Voidly · Genetic privacy

The Genetic Privacy Ledger — the 23andMe Breach and the Statute Wave

In 2023, recycled passwords opened roughly 14,000 accounts at 23andMe, and through them the profiles of millions. Within three years the company had been fined on two continents, sued by more than forty attorneys general, and sold through a bankruptcy court — the first time the fate of a genetic database was decided as an asset of a failed company. This ledger holds that whole chain of custody, event by documented event, alongside the 12-state statute wave that is its lasting legacy.

Statutes, courts, and regulators only; zero personal data. No breach victim is named or identifiable here; no leaked material was accessed, cited, or linked in building this dataset; every aggregate figure comes from an official document. Each event row carries its register — what the company said, what regulators found, what courts held — and figures that are not yet adjudicated say so. The documented targeting of customers by ancestry is reported exactly at the strength of the court and congressional record, and no further. To dispute or correct an entry, contact us. Built under our data standards.

State DTC statutes
12
Documented events
42
UK ICO penalty
£2.31M
Bankruptcy sale
$305M

What the regulators found

The UK Information Commissioner's 153-page penalty notice is the sharpest technical account on the record. Its findings, at paragraph level:

  • The attack ran roughly five months — late April to late September 2023 — before a threat actor's online post surfaced it.
  • 0.2% of customers worldwide had multi-factor authentication enabled. No account using single sign-on was breached.
  • The company's compromised-password check drew on a list of about 20,000 passwords — while its subscription to a 14-billion-credential breach database went unused.
  • The final penalty: £2,310,000, reduced from a proposed £4.59M in light of the company's financial position — affecting 6,984,430 customers worldwide by the ICO's count. Canada's privacy commissioner published parallel joint findings.

The custody chain (42 documented events, 2023–2026)

Every event carries its register and source. Where a figure is not yet adjudicated — a stipulation awaiting a judge's signature, a settlement approval so far reported only by press — the row says so.

  1. 2023-04-29The credential-stuffing attack beginsRegulator finding

    Per the UK ICO's penalty notice, the attack ran from about April 29 to September 20, 2023 — roughly five months — using passwords reused from other breached sites. source

  2. 2023-10-01A threat actor posts a claim onlineCompany statement

    The company's SEC amendment records that on October 1, 2023 a threat actor posted a claim to have users' profile information, and that an investigation began immediately with third-party incident-response experts. source

  3. 2023-10-0623andMe discloses the incidentCompany statement

    The company publishes its first blog statement, attributing the access to credential stuffing and stating its own systems were not breached. source

  4. 2023-10-10Form 8-K furnished; all users forced to reset passwordsCompany statement

    The first SEC disclosure is furnished, and the company requires a password reset for every account. source

  5. 2023-10-20Senate HELP ranking member sends an 11-question letterCongressional record

    The letter cites reporting that data on 1.3 million customers was posted, that one posting was titled as an Ashkenazi dataset, and that records were offered at $1 to $10 each. source

  6. 2023-10-31Connecticut's attorney general demands answersState attorney general

    The state letter cites offerings of at least one million profiles of Ashkenazi Jewish heritage and hundreds of thousands of customers of Chinese ancestry. source

  7. 2023-11-06Two-step verification becomes mandatoryCompany statement

    The company requires email two-step verification for all new and existing customers — MFA had been optional, with regulator findings later fixing pre-breach adoption at 0.2% of customers. source

  8. 2023-12-01The full scope is disclosed by amendmentCompany statement

    The 8-K/A states the investigation is complete: about 14,000 accounts (0.1%) were credential-stuffed, through which approximately 5.5 million DNA Relatives profiles and 1.5 million Family Tree profiles were accessed. source

  9. 2023-12-05Final company figures on the blogCompany statement

    The blog update gives roughly 14,000 accounts of 14 million customers, and puts the Family Tree figure at approximately 1.4 million — the widely cited 6.9 million total is the sum of the categories, and appears in neither the filings nor the blog. source

