From Michigan Department of Attorney General <[email protected]>
Subject AG Nessel Announces Multistate Settlement of Bankruptcy Claims Against 23AndMe over Genetic Data Breach
Date July 14, 2026 6:27 PM
  Links have been removed from this email. Learn more in the FAQ.
  Links have been removed from this email. Learn more in the FAQ.
Michigan Attorney General Dana Nessel today joined a coalition of 42 attorneys general announcing a settlement with the bankruptcy trustee f





Share or view as webpage [ [link removed] ] | Unsubscribe [ [link removed] ]






Michigan Department of Attorney General Press Release banner [ [link removed] ]




*FOR IMMEDIATE RELEASE:*
July 14, 2026




*Media Contact:*
Danny Wimmer <[email protected]>






AG Nessel Announces Multistate Settlement of Bankruptcy Claims Against 23AndMe over Genetic Data Breach

*LANSING* – Michigan Attorney General Dana Nessel today joined a coalition of 42 attorneys general announcing a settlement with the bankruptcy trustee for 23andMe (PDF) [ [link removed] ], resolving allegations stemming from a 2023 data breach that compromised the genetic data of 6.9 million customers worldwide. The settlement includes $150 million in allowed claims for states. Due to the finite amount of funds in the bankruptcy estate and numerous other claims, recovery is limited to $18 million but will be paid out of available bankruptcy funds immediately. Of the $18 million, Michigan will receive $436,605. 23andMe also agreed to a $46.75 million class-action settlement in the bankruptcy to provide relief to affected U.S. consumers who submitted claims in a process that closed this past February.

“Protecting the personal information of Michigan residents has been one of my top priorities during my time in office, and we will not stand by when companies fail to safeguard consumer data,” said Attorney General Nessel. “I am proud to have worked with this coalition to secure this settlement. We remain committed to defending the privacy of Michiganders and ensuring that corporations that fail their customers are held accountable.”

In October 2023, direct-to-consumer genetic testing company 23andMe announced that it had discovered a data breach in which 6.9 million consumers were affected, including 162,865 Michigan residents. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.

23andMe learned about the breach months after impacted personal information was publicly available. 23andMe first denied a breach and then, once it confirmed the breach, blamed consumers for how their accounts were set up or how passwords were used. 23andMe initially accepted no responsibility for the breach, which was particularly egregious considering 23andMe’s partnership with MyHeritage, which itself was compromised years prior to the breach, exposing thousands of credentials shared between the websites.

In the immediate aftermath of the data breach, the attorneys general formed a multistate investigation and found that 23andMe engaged in unreasonable data security practices, including, but not limited to:


* Failing to employ safeguards against attacks, including comparing passwords against blocklists of known breached passwords or requiring multifactor authentication;
* Failing to implement appropriate rate limiting or intrusion prevention;
* Failing to implement logging and monitoring or other tools likely to detect a data breach;
* Failing to appropriately investigate and/or address unusual login patterns, including, for example, a massive spike in login attempts;
* Failing to remediate known vulnerabilities; and
* Failing to properly review and test design features.

In March 2025, 23andMe filed for bankruptcy protection, and states subsequently filed claims related to the data breach investigation.  As part of the bankruptcy proceedings, the assets – notably 23andMe’s consumer data – were sold to TTAM Research Institute, a non-profit formed by 23andMe founder and former CEO Anne Wojcicki. The terms of the sale included many information and data security requirements that likely would have been included in a settlement with 23andMe had it not filed for bankruptcy. Such terms included enhanced data security requirements, appropriate risk analysis, the addition of an Advisory Board, agreeing to be bound by applicable state comprehensive privacy laws, and continuing to offer consumer deletion rights. These terms will make sure that TTAM Research Institute, now reregistered as 23andMe Research Institute, will be a safer custodian of genetic data moving forward.    

Senate Bill 359, [ [link removed] ] sponsored by state Senator Rosemary Bayer, would provide Michiganders with more safeguards related to the collection and use of their data. The Michigan Personal Data Privacy Act would also allow the Department of Attorney General authority to commence investigations and civil actions related to violations. Currently awaiting a vote in the Michigan Senate, the legislation would bring Michigan in line with at least 23 other states that have already enacted similar comprehensive data privacy protection laws.

“Michigan consumers deserve the protections necessary to keep their personal information safe,” said Attorney General Nessel. “I urge the Legislature to pass this much-needed legislation to provide meaningful, long-overdue privacy rights to Michiganders while giving my office the ability to pursue companies that compromise our residents’ data.”

For more information on protecting consumer privacy and opting out of data sharing, visit the Department of Attorney General’s website [ [link removed] ].

Attorney General Nessel joined the attorneys general of Alaska, Alabama, Arkansas, Arizona, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Georgia, Idaho, Iowa, Illinois, Indiana, Kansas, Kentucky, Louisiana, Massachusetts, Maryland, Maine, Minnesota, North Carolina, North Dakota, New Hampshire, New Jersey, New Mexico, New York, Ohio, Oklahoma, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Vermont, Washington, Wisconsin, and West Virginia in today’s settlement.  

###






AG logo [ [link removed] ]





*Media Inquiries* <[email protected]>




*Latest Releases* [ [link removed] ]




*File a Complaint* [ [link removed] ]








Connect with us:

facebook icon [ [link removed] ] x icon [ [link removed] ] youtube icon [ [link removed] ] instagram icon [ [link removed] ] linkedin icon [ [link removed] ] govdelivery icon <[email protected]> threads icon [ [link removed] ]

If you wish to no longer receive emails from us, 
please update your preferences here:
Manage Preferences [ [link removed] ]  |  Delete Profile [ [link removed] ]

Need further assistance?
Contact Us  |  Help [ [link removed] ]

________________________________________________________________________

Get personalized voter information on early voting and other topics at Michigan.gov/Vote [ [link removed] ].

________________________________________________________________________

This email was sent to [email protected] using Granicus Communications Cloud on behalf of: Michigan Attorney General · G. Mennen Williams Building, 7th Floor · 525 W. Ottawa St., P.O. Box 30212 · Lansing, MI 48909 · 517-373-1100
body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; margin-right:0px;} table.govd_hr {min-width: 100%;} p, li, h1, h2, h3 { overflow-wrap: normal; word-wrap: normal; word-break: keep-all; -moz-hyphens: none; -ms-hyphens: none; -webkit-hyphens: none; hyphens: none; mso-hyphenate: none; }
Screenshot of the email generated on import

Message Analysis