Vermont AG joins multistate genetic data breach settlement in 23andMe bankruptcy

Vermont Business Magazine Attorney General Charity Clark today joined a coalition of 42 attorneys general in announcing a settlement with the bankruptcy trustee for 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million customers worldwide. Under the settlement, 23andMe’s bankruptcy estate will pay $18 million to participating states, including $154,000 to the State of Vermont.

“Our genetic data, like our DNA, is incredibly personal and forever unchangeable—it belongs to us,” said Attorney General Clark. “Companies that collect this data must do so securely and responsibly. This settlement shows that not even bankruptcy will stop my office from pursuing companies that fail to protect Vermonters’ most sensitive information.”

In October 2023, genetic testing company 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including nearly 14,000 Vermonters. This data breach exposed a wide range of data about 23andMe customers, including, in some cases, genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.

23andMe learned about the breach months after impacted personal information was publicly available. 23andMe first denied a breach and then, once it confirmed the breach, blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the credential stuffing breach, a type of cyberattack that involves repeated attempts to log in to online accounts using usernames and passwords stolen from other online services. 23and Me’s inaction was particularly egregious considering that their partnership with MyHeritage exposed thousands of credentials shared between the websites.

In the immediate aftermath of the data breach the attorneys general formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:

  • Failing to employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords or requiring multifactor authentication; 
  • Failing to implement appropriate rate limiting or intrusion prevention;
  • Failing to implement logging and monitoring or other tools likely to detect a data breach;
  • Failing to appropriately investigate and/or address unusual login patterns, including, for example, a massive spike in login attempts;
  • Failing to remediate known vulnerabilities; and
  • Failing to properly review and test design features.

 

In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation. As part of the bankruptcy proceedings, the assets – notably 23andMe’s consumer data – were sold to TTAM Research Institute, a non-profit formed by 23andMe’s founder and former CEO. 

The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an Advisory Board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer deletion rights. 

These terms will make sure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.  

23andMe separately agreed to a $46.75 million class-action settlement for affected consumers. Those consumers were notified directly of their eligibility by a claims administrator earlier this year.

The 23andMe data breach and bankruptcy inspired Attorney General Clark to advocate for changes to the law to further protect Vermonters’ genetic data. The Genetic Data Information Privacy Act, Act 135, passed last month and requires genetic data testing companies like 23andMe to obtain consumers' express consent before collecting, using, or sharing their genetic data. It also gives consumers the right to access and delete that data and have their biological samples destroyed, and bars the disclosure of genetic information to insurers, employers, or the government without a warrant.

Attorney General Clark joined the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, Wisconsin, and West Virginia in today’s settlement.

7.142026. Attorney General’s Office | 109 State Street | Montpelier, VT 05609-0101 | ago.vermont.gov

To support vital journalism, access our archives and get unique features like our award-winning profiles, Book of Lists & Business-to-Business Directory, subscribe HERE!

www.vermontbiz.comVermont Business Magazine