  10. 2024-01-11A House member asks the FBI to investigate the targeted listsCongressional record

    The letter describes about one million users of Ashkenazi Jewish heritage on a curated list — 17.2 percent of the American Jewish population. source

  11. 2024-01-26The Melvin complaint documents the listsCourt record

    The class complaint alleges one million profiles of Ashkenazi Jews offered as of the October 1 leak (¶36) and 100,000 Chinese customers' data posted with 350,000 records claimed (¶38). source

  12. 2024-04-16Roughly 40 federal suits centralized as MDL 3098Court record

    The Judicial Panel on Multidistrict Litigation centralizes the federal cases in the Northern District of California. source

  13. 2024-06-26Consolidated class action complaint filedCourt record

    The consolidated complaint follows the April consolidation of the federal cases. source

  14. 2024-07-29A $30 million settlement term sheet is executedCompany statement

    The company's 10-Q discloses a confidential term sheet agreeing all material terms including payment of $30.0 million; the company separately disclosed $22.1 million in probable insurance recoveries. source

  15. 2024-09-12Preliminary approval sought for a $30M non-reversionary fundCourt record

    The motion describes extraordinary claims up to $10,000 for documented losses, statutory cash claims, and health-information claims; the class is about 6.4 million US residents. source

  16. 2024-12-04Conditional preliminary approval — and the court states the targetingCourt record

    The order conditionally grants preliminary approval and records that cybercriminals specifically targeted customers of Ashkenazi Jewish and Chinese descent, offering their data for sale; nearly 16,000 individual arbitrations had been filed by mid-September 2024. source

  17. 2025-03-05The Genomic Data Protection Act is introducedCongressional record

    S. 863 would require direct-to-consumer genomic testing companies to provide simple deletion and sample-destruction mechanisms. source

  18. 2025-03-21California's attorney general issues an urgent consumer alertState attorney general

    Ahead of the widely reported financial distress, the alert reminds customers of their deletion and sample-destruction rights under the state's Genetic Information Privacy Act. source

  19. 2025-03-2323andMe files Chapter 11Court record

    The petition is filed in the Eastern District of Missouri (No. 25-40976) to run a sale process for substantially all assets — including the genetic database. source

  20. 2025-03-31The FTC chairman warns the trusteeRegulator finding

    The letter enumerates the categories of data 23andMe holds, quotes the privacy statement's bankruptcy clause, and states that any purchaser should be bound by the privacy promises made to consumers. source

  21. 2025-04-15House Oversight opens an inquiryCongressional record

    The committee requests documents on the bankruptcy and the data's fate from the company's co-founder as a board member. source

  22. 2025-04-17House Energy & Commerce sends ten questionsCongressional record

    The letter to the interim chief executive covers post-sale privacy protections and enforcement of buyer commitments. source

  23. 2025-04-28Senate Intelligence leaders press DOJ and the FTCCongressional record

    The bipartisan letter urges both agencies to exercise the full scope of their authorities in the bankruptcy. source

  24. 2025-04-29The parties stipulate to a Consumer Privacy OmbudsmanCourt record

    A joint stipulation and agreed order (Dkt. 346) provides for the appointment under 11 U.S.C. § 332 to examine the sale of personally identifiable information. source

  25. 2025-05-06The Consumer Privacy Ombudsman is appointedCourt record

    The US Trustee's notice (Dkt. 388) formalizes the appointment. source

  26. 2025-05-19Regeneron wins the first auction at $256 millionCompany statement

    After a seven-bidder auction opening at $52 million, the pharmaceutical company's bid is selected; the auction is later reopened. source

  27. 2025-05-22The Don't Sell My DNA Act is introducedCongressional record

    S. 1916 would amend the Bankruptcy Code's definition of personally identifiable information — which does not currently enumerate genetic data — to include it. source

