Voidly · Genetic privacy
The Genetic Privacy Ledger — the 23andMe Breach and the Statute Wave
In 2023, recycled passwords opened roughly 14,000 accounts at 23andMe, and through them the profiles of millions. Within three years the company had been fined on two continents, sued by more than forty attorneys general, and sold through a bankruptcy court — the first time the fate of a genetic database was decided as an asset of a failed company. This ledger holds that whole chain of custody, event by documented event, alongside the 12-state statute wave that is its lasting legacy.
Statutes, courts, and regulators only; zero personal data. No breach victim is named or identifiable here; no leaked material was accessed, cited, or linked in building this dataset; every aggregate figure comes from an official document. Each event row carries its register — what the company said, what regulators found, what courts held — and figures that are not yet adjudicated say so. The documented targeting of customers by ancestry is reported exactly at the strength of the court and congressional record, and no further. To dispute or correct an entry, contact us. Built under our data standards.
- State DTC statutes
- 12
- Documented events
- 42
- UK ICO penalty
- £2.31M
- Bankruptcy sale
- $305M
What the regulators found
The UK Information Commissioner's 153-page penalty notice is the sharpest technical account on the record. Its findings, at paragraph level:
- The attack ran roughly five months — late April to late September 2023 — before a threat actor's online post surfaced it.
- 0.2% of customers worldwide had multi-factor authentication enabled. No account using single sign-on was breached.
- The company's compromised-password check drew on a list of about 20,000 passwords — while its subscription to a 14-billion-credential breach database went unused.
- The final penalty: £2,310,000, reduced from a proposed £4.59M in light of the company's financial position — affecting 6,984,430 customers worldwide by the ICO's count. Canada's privacy commissioner published parallel joint findings.
The custody chain (42 documented events, 2023–2026)
Every event carries its register and source. Where a figure is not yet adjudicated — a stipulation awaiting a judge's signature, a settlement approval so far reported only by press — the row says so.
- 2023-04-29The credential-stuffing attack beginsRegulator finding
Per the UK ICO's penalty notice, the attack ran from about April 29 to September 20, 2023 — roughly five months — using passwords reused from other breached sites. source
- 2023-10-01A threat actor posts a claim onlineCompany statement
The company's SEC amendment records that on October 1, 2023 a threat actor posted a claim to have users' profile information, and that an investigation began immediately with third-party incident-response experts. source
- 2023-10-0623andMe discloses the incidentCompany statement
The company publishes its first blog statement, attributing the access to credential stuffing and stating its own systems were not breached. source
- 2023-10-10Form 8-K furnished; all users forced to reset passwordsCompany statement
The first SEC disclosure is furnished, and the company requires a password reset for every account. source
- 2023-10-20Senate HELP ranking member sends an 11-question letterCongressional record
The letter cites reporting that data on 1.3 million customers was posted, that one posting was titled as an Ashkenazi dataset, and that records were offered at $1 to $10 each. source
- 2023-10-31Connecticut's attorney general demands answersState attorney general
The state letter cites offerings of at least one million profiles of Ashkenazi Jewish heritage and hundreds of thousands of customers of Chinese ancestry. source
- 2023-11-06Two-step verification becomes mandatoryCompany statement
The company requires email two-step verification for all new and existing customers — MFA had been optional, with regulator findings later fixing pre-breach adoption at 0.2% of customers. source
- 2023-12-01The full scope is disclosed by amendmentCompany statement
The 8-K/A states the investigation is complete: about 14,000 accounts (0.1%) were credential-stuffed, through which approximately 5.5 million DNA Relatives profiles and 1.5 million Family Tree profiles were accessed. source
- 2023-12-05Final company figures on the blogCompany statement
