DNA giant pays $30M for failing to protect Jewish users

The breach began around April 2023 and lasted about five months, affecting nearly half of the 14.1 million customers in 23andMe’s database at the time.

By The Algemeiner and Reuters

23andMe will pay $30 million and provide three years of security monitoring to settle a lawsuit accusing the genetics testing company of failing to protect the privacy of 6.9 million customers whose personal information was exposed in a data breach last year.

The accord also resolves accusations that 23andMe did not tell customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to have specifically targeted them, and posted their information for sale on the dark web.

A preliminary settlement of the proposed class action was filed late Thursday night in federal court in San Francisco, and requires a judge’s approval.

It includes cash payments for customers whose data was compromised, and lets customers enroll for three years in a program known as Privacy & Medical Shield + Genetic Monitoring.

In a Friday court filing, 23andMe called the settlement fair, adequate and reasonable.

Citing its “extremely uncertain financial condition,” 23andMe also asked the judge to halt arbitrations by tens of thousands of class members, until the settlement is approved or they decide not to participate.

Read  Jewish civil rights group seeks to overturn dismissal of MIT antisemitism lawsuit

In a statement, 23andMe said it believes the settlement is in its customers’ best interest. It also expects about $25 million of the cost to be covered by cyber insurance coverage.

The breach began around April 2023 and lasted about five months, affecting nearly half of the 14.1 million customers in 23andMe’s database at the time. It was disclosed by 23andMe in an October 2023 blog post.

According to the company, the hacker accessed 5.5 million DNA Relatives profiles, which let customers share information with each other, and accessed information for another 1.4 million customers who used a feature called Family Tree.

Lawyers for the plaintiffs said the settlement addressed their clients’ main claims, and reflected significant risks of further litigation given 23andMe’s “dire” finances.

The South San Francisco-based company lost $69.4 million on revenue of $40.4 million in the quarter ending June 30.

Co-founder and Chief Executive Anne Wojcicki has been trying to take 23andMe private, three years after it went public at $10 per share. Its shares have traded below $1 since mid-December.

The plaintiffs’ lawyers may seek legal fees of up to 25% of the settlement amount.

The case is In re 23andMe Inc Customer Data Security Breach Litigation, US District Court, Northern District of California, No. 24-md-03098.

Read  CAIR sues US State Department over ‘failing to evacuate American citizens’ from Gaza

>