  28. 2025-06-05The UK ICO fines 23andMe £2,310,000Regulator finding

    The penalty notice — reduced from a proposed £4.59 million for financial position — finds the attack ran about five months, that 6,984,430 customers worldwide were affected (155,592 in the UK), that only 0.2% of customers had MFA enabled, and that the compromised-password check used about 20,000 passwords while a subscribed 14-billion-credential database went unused. source

  29. 2025-06-0927 states and DC sue over the saleState attorney general

    The adversary complaint (No. 25-04035) seeks a declaration that customers hold ownership and control rights in their biological samples and genetic data, and that the data cannot be sold without express, informed consent. source

  30. 2025-06-10House Oversight hearing on the saleCongressional record

    The interim chief executive testifies that about 1.9 million customers — roughly 15% — had requested deletion since the bankruptcy, and commits that the data will not be sold to foreign adversaries; a Senate transcript the next day records a 1.3 million figure uncorrected. source

  31. 2025-06-11The ombudsman's 211-page report is filedCourt record

    The court-appointed Consumer Privacy Ombudsman's report (Doc 718) examines whether and how genetic data can be sold in bankruptcy — the landmark primary document of the case. source

  32. 2025-06-13TTAM wins the reopened auction at $305 millionCourt record

    The nonprofit founded by the company's co-founder and former chief executive outbids Regeneron in the final round. source

  33. 2025-06-17Canada's privacy commissioner publishes joint findingsRegulator finding

    PIPEDA Findings #2025-001 — the Canadian half of the joint investigation with the UK ICO — finds contraventions affecting 319,635 Canadians. source

  34. 2025-06-27The court approves the $305M saleCourt record

    The memorandum opinion records about 13 million customers, roughly 1.9 million post-petition account deletions, more than 30 states initially objecting with five still opposed, and conditions binding the buyer to the privacy promises. source

  35. 2025-07-14The sale closesCompany statement

    TTAM takes ownership of the assets for $305 million total; objecting states' releases record negotiated conditions including verified permanent deletion rights and restrictions on resale. source

  36. 2025-07-17The House companion to Don't Sell My DNA is introducedCongressional record

    H.R. 4492 carries identical operative text amending the Bankruptcy Code's PII definition. source

  37. 2025-10-02The re-cut class settlement gets bankruptcy preliminary approvalCourt record

    The revised settlement — a non-reversionary fund of at least $30 million through the Plan Administration Trust — is preliminarily approved, with a final hearing set for January 20, 2026. source

  38. 2025-12-01The Chapter 11 plan is confirmedCourt record

    The confirmation order enters for the wind-down debtor, by then renamed Chrome Holding Co. source

  39. 2025-12-04The public company deregistersCompany statement

    Chrome Holding Co. files Form 15-12G, formally ending 23andMe's life as a public company. source

  40. 2026-05-28California sues separatelyState attorney general

    The state's complaint — filed outside the multistate coalition — documents the targeting of about 1.1 million individuals of Ashkenazi Jewish heritage and hundreds of thousands of individuals of Chinese ancestry (¶42). source

  41. 2026-07-07Final approval of a $46.75M class fund is reportedCourt record

    Press reports final approval of the enlarged settlement fund; the figure has not yet been reproduced from a court record and ships here as pending verification. source · Press-reported; pending court-record verification

  42. 2026-07-1442 attorney-general offices stipulate an $18M resolutionState attorney general

    The joint stipulation allows the signatory governmental claims at $150 million with an $18 million cash recovery — against proofs of claim recited at approximately $100 billion face amount — plus a five-year ban on the wind-down estate's consumer sales and PII collection. California is not a signatory. The published copy's approval line is unsigned; the stipulation takes effect upon court approval. source · Awaiting court approval

The statute wave (12 DTC-model states, 2021–2026)

Twelve states enacted near-template direct-to-consumer genetic-privacy statutes: express consent with separate consents per purpose, deletion of account and data, destruction of the biological sample, and — in most — attorney-general enforcement at $2,500 per violation. Two carry a private right of action: Illinois (1998) and Wyoming.

