Office of the Colorado Attorney General

07/14/2026 | Press release | Distributed by Public on 07/14/2026 10:45

Attorney General Phil Weiser announces multistate settlement of bankruptcy claims against 23andme over genetic data breach

Attorney General Phil Weiser announces multistate settlement of bankruptcy claims against 23andme over genetic data breach

July 14, 2026 (DENVER) - Attorney General Phil Weiser today joined a coalition of 42 attorneys general announcing a settlement with the bankruptcy trustee for 23andMe, resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million customers worldwide.

Under the settlement (opens new window), the states will be paid $18 million out of available bankruptcy funds immediately. Of the $18 million, Colorado will receive $394,324. 23andMe also agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims by February 17, 2026.

"Under Colorado's data privacy and security laws, companies must safeguard consumer personal data and cannot sell or disclose sensitive personal data-including genetic data-without the affirmative consent from the consumer. Because of today's settlement with 23andMe, Coloradans' data will be in safer hands and consumers will keep their rights over their data, including deleting any personal data held by the organization," said Attorney General Weiser.

In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including 140,517 in Colorado. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.

23andMe learned about the breach months after impacted personal information was publicly available. The company first denied a breach and then, once it confirmed the breach, blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the credential stuffing breach, which was particularly egregious considering 23andMe's partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites.

In the immediate aftermath of the data breach the attorneys general formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices. In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation.

As part of the bankruptcy proceedings, the assets - notably 23andMe's consumer data - were sold to TTAM Research Institute, a non-profit formed by 23andMe founder and former CEO Anne Wojcicki. The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an advisory board, agreeing to be bound by comprehensive privacy laws without exception, and continuing to offer consumer deletion rights. These terms will make sure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.

The Colorado Privacy Act includes enhanced protections for biometric data:

  • Companies must have a public policy regarding the safety and security of biometric data, including the retention schedule for any biometric data they hold.
  • Companies cannot sell or disclose biometric data without affirmative consent from consumers.
  • Consumers have the right to additional details about their biometric data held by companies, including the identity of any third parties to whom the data has been disclosed.
  • Consumers in Colorado must affirmatively opt-in to any use or processing of their sensitive personal data - including genetic data.

The state privacy law also applies to non-profit entities such as 23andMe Research Institute.

Consumers can set privacy controls and delete any data held by 23andMe Research Institute at https://www.23andme.org/legal/privacy/#your-privacy-controls (opens new window).

Attorney General Weiser joined the attorneys general of Alaska, Alabama, Arkansas, Arizona, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Michigan, Minnesota, North Carolina, North Dakota, New Hampshire, New Jersey, New Mexico, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia in today's settlement.

###

Media Contact:
Lawrence Pacheco
Chief Communications Officer
(720) 508-6553 office
[email protected]

Office of the Colorado Attorney General published this content on July 14, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 14, 2026 at 16:45 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]