The blog update gives roughly 14,000 accounts of 14 million customers, and puts the Family Tree figure at approximately 1.4 million — the widely cited 6.9 million total is the sum of the categories, and appears in neither the filings nor the blog. source
- 2024-01-11A House member asks the FBI to investigate the targeted listsCongressional record
The letter describes about one million users of Ashkenazi Jewish heritage on a curated list — 17.2 percent of the American Jewish population. source
- 2024-01-26The Melvin complaint documents the listsCourt record
The class complaint alleges one million profiles of Ashkenazi Jews offered as of the October 1 leak (¶36) and 100,000 Chinese customers' data posted with 350,000 records claimed (¶38). source
- 2024-04-16Roughly 40 federal suits centralized as MDL 3098Court record
The Judicial Panel on Multidistrict Litigation centralizes the federal cases in the Northern District of California. source
- 2024-06-26Consolidated class action complaint filedCourt record
The consolidated complaint follows the April consolidation of the federal cases. source
- 2024-07-29A $30 million settlement term sheet is executedCompany statement
The company's 10-Q discloses a confidential term sheet agreeing all material terms including payment of $30.0 million; the company separately disclosed $22.1 million in probable insurance recoveries. source
- 2024-09-12Preliminary approval sought for a $30M non-reversionary fundCourt record
The motion describes extraordinary claims up to $10,000 for documented losses, statutory cash claims, and health-information claims; the class is about 6.4 million US residents. source
- 2024-12-04Conditional preliminary approval — and the court states the targetingCourt record
The order conditionally grants preliminary approval and records that cybercriminals specifically targeted customers of Ashkenazi Jewish and Chinese descent, offering their data for sale; nearly 16,000 individual arbitrations had been filed by mid-September 2024. source
- 2025-03-05The Genomic Data Protection Act is introducedCongressional record
S. 863 would require direct-to-consumer genomic testing companies to provide simple deletion and sample-destruction mechanisms. source
- 2025-03-21California's attorney general issues an urgent consumer alertState attorney general
Ahead of the widely reported financial distress, the alert reminds customers of their deletion and sample-destruction rights under the state's Genetic Information Privacy Act. source
- 2025-03-2323andMe files Chapter 11Court record
The petition is filed in the Eastern District of Missouri (No. 25-40976) to run a sale process for substantially all assets — including the genetic database. source
- 2025-03-31The FTC chairman warns the trusteeRegulator finding
The letter enumerates the categories of data 23andMe holds, quotes the privacy statement's bankruptcy clause, and states that any purchaser should be bound by the privacy promises made to consumers. source
- 2025-04-15House Oversight opens an inquiryCongressional record
The committee requests documents on the bankruptcy and the data's fate from the company's co-founder as a board member. source
- 2025-04-17House Energy & Commerce sends ten questionsCongressional record
The letter to the interim chief executive covers post-sale privacy protections and enforcement of buyer commitments. source
- 2025-04-28Senate Intelligence leaders press DOJ and the FTCCongressional record
The bipartisan letter urges both agencies to exercise the full scope of their authorities in the bankruptcy. source
- 2025-04-29The parties stipulate to a Consumer Privacy OmbudsmanCourt record
A joint stipulation and agreed order (Dkt. 346) provides for the appointment under 11 U.S.C. § 332 to examine the sale of personally identifiable information. source
- 2025-05-06The Consumer Privacy Ombudsman is appointedCourt record
The US Trustee's notice (Dkt. 388) formalizes the appointment. source
- 2025-05-19Regeneron wins the first auction at $256 millionCompany statement
After a seven-bidder auction opening at $52 million, the pharmaceutical company's bid is selected; the auction is later reopened. source
- 2025-05-22The Don't Sell My DNA Act is introducedCongressional record
S. 1916 would amend the Bankruptcy Code's definition of personally identifiable information — which does not currently enumerate genetic data — to include it. source
- 2025-06-05The UK ICO fines 23andMe £2,310,000Regulator finding
