New York will receive more than $705,000 under an $18 million multistate settlement with 23andMe over a data breach that exposed genetic and personal information from millions of customers.
The October 2023 breach affected nearly 7 million consumers, including 305,245 in New York, according to state Attorney General Letitia James.
James and attorneys general from 41 other states and the District of Columbia alleged that the genetic testing company failed to use adequate safeguards against attacks involving stolen credentials. Some customer information, including genetic ancestry data, was later offered for sale on the dark web, the attorney general's office said.
The investigation found that 23andMe did not require multifactor authentication, adequately limit repeated login attempts, investigate unusual login patterns or promptly fix known vulnerabilities, according to the release.
The company filed for bankruptcy protection in March 2025. Its customer data was later sold to TTAM Research, a nonprofit formed by 23andMe founder and former chief executive Anne Wojcicki and since registered as the 23andMe Research Institute.
The settlement requires new information-security measures, including risk analysis and an advisory board focused on data security. Consumers must also continue to have the ability to delete their information.
James joined a bipartisan coalition in bringing the settlement, which remains subject to the bankruptcy process described in the release.


