FOR IMMEDIATE RELEASE
Media Contacts
[email protected]
410-576-7009
BALTIMORE, MD (July 14, 2026) – Attorney General Anthony G. Brown today joined a coalition of 42 attorneys general announcing a settlement resolving allegations stemming from 23andMe’s 2023 data breach that compromised the genetic data of 6.9 million customers worldwide.
23andMe filed for bankruptcy in March 2025. The settlement was reached with the Office of the United States Bankruptcy Trustee. Because the bankruptcy estate has limited funds and there are many competing claims, the recovery is limited to $18 million that will be paid out of the available bankruptcy funds immediately.
“Marylanders trusted 23andMe to protect their personal data, including highly sensitive genetic data and ancestry information. 23andMe failed to safeguard it and then blamed its customers,” said Attorney General Brown. “Through this settlement, we were able to ensure that Marylanders’ genetic information is properly protected going forward. My Office will continue to hold accountable any company that fails to protect Marylanders and their sensitive information.”
In October 2023, the direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach that affected 6.9 million consumers, including 94,298 Maryland residents. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.
23andMe learned about the breach months after impacted personal information became publicly available. 23andMe initially declined responsibility for the breach, and then blamed consumers arguing they had mishandled their passwords. The breach was shown to have been related to passwords compromised years earlier in a breach that had occurred on MyHeritage.com, 23and Me’s partner, that exposed thousands of credentials shared between the websites.
In the immediate aftermath of the data breach the attorneys general formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to failing to:
• Employ safeguards against credential stuffing attacks, including comparing passwords against blocklists of known breached passwords or requiring multifactor authentication;
• Implement appropriate rate limiting or intrusion prevention;
• Implement logging and monitoring or other tools likely to detect a data breach;
• Appropriately investigate and/or address unusual login patterns, including, for example, a massive spike in login attempts;
• Remediate known vulnerabilities; and
• Properly review and test design features.
In March 2025, 23andMe filed for bankruptcy protection and states subsequently filed claims related to the data breach investigation. As part of the bankruptcy proceedings, the assets – notably 23andMe’s consumer data – were sold to TTAM Research Institute, a non-profit formed by 23andMe founder and former CEO Anne Wojcicki. The attorneys general were able to ensure that the terms of the sale included many information and data security requirements that address the security concerns outlined above. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an Advisory Board, an agreement to be bound by comprehensive privacy laws without exception, and an agreement to offer consumers deletion rights. These terms will make sure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.
In addition to general consumer protection, individuals are also protected under Maryland’s genetic privacy law, which regulates direct-to-consumer genetic testing companies. It requires these companies to provide transparent privacy policies, obtain express consent for collecting or sharing genetic data, and ensure consumer rights to access and delete data.
In the settlement, Attorney General Brown joined the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maine, Michigan, Minnesota, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia.
###