8 million class-action settlement, a handful of states are lining up to receive their payouts, too.

State attorneys general reached a settlement Tuesday that will grant Washington more than half a million dollars. Yet unlike the class-action suit, customers won’t be able to cash in on the newest settlement.

The attorneys general’s settlement and the class-action lawsuit stem from a massive 2023 data breach that affected more than 220,000 customers in Washington. The cyberattack resulted in the theft of sensitive personal genetic information collected by 23andMe and impacted nearly 6.9 million users.

On Tuesday, Washington Attorney General Nick Brown, with 41 other attorneys general from across the U.S., announced a settlement with the bankruptcy trustee for 23andMe. The bankruptcy funds will pay out $18 million across the states, with $547,000 going to Washington.

The attorneys general formed a coalition to investigate the 2023 breach. The list excludes a handful of states, many of which are filing their own lawsuits against the now-bankrupt 23andMe.

Once received, the settlement will be used by the state attorney general’s office to fund “future consumer protection investigations and enforcement efforts,” a spokesperson from Brown’s office said in an email. 

In this instance, the enforcement of Washington consumer protection laws will not mean that individuals get a piece of the payout pie. Rather, the attorney general’s office will use it to recover costs and attorney fees spent during the investigation, according to the settlement. 

Financial relief for consumers affected by the breach is coming from a separate class-action lawsuit that was granted in the bankruptcy, the spokesperson said. Those affected by the data breach needed to file claims by Feb. 17 to receive payouts from the suit. 

When 23andMe filed for bankruptcy in March 2025, Anne Wojcicki, the company’s co-founder, left her role as CEO but remained on the board. Around three months later, a nonprofit controlled by Wojcicki won a bid and received court approval to buy the bankrupt company.

The sale transferred all assets of the bankrupt company, including the name and the stored genetic data of millions of users, back to the former CEO under the nonprofit research institute model.

A spokesperson for the 23andMe Research Institute noted in an email that the institute is “a newly established independent nonprofit organization,” and was not involved in the settlement.

“The settlement pertains to events and operations associated with the former commercial entity prior to the creation of the 23andMe Research Institute,” the spokesperson said. “The Institute was not involved in the matters and has no role in the settlement.”

The goals of the 23andMe Research Institute are now organized around its scientific impact, including “advancing nonprofit scientific and health research with a strong commitment to privacy, ethics, transparency, and responsible data stewardship,” the spokesperson said.

The future of data privacy incidents is a primary concern for Brown’s office, too, a spokesperson for the attorney general said, pointing to resources for businesses and consumers as well as responses from a 2025 survey to inform the office’s future data privacy work. 

“Settlements such as this one send a message to all businesses that our state will hold them accountable for protecting consumers’ data from hackers,” the spokesperson for the attorney general said.