The penalty notice — reduced from a proposed £4.59 million for financial position — finds the attack ran about five months, that 6,984,430 customers worldwide were affected (155,592 in the UK), that only 0.2% of customers had MFA enabled, and that the compromised-password check used about 20,000 passwords while a subscribed 14-billion-credential database went unused. source
- 2025-06-0927 states and DC sue over the saleState attorney general
The adversary complaint (No. 25-04035) seeks a declaration that customers hold ownership and control rights in their biological samples and genetic data, and that the data cannot be sold without express, informed consent. source
- 2025-06-10House Oversight hearing on the saleCongressional record
The interim chief executive testifies that about 1.9 million customers — roughly 15% — had requested deletion since the bankruptcy, and commits that the data will not be sold to foreign adversaries; a Senate transcript the next day records a 1.3 million figure uncorrected. source
- 2025-06-11The ombudsman's 211-page report is filedCourt record
The court-appointed Consumer Privacy Ombudsman's report (Doc 718) examines whether and how genetic data can be sold in bankruptcy — the landmark primary document of the case. source
- 2025-06-13TTAM wins the reopened auction at $305 millionCourt record
The nonprofit founded by the company's co-founder and former chief executive outbids Regeneron in the final round. source
- 2025-06-17Canada's privacy commissioner publishes joint findingsRegulator finding
PIPEDA Findings #2025-001 — the Canadian half of the joint investigation with the UK ICO — finds contraventions affecting 319,635 Canadians. source
- 2025-06-27The court approves the $305M saleCourt record
The memorandum opinion records about 13 million customers, roughly 1.9 million post-petition account deletions, more than 30 states initially objecting with five still opposed, and conditions binding the buyer to the privacy promises. source
- 2025-07-14The sale closesCompany statement
TTAM takes ownership of the assets for $305 million total; objecting states' releases record negotiated conditions including verified permanent deletion rights and restrictions on resale. source
- 2025-07-17The House companion to Don't Sell My DNA is introducedCongressional record
H.R. 4492 carries identical operative text amending the Bankruptcy Code's PII definition. source
- 2025-10-02The re-cut class settlement gets bankruptcy preliminary approvalCourt record
The revised settlement — a non-reversionary fund of at least $30 million through the Plan Administration Trust — is preliminarily approved, with a final hearing set for January 20, 2026. source
- 2025-12-01The Chapter 11 plan is confirmedCourt record
The confirmation order enters for the wind-down debtor, by then renamed Chrome Holding Co. source
- 2025-12-04The public company deregistersCompany statement
Chrome Holding Co. files Form 15-12G, formally ending 23andMe's life as a public company. source
- 2026-05-28California sues separatelyState attorney general
The state's complaint — filed outside the multistate coalition — documents the targeting of about 1.1 million individuals of Ashkenazi Jewish heritage and hundreds of thousands of individuals of Chinese ancestry (¶42). source
- 2026-07-07Final approval of a $46.75M class fund is reportedCourt record
Press reports final approval of the enlarged settlement fund; the figure has not yet been reproduced from a court record and ships here as pending verification. source · Press-reported; pending court-record verification
- 2026-07-1442 attorney-general offices stipulate an $18M resolutionState attorney general
The joint stipulation allows the signatory governmental claims at $150 million with an $18 million cash recovery — against proofs of claim recited at approximately $100 billion face amount — plus a five-year ban on the wind-down estate's consumer sales and PII collection. California is not a signatory. The published copy's approval line is unsigned; the stipulation takes effect upon court approval. source · Awaiting court approval
The statute wave (12 DTC-model states, 2021–2026)
Twelve states enacted near-template direct-to-consumer genetic-privacy statutes: express consent with separate consents per purpose, deletion of account and data, destruction of the biological sample, and — in most — attorney-general enforcement at $2,500 per violation. Two carry a private right of action: Illinois (1998) and Wyoming.