StateLawEffectiveEnforcementPrivate action
ArizonaHB 2069 — Genetic Information Privacy Act · A.R.S. §§ 44-8001 to 44-80042021 (approved 2021-04-20)Attorney general; civil penalty up to $2,500 per violationNo
UtahSB 227 — Genetic Information Privacy Act · Utah Code § 13-60-101 et seq.2021-05-05Attorney general; civil penalty up to $2,500 per violationNo
CaliforniaSB 41 — Genetic Information Privacy Act · Cal. Civ. Code § 56.18 et seq.2022-01-01 (approved 2021-10-06)Attorney general and local prosecutors; civil penaltiesNo
WyomingHB 86 (2022 Enrolled Act No. 8) · Wyo. Stat. §§ 35-32-101 to 35-32-1052022-07-01 (signed 2022-03-08)Criminal penalty; private civil action (60-day notice-and-cure); AG enforcement up to $2,500 per violationYes
KentuckyHB 502 — Genetic Information Privacy Act · KRS 311.705 (2022 Ky. Acts ch. 169)2022 (session act)Attorney general enforcementNo
MarylandHB 866 — Genetic Information Privacy Act · Md. Code, Com. Law §§ 14-4401 to 14-4408 (2022 Md. Laws Ch. 501)2022-10-01Enforcement under Maryland consumer-protection lawNo
MontanaSB 351 — Genetic Information Privacy Act · Mont. Code Ann. § 30-23-101 et seq.2023-10-01 (signed 2023-06-07)Attorney general; civil penalty up to $2,500 per violationNo
TennesseeHB 1310 / SB 1295 — Genetic Information Privacy Act (Pub. Ch. 324) · Tenn. Code Ann. §§ 47-18-4901 to 47-18-49062023-07-01 (signed 2023-04-28)Attorney general enforcementNo
TexasHB 2545 · Tex. Bus. & Com. Code Ch. 503A2023-09-01Attorney general; civil penalty up to $2,500 per violationNo
VirginiaSB 1087 · Va. Code §§ 59.1-593 to 59.1-6022023-07-01Attorney general enforcementNo
NebraskaLB 308 — Genetic Information Privacy Act · Neb. Rev. Stat. §§ 87-901 to 87-9042024-07-17 (approved 2024-02-13)Attorney general enforcementNo
South DakotaSB 49 · 2026 session law (SB 49)2026-07-01 (signed 2026-03-23)Attorney general enforcementNo

Beyond the template

  • Illinois Genetic Information Privacy Act (1998): The oldest statute in the set: a private right of action with liquidated damages of $2,500 per negligent violation or $15,000 per intentional or reckless violation, plus attorney's fees — the strongest enforcement in the set. A growing GIPA class-action docket followed the 2023 breach era.
  • Florida CS/HB 833 — Protecting DNA Privacy Act (2021): A distinct criminal/property model, not the DTC consent template — counted separately from the twelve DTC-model states.
  • Texas HB 130 — Texas Genomic Act of 2025 (2025): Prohibits storing genome-sequencing data within foreign-adversary borders and restricts sale or transfer of genomic data in bankruptcy to foreign adversaries — a direct post-23andMe-bankruptcy provision.
  • Florida SB 768 (2025): Bars the Department of Health's clinical and environmental laboratories from using genetic-sequencing software produced in or by a foreign country of concern, a state-owned enterprise of one, or a company domiciled in one.
  • Utah HB 182 (2026): Restricts foreign adversaries' access to genetic-sequencing data; exempts clinical-trial data and DOJ Data Security Program-permitted transfers.
  • Wisconsin AB 673 (2026): Passed the legislature and was vetoed, with the veto message citing potential harm to medical and research collaborations — the wave's notable counterexample.

