23andMe Clients Navigate Uncertain Future Two Years After Breach

On the morning of Sept. 25, Elvira Olguín called into a St. Louis court hearing in the 23andMe bankruptcy from Málaga, Spain, sitting beside her son, who guided her through the proceedings.

The 96-year-old bought a 23andMe kit in April 2019 for research in a legal biological recognition process. After receiving a notice in October 2023 that a data breach had exposed the personal information of nearly 7 million users, she became frightened, causing her blood pressure to spike. Days later, she suffered a vascular episode that led to vision loss in one eye, according to her health records.

“Such news can be especially harmful to those in fragile health and may even cause permanent damage, as happened to me,” Olguín said. “I felt very exposed.”

23andMe, now Chrome Holding Co., filed for bankruptcy in March, nearly two years after the breach. It recently received preliminary approval to settle class actions in the US and Canada, covering the bulk of 250,000 claims tied mainly to the incident, valued at over $51 trillion.

The company is disputing potential fraudulent claims and is pursuing a “streamlined” process requiring customers to verify their identities.

Olguín isn’t part of either class. Her $1,500 claim may be her only avenue for recovery, though individual claimants typically fall lower in repayment priority. She appeared in court fearing she would “lose her rights.”

23andMe brought unique privacy issues to bankruptcy. Unlike mass tort bankruptcies—such as Georgia-Pacific unit Bestwall, which faces asbestos claims, or Purdue Pharma opioid lawsuits—the harm mainly involves identity theft or nation-state misuse.

Unlike in asbestos cases, there’s no “future claims representative” for breach victims who may not realize an immediate harm. They have a limited window to link damages or expenses to the breach.

Plus, it’s difficult to prove that a future identity theft is definitely caused by a particular data breach, said Paul Karlsgodt, leader of BakerHostetler’s privacy and digital risk class action team.

“You don’t know, when someone’s the victim of identity theft, how the criminal actor came to have the information they used to do it,” he said.

Many of the nearly 100 attendees at the September hearing were customers who logged in from across the US, Canada, and Spain. Confused by the hearing notices, some referred to themselves as “defendants.”

Many insisted on stating their names and being recognized by the court. The judge repeatedly clarified that no one was being sued and that he couldn’t provide legal advice.

23andMe lawyers at Paul, Weiss, Rifkind, Wharton & Garrison declined to comment.

Settlements

The settlements mark a key step in the company’s effort to end the bankruptcy after selling its assets in June for $300 million despite pushback from states over alleged privacy law violations.

The company will seek approval of its bankruptcy plan in November, with final hearings on the US and Canadian settlements on Jan. 20 and Feb. 17, respectively.

23andMe proposed a $30 million to $50 million fund for US class members, and a $3.25 million (CA$4.49 million) fund for Canadians. The US deal may require mediation or litigation to determine exactly how much will be available.

US costumers whose health data was exposed would get up to $165, and residents from certain states would receive $100 statutory payments. “Extraordinary losses,” including identity fraud and mental health treatment, that would result in additional payments must have been incurred between May 1, 2023, and Oct. 2, 2025. Canadians have a shorter, six-month window.

Sage Nematollahi, a KND attorney representing Canadians, said he was “very pleased” with the settlement and had “no hesitation to recommend it to the Canadian public.”

“If we are going to give people more, we got to show that this damage occurred as a result of the incident,” Nematollahi said. “The farther you get from the events, the connection becomes more remote, and it’s more difficult to establish that the cost was incurred as a direct result.”

Karlsgodt said in data breach settlements, there are typically around “a few hundred” people who opt out to pursue their own claims. But the nature of the data could mean more feel “more offended and affected than in a normal data breach case.”

The biggest difference between 23andMe and other breaches is that sequenced DNA is “irreplaceable and immutable,” said Jennifer King, a Stanford University privacy fellow.

“My hunch is that’s at the extreme of data breach cases; however, connecting its use to future harm will be tough,” she said. While few adversaries can actually exploit this data, “nation-state adversaries that want to target specific individuals can try to obtain either the DNA or find close relatives in the dataset.”

Navigating the Unknown

Salman Jaberi, a member of the US class who attended the hearing, said he believes his 23andMe data was accessed before the breach notice.

Jaberi said he’s been assaulted and harassed online, targeting his background and identity as an LGBTQ community member. After purchasing a kit in February 2022, he noticed a spike in identity theft activity on his credit reports within a month.

He also began receiving unusual, targeted ads and scam emails referencing family names.

“While I’ve been recognized as an affected individual, the process so far has not provided meaningful relief for the extent of damages I continue to face,” Jaberi said. His $2,263 claim includes costs for privacy protection services.

He called the settlement’s monitoring services “useless.”

The company has said it suspects fraudulent claims were filed, citing identical two-word phrases in descriptions. It estimates that more than 190,000 claims were filed with emails that don’t match customer records.

Karlsgodt said the use of bots is becoming more prominent in settlements, which “waters down the money available to the real claimants.”

After learning of the breach, Olguín “lost hope” in her research. She feels the settlements don’t help people like her.

“It may result in an insignificant recovery for individual creditors like myself,” she said.