| State | Law | Effective | Enforcement | Private action |
|---|---|---|---|---|
| Arizona | HB 2069 — Genetic Information Privacy Act · A.R.S. §§ 44-8001 to 44-8004 | 2021 (approved 2021-04-20) | Attorney general; civil penalty up to $2,500 per violation | No |
| Utah | SB 227 — Genetic Information Privacy Act · Utah Code § 13-60-101 et seq. | 2021-05-05 | Attorney general; civil penalty up to $2,500 per violation | No |
| California | SB 41 — Genetic Information Privacy Act · Cal. Civ. Code § 56.18 et seq. | 2022-01-01 (approved 2021-10-06) | Attorney general and local prosecutors; civil penalties | No |
| Wyoming | HB 86 (2022 Enrolled Act No. 8) · Wyo. Stat. §§ 35-32-101 to 35-32-105 | 2022-07-01 (signed 2022-03-08) | Criminal penalty; private civil action (60-day notice-and-cure); AG enforcement up to $2,500 per violation | Yes |
| Kentucky | HB 502 — Genetic Information Privacy Act · KRS 311.705 (2022 Ky. Acts ch. 169) | 2022 (session act) | Attorney general enforcement | No |
| Maryland | HB 866 — Genetic Information Privacy Act · Md. Code, Com. Law §§ 14-4401 to 14-4408 (2022 Md. Laws Ch. 501) | 2022-10-01 | Enforcement under Maryland consumer-protection law | No |
| Montana | SB 351 — Genetic Information Privacy Act · Mont. Code Ann. § 30-23-101 et seq. | 2023-10-01 (signed 2023-06-07) | Attorney general; civil penalty up to $2,500 per violation | No |
| Tennessee | HB 1310 / SB 1295 — Genetic Information Privacy Act (Pub. Ch. 324) · Tenn. Code Ann. §§ 47-18-4901 to 47-18-4906 | 2023-07-01 (signed 2023-04-28) | Attorney general enforcement | No |
| Texas | HB 2545 · Tex. Bus. & Com. Code Ch. 503A | 2023-09-01 | Attorney general; civil penalty up to $2,500 per violation | No |
| Virginia | SB 1087 · Va. Code §§ 59.1-593 to 59.1-602 | 2023-07-01 | Attorney general enforcement | No |
| Nebraska | LB 308 — Genetic Information Privacy Act · Neb. Rev. Stat. §§ 87-901 to 87-904 | 2024-07-17 (approved 2024-02-13) | Attorney general enforcement | No |
| South Dakota | SB 49 · 2026 session law (SB 49) | 2026-07-01 (signed 2026-03-23) | Attorney general enforcement | No |
Beyond the template
- Illinois — Genetic Information Privacy Act (1998): The oldest statute in the set: a private right of action with liquidated damages of $2,500 per negligent violation or $15,000 per intentional or reckless violation, plus attorney's fees — the strongest enforcement in the set. A growing GIPA class-action docket followed the 2023 breach era.
- Florida — CS/HB 833 — Protecting DNA Privacy Act (2021): A distinct criminal/property model, not the DTC consent template — counted separately from the twelve DTC-model states.
- Texas — HB 130 — Texas Genomic Act of 2025 (2025): Prohibits storing genome-sequencing data within foreign-adversary borders and restricts sale or transfer of genomic data in bankruptcy to foreign adversaries — a direct post-23andMe-bankruptcy provision.
- Florida — SB 768 (2025): Bars the Department of Health's clinical and environmental laboratories from using genetic-sequencing software produced in or by a foreign country of concern, a state-owned enterprise of one, or a company domiciled in one.
- Utah — HB 182 (2026): Restricts foreign adversaries' access to genetic-sequencing data; exempts clinical-trial data and DOJ Data Security Program-permitted transfers.
- Wisconsin — AB 673 (2026): Passed the legislature and was vetoed, with the veto message citing potential harm to medical and research collaborations — the wave's notable counterexample.
