The proposed $30 million to $50 million 23andMe class action settlement stems from an October 2023 cyberattack that reportedly exposed sensitive customer data for about 6.4 million U.S. users, including genetic information, ancestry reports, and family tree details—data that can be uniquely identifying because it can’t be “changed” like a password. Plaintiffs allege some of this information later appeared for sale on the dark web, raising concerns about identity theft, targeted scams, and the long-term privacy risks tied specifically to DNA-related data. The litigation gained added complexity after 23andMe entered Chapter 11 bankruptcy in March 2025 in the Eastern District of Missouri and later sold assets and renamed the business (though settlement notices still refer to “23andMe”), meaning the bankruptcy court process is intertwined with how funds are preserved and distributed to affected customers. The lawsuits were filed on the theory that 23andMe failed to implement reasonable security measures and respond appropriately, causing consumers harm; the company denies wrongdoing, but agreed to a settlement to resolve the consolidated nationwide claims. If approved, the deal provides five years of privacy/identity and “genetic monitoring” services for class members, plus cash options that vary by circumstance: reimbursement of documented “extraordinary” out-of-pocket losses up to $10,000 (subject to an $8.3 million cap), up to $165 for certain claims involving accessed health-related genetic data, and estimated statutory payments around $100 for residents of Alaska, California, Illinois, and Oregon—states with privacy statutes often invoked in data-breach cases. The significance is that it treats genetic data exposure as a distinct category of harm with longer-lived risk, while also illustrating how consumer recoveries, attorney fees (up to 25%), and benefit levels can be shaped by settlement-fund caps and pro rata reductions. More broadly, the case reflects an industry-wide trend: consumer genomics companies sit at the crossroads of biotech and tech, holding exceptionally sensitive datasets that are attractive to attackers and difficult to remediate once leaked. Similar data-breach class actions frequently hinge on whether a company’s security practices were “reasonable,” whether plaintiffs can show concrete injury, and which state privacy laws apply; here, the statutory subclass highlights how state regimes can materially change payout structures. In terms of regulation, direct-to-consumer genetic testing is influenced by a patchwork—FTC enforcement against unfair/deceptive privacy practices, state consumer privacy and biometric/privacy laws, and (depending on how data is handled) health privacy frameworks—so this settlement may further pressure the sector toward stronger authentication controls, tighter data-sharing defaults, and clearer disclosures about how genetic and health-related information is protected and used.