The federal gap

Why did a bankruptcy court decide the fate of fifteen million genomes? Because no federal statute stood in the way. What each law holds — and where it stops:

LawWhat it holdsThe gap
HIPAAGoverns protected health information held by covered entities — providers, plans, clearinghouses — and their business associates.Direct-to-consumer genetic testing companies are not covered entities; HIPAA never applied to 23andMe's consumer database.
GINA (2008)Bars genetic discrimination in employment (15+ employees) and health insurance.Does not reach life, disability, or long-term-care insurance — the coverage lines a genetic profile most directly prices.
11 U.S.C. § 101(41A)Defines personally identifiable information for bankruptcy purposes.The definition does not enumerate genetic information — the gap the Don't Sell My DNA Act targets.
11 U.S.C. § 332Provides for a Consumer Privacy Ombudsman, appointed at least 7 days before a PII-sale hearing, to advise the court.Advisory only — the ombudsman informs the court; the provision does not itself bar any sale.
11 U.S.C. § 363(b)(1)Permits sale of PII either consistent with the debtor's privacy policy, or after ombudsman appointment and court findings.The privacy policy itself — including its clause contemplating transfer in bankruptcy — sets the baseline the sale is measured against.
FTC Act § 5 (as applied to genetic data)The first FTC genetic-privacy enforcement — In re 1Health.io/Vitagene (complaint June 2023, order finalized September 2023) — required $75,000 in refunds and destruction of retained DNA samples after unencrypted genetic data sat in public storage.Case-by-case enforcement against deception and unfairness, not a standing federal genetic-privacy statute.
S. 863 — Genomic Data Protection Act (introduced 2025-03-05)Would require DTC genomic companies to provide simple deletion and sample-destruction mechanisms.Introduced and referred to committee; not enacted as of this dataset's date.
S. 1916 / H.R. 4492 — Don't Sell My DNA Act (introduced 2025)Would add genetic information to the Bankruptcy Code's PII definition, closing the § 101(41A) gap the 23andMe sale exposed.Introduced and referred to committee; not enacted as of this dataset's date.

Method & caveats

  • Three-register discipline: what the company said, what regulators found, and what courts held are never blended; every event row carries its register.
  • The widely cited 6.9 million total does not appear in any 23andMe SEC filing or company blog post; the company's own figures are ~14,000 credential-stuffed accounts, ~5.5 million DNA Relatives profiles, and ~1.4 million (blog) / ~1.5 million (SEC filings) Family Tree profiles. The UK ICO's penalty notice fixes the worldwide affected-customer figure at 6,984,430, and the company's bankruptcy first-day filings say approximately 7 million.
  • Settlement figures always carry their procedural status: the 42-office governmental stipulation ($18M recovery on a $150M allowed claim, against proofs of claim recited at approximately $100 billion face amount) was signed 2026-07-14 and awaits court approval; the class settlement's reported final approval of a $46.75M fund has not yet been reproduced from a court record.
  • The dataset was built without accessing, citing, or linking any leaked material. The documented targeting of customers by ancestry is reported exactly at the strength of the court and congressional record that describes it.
  • Deletion-request figures conflict in the official record — approximately 1.9 million (House Oversight testimony, 2025-06-10, and the bankruptcy court's 2025-06-27 opinion) versus 1.3 million (a Senate Judiciary printed transcript) — and are published side by side, never blended.
  • Regenerate/validate: python3 scripts/build_genetic_privacy.py — a fail-closed validator checks schema, enums, chronology, and scans for personal data before either copy is written; every source URL is probed for liveness by the weekly citation check.

Machine access

The full ledger — the statute annex, all 42 events with registers and procedural statuses, and the federal gap map — is one keyless fetch:

import requests
d = requests.get("https://ai-analytics.org/genetic-privacy/index.json").json()
pending = [e for e in d["events"] if e["status"] != "final"]
print(len(d["statutes"]), "statute rows;", len(pending), "events still resolving")

Also listed in the Voidly datasets manifest and /data. License: public-record sources; this compilation CC BY 4.0.

The information-rights companions: Data Protection (61 countries' privacy statutes — the global layer) and Right to Information (access laws) — this ledger is the domestic genetic layer: what happens when the most personal data there is meets the least prepared corner of the law.