23andMe to Settle Class Action Data Breach Lawsuit

by Ryan Coyne | Jul 22, 2024

23andMe, based in San Francisco, has proposed an agreement to resolve a class action lawsuit filed over a 2023 breach of consumer information. The breach happened in October 2023, and the attacker stole the data of around 6.9 million people, about 50% of its consumers. The breach did not involve a compromise of 23andMe’s network; instead, a threat actor performed a credential-stuffing attack that gave access to some consumer accounts. About 14,000 personal accounts were breached, approximately 0.1% of its consumers.

When 23andMe discovered the breach, it blamed the poor security practices of customers. The accounts could only be accessed because the affected consumers had reused username/password combinations that also protected accounts on unrelated platforms. When those third-party platforms suffered data breaches and the credentials were compromised, the same credentials could be used to access any other account protected by that combination, which in this instance was 23andMe.
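Credential stuffing as described above has a recognizable shape in authentication logs: one source tries many different usernames, typically once each, with a high failure rate and a handful of successes where the reused password happens to match. The following Python is an added example written for this page, not 23andMe's code or logs; the log format, the sample lines, the source addresses and the thresholds are all constructed for illustration. It flags sources that match the pattern and lists the accounts those sources logged into successfully, which is the set a defender would want to force-reset and review.

```python
"""Flag a credential-stuffing pattern in constructed authentication logs.

Added example for this article, not 23andMe's code. The log format
(timestamp, source IP, username, outcome) and every value are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source walking through many distinct usernames
# (203.0.113.7), one user mistyping their own password (198.51.100.3), and
# one ordinary successful login (192.0.2.9). Addresses are documentation ranges.
SAMPLE_LOG = """\
2023-10-01T08:00:01Z 203.0.113.7 alice LOGIN_FAIL
2023-10-01T08:00:02Z 203.0.113.7 bob LOGIN_FAIL
2023-10-01T08:00:02Z 203.0.113.7 carol LOGIN_OK
2023-10-01T08:00:03Z 203.0.113.7 dave LOGIN_FAIL
2023-10-01T08:00:03Z 203.0.113.7 erin LOGIN_FAIL
2023-10-01T08:00:04Z 203.0.113.7 frank LOGIN_FAIL
2023-10-01T08:00:04Z 203.0.113.7 grace LOGIN_OK
2023-10-01T08:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2023-10-01T08:00:05Z 203.0.113.7 ivan LOGIN_FAIL
2023-10-01T08:00:06Z 203.0.113.7 judy LOGIN_FAIL
2023-10-01T08:01:00Z 198.51.100.3 mallory LOGIN_FAIL
2023-10-01T08:01:05Z 198.51.100.3 mallory LOGIN_FAIL
2023-10-01T08:01:09Z 198.51.100.3 mallory LOGIN_OK
2023-10-01T08:02:00Z 192.0.2.9 peggy LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source counters used to score the stuffing pattern."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # usernames with LOGIN_OK

    @property
    def fail_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse(log_text: str) -> list:
    """Parse the constructed whitespace-separated format into tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome))
    return events


def summarize_sources(events: list) -> dict:
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "LOGIN_OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing_sources(events: list, min_distinct_users: int = 5,
                          min_fail_rate: float = 0.6) -> list:
    """Return sources that tried many distinct usernames with mostly failures.

    The thresholds are constructed for the example; a real deployment tunes
    them per login volume. A single user retrying their own password fails
    the distinct-username test and is not flagged.
    """
    flagged = []
    for ip, s in summarize_sources(events).items():
        if len(s.usernames) >= min_distinct_users and s.fail_rate >= min_fail_rate:
            flagged.append(ip)
    return sorted(flagged)


def accounts_to_review(events: list) -> set:
    """Accounts that a flagged source logged into successfully.

    These are the reused-password hits: the accounts to force-reset and
    notify, since their credentials are confirmed known to the attacker.
    """
    stats = summarize_sources(events)
    review = set()
    for ip in flag_stuffing_sources(events):
        review |= stats[ip].successes
    return review


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("flagged sources:", flag_stuffing_sources(evs))
    print("accounts to review:", sorted(accounts_to_review(evs)))
```

A per-IP heuristic like this catches the naive case only; stuffing tooling commonly spreads attempts across many proxy addresses to stay under per-source thresholds, so production detection also keys on the global rate of distinct-username failures, on device and TLS fingerprints, and on checking new passwords against known-breached credential sets at registration and reset time.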

Data acquired from those accounts included uninterpreted raw genotype information, health predisposition studies, and carrier-status research. The threat actor also accessed the DNA Relatives feature. Through that feature, the threat actor viewed the profile data of about 5.5 million 23andMe users and the Family Tree data of another 1.4 million people. The threat actor then posted datasets for sale, including lists of consumers of Jewish and Chinese descent.

23andMe is facing over 24 lawsuits over the data breach. The plaintiffs’ lawyers stated that the datasets offered for sale could be used as a hit list: Jews could be targeted, and the intelligence agencies of the People’s Republic of China could use the Chinese dataset to target dissidents. Although access to the 14,000 accounts was gained through the customers’ reuse of passwords, lawyers for the plaintiffs contended that 23andMe should have done more to secure users’ sensitive information.

They claimed that 23andMe should have known the likelihood of a cyberattack, should have acted to minimize the risk, and should have had appropriate data breach procedures and HIPAA training in place. Additionally, the company should have informed consumers of Jewish and Chinese descent that the datasets were exposed and that they could be targeted. The lawsuits also claimed that 23andMe lied about its data protection, did not apply security in line with industry standards, and then lied about the extent and seriousness of the breach.

In a court hearing, lawyers representing 23andMe revealed that a settlement had been agreed in principle to end the litigation. The company is finalizing the specifics and expects to produce an executive term sheet over the following week, after which it will draft a complete settlement agreement covering U.S. claims relating to the 2023 ‘credential stuffing’ security incident. The settlement is for the benefit of 23andMe consumers.

Lawyers representing the plaintiffs and the class contended that under the Illinois Genetic Information Privacy Act, a number of class members were owed as much as $3 billion in damages. In its annual report, 23andMe disclosed that it has approximately $216 million in funds, so continued litigation seeking sizeable damages risked 23andMe filing for bankruptcy. The terms of the settlement have not yet been revealed; however, the settlement will probably include payment for dark web monitoring services and non-monetary relief. A court hearing is scheduled for July 30 with an update on the term sheet, and a motion for preliminary approval of the proposed settlement is expected to be filed within a few months.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
