In October 2023, hackers were able to gain access to 23andMe customer accounts through a credential stuffing attack where the username and password used on 23andMe.com were the same as those that were used on other websites that were previously compromised or otherwise available. The hacker was able to access certain information on 23andMe users, including health information. A subset of that information was sold on the dark web, including a dataset of individuals of Chinese and Ashkenazi Jewish heritage who appear to have been specifically targeted.
Shortly after 23andMe disclosed the incident, nearly 40 lawsuits were filed around the country alleging 23andMe had failed to properly protect customer information and violated various state genetic information privacy statutes, state consumer statutes, and other claims for invasion of privacy. Many, but not all, of those cases were consolidated into a MultiDistrict Litigation (“MDL”) proceeding in the Northern District of California. The MDL involves class actions brought on behalf of more than 6 million individuals.
23andMe has now agreed to settle the MDL for $30 million. Although 23andMe denies all wrongdoing and liability, it chose to settle to avoid the uncertainty of further litigation. Under the terms of the settlement, individuals whose data was compromised are entitled to a portion of the settlement fund, after litigation costs and attorneys fees have been deducted. The plaintiffs’ lawyers will received up to one-third of the settlement amount. Impacted class members will also be entitled to three years of complimentary monitoring services.
Let this case serve as a reminder that cyber threats are real and ever changing. Perhaps more importantly though, the 23andMe case highlights the importance of cyber insurance. 23andMe anticipate s that around $25 million of the settlement will be covered by its cyber insurance policy. Without such ample coverage, early settlements and resolutions may not have been a viability.