The federal gap
Why did a bankruptcy court decide the fate of fifteen million genomes? Because no federal statute stood in the way. What each law holds — and where it stops:
| Law | What it holds | The gap |
|---|---|---|
| HIPAA | Governs protected health information held by covered entities — providers, plans, clearinghouses — and their business associates. | Direct-to-consumer genetic testing companies are not covered entities; HIPAA never applied to 23andMe's consumer database. |
| GINA (2008) | Bars genetic discrimination in employment (15+ employees) and health insurance. | Does not reach life, disability, or long-term-care insurance — the coverage lines a genetic profile most directly prices. |
| 11 U.S.C. § 101(41A) | Defines personally identifiable information for bankruptcy purposes. | The definition does not enumerate genetic information — the gap the Don't Sell My DNA Act targets. |
| 11 U.S.C. § 332 | Provides for a Consumer Privacy Ombudsman, appointed at least 7 days before a PII-sale hearing, to advise the court. | Advisory only — the ombudsman informs the court; the provision does not itself bar any sale. |
| 11 U.S.C. § 363(b)(1) | Permits sale of PII either consistent with the debtor's privacy policy, or after ombudsman appointment and court findings. | The privacy policy itself — including its clause contemplating transfer in bankruptcy — sets the baseline the sale is measured against. |
| FTC Act § 5 (as applied to genetic data) | The first FTC genetic-privacy enforcement — In re 1Health.io/Vitagene (complaint June 2023, order finalized September 2023) — required $75,000 in refunds and destruction of retained DNA samples after unencrypted genetic data sat in public storage. | Case-by-case enforcement against deception and unfairness, not a standing federal genetic-privacy statute. |
| S. 863 — Genomic Data Protection Act (introduced 2025-03-05) | Would require DTC genomic companies to provide simple deletion and sample-destruction mechanisms. | Introduced and referred to committee; not enacted as of this dataset's date. |
| S. 1916 / H.R. 4492 — Don't Sell My DNA Act (introduced 2025) | Would add genetic information to the Bankruptcy Code's PII definition, closing the § 101(41A) gap the 23andMe sale exposed. | Introduced and referred to committee; not enacted as of this dataset's date. |
Method & caveats
- Three-register discipline: what the company said, what regulators found, and what courts held are never blended; every event row carries its register.
- The widely cited 6.9 million total does not appear in any 23andMe SEC filing or company blog post; the company's own figures are ~14,000 credential-stuffed accounts, ~5.5 million DNA Relatives profiles, and ~1.4 million (blog) / ~1.5 million (SEC filings) Family Tree profiles. The UK ICO's penalty notice fixes the worldwide affected-customer figure at 6,984,430, and the company's bankruptcy first-day filings say approximately 7 million.
- Settlement figures always carry their procedural status: the 42-office governmental stipulation ($18M recovery on a $150M allowed claim, against proofs of claim recited at approximately $100 billion face amount) was signed 2026-07-14 and awaits court approval; the class settlement's reported final approval of a $46.75M fund has not yet been reproduced from a court record.
- The dataset was built without accessing, citing, or linking any leaked material. The documented targeting of customers by ancestry is reported exactly at the strength of the court and congressional record that describes it.
- Deletion-request figures conflict in the official record — approximately 1.9 million (House Oversight testimony, 2025-06-10, and the bankruptcy court's 2025-06-27 opinion) versus 1.3 million (a Senate Judiciary printed transcript) — and are published side by side, never blended.
- Regenerate/validate:
python3 scripts/build_genetic_privacy.py— a fail-closed validator checks schema, enums, chronology, and scans for personal data before either copy is written; every source URL is probed for liveness by the weekly citation check.
Machine access
The full ledger — the statute annex, all 42 events with registers and procedural statuses, and the federal gap map — is one keyless fetch:
import requests
d = requests.get("https://ai-analytics.org/genetic-privacy/index.json").json()
pending = [e for e in d["events"] if e["status"] != "final"]
print(len(d["statutes"]), "statute rows;", len(pending), "events still resolving")Also listed in the Voidly datasets manifest and /data. License: public-record sources; this compilation CC BY 4.0.
The information-rights companions: Data Protection (61 countries' privacy statutes — the global layer) and Right to Information (access laws) — this ledger is the domestic genetic layer: what happens when the most personal data there is meets the least prepared corner of the law.