23andMe's $3.25M Payout: A Reckoning for Genetic Data Privacy in Canada
- $3.25M Settlement: 23andMe agrees to a US$3.25 million payout for a 2023 data breach affecting 6.9 million people globally, including 320,000 Canadians.
- 6.9 Million Affected: The breach exposed highly sensitive genetic data, including ethnicity estimates and health predisposition reports.
- $2,500 Max Claim: Eligible Canadians can seek up to C$2,500 for documented out-of-pocket losses.
Experts emphasize the need for stronger cybersecurity measures and modernized privacy laws in Canada, highlighting the inadequacy of current safeguards and the potential for targeted misuse of genetic data.
TORONTO, ON – March 27, 2026 – A US$3.25 million settlement has been finalized in the Canadian class action lawsuit against personal genomics giant 23andMe, now operating under the parent company Chrome Holding Co., following a massive 2023 data breach that exposed the highly sensitive genetic information of millions. The claims process is now open for Canadian customers whose data was compromised, marking a critical chapter in a saga that has crossed international borders, passed through bankruptcy courts, and raised profound questions about the security of our most personal data.
The settlement, which received final approval from both the Supreme Court of British Columbia and a U.S. Bankruptcy Court, provides a path to compensation for Canadians affected by the incident. However, the case's complex journey and the nature of the stolen data have cast a long shadow over the entire direct-to-consumer genetics industry.
A Breach Beyond Passwords
The incident, which 23andMe first disclosed in October 2023, was not a typical hack. Rather than breaching the company's core servers, cybercriminals employed a "credential stuffing" technique: they took massive lists of usernames and passwords stolen in other, unrelated data breaches and systematically tested them against 23andMe's login, gaining access to accounts whose owners had reused the same credentials.
While this method directly compromised approximately 14,000 accounts, the true scale of the breach was magnified enormously by one of 23andMe's core features: "DNA Relatives." This tool, designed to connect users with genetic relatives, allowed attackers to pivot from a single compromised account to scrape the data of millions of other connected users. Ultimately, the personal information of approximately 6.9 million people globally, including nearly 320,000 Canadians, was exposed.
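The two stages described above, a credential-stuffing run against the login endpoint and a single compromised account scraping a relative-matching feature, each leave a distinctive trace in server logs. The following is an added defender-side example, written for this article and not code from 23andMe, the regulators, or the court filings. It runs two simple detectors over constructed sample log lines; the log format, the field names, the thresholds, and the sample IPs and accounts are all assumptions chosen for illustration.

```python
"""
Added example (not 23andMe's code): two log-based detectors for the attack
pattern described in the article.

  1. Credential stuffing: one source IP cycling through many distinct
     usernames with a low success rate.
  2. Relative scraping: one account viewing far more relative profiles
     than a person browsing by hand would.

Log formats and thresholds below are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed authentication log: timestamp, source IP, username, outcome.
AUTH_LOG = """\
2023-10-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.5 carol@example.com OK
2023-10-01T10:00:03Z 203.0.113.5 dave@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.5 erin@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.5 frank@example.com FAIL
2023-10-01T10:01:00Z 198.51.100.7 grace@example.com FAIL
2023-10-01T10:01:30Z 198.51.100.7 grace@example.com OK
"""

# Constructed "relatives viewed" log: timestamp, account, viewed profile id.
# One account views 60 distinct profiles in one minute; another views two.
RELATIVES_LOG = "\n".join(
    [f"2023-10-01T11:00:{i % 60:02d}Z carol@example.com rel-{i:04d}" for i in range(60)]
    + ["2023-10-01T12:00:00Z grace@example.com rel-0001",
       "2023-10-01T12:05:00Z grace@example.com rel-0002"]
)


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # every username tried
    successes: set = field(default_factory=set)   # usernames that logged in


def parse_auth_log(text):
    """Aggregate login attempts per source IP."""
    stats = defaultdict(IpStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if outcome == "OK":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_credential_stuffing(stats, min_users=5, min_fail_ratio=0.6):
    """Return IPs that tried many distinct usernames and mostly failed.

    A legitimate user who mistypes a password fails repeatedly on ONE
    username; a stuffing run fails across MANY usernames, because most
    leaked credentials were never reused on this site.
    """
    flagged = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s.users), "fail_ratio": round(ratio, 2)}
    return flagged


def successful_logins_from(stats, flagged_ips):
    """Accounts that logged in successfully from a flagged IP.

    These are the 'hits' of the stuffing run: the accounts to lock,
    force a password reset on, and enrol in multi-factor authentication.
    """
    return {u for ip in flagged_ips for u in stats[ip].successes}


def flag_relative_scraping(text, max_profiles=50):
    """Return accounts that viewed more distinct relative profiles than
    the threshold, i.e. the pivot stage where one compromised login is
    used to harvest the data of everyone it matches with."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, account, profile = line.split()
        seen[account].add(profile)
    return {a: len(p) for a, p in seen.items() if len(p) > max_profiles}


if __name__ == "__main__":
    stats = parse_auth_log(AUTH_LOG)
    stuffing = flag_credential_stuffing(stats)
    print("stuffing sources:", stuffing)
    print("accounts hit:", successful_logins_from(stats, stuffing))
    print("scraping accounts:", flag_relative_scraping(RELATIVES_LOG))
```

The first detector keys on the ratio of distinct usernames to successes per source, which is the signature credential stuffing cannot avoid: most leaked passwords simply do not work on the target site. The second detector needs no knowledge of the login at all; a per-account ceiling on relative-profile views (or on the rate of API calls behind the feature) would have bounded how far one stolen password could reach, regardless of how the account was taken over.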
What set this breach apart was the unprecedented sensitivity of the compromised data. It included not just names and birth years, but immutable genetic information such as ethnicity estimates, ancestry details, and for some, health predisposition reports. Most alarmingly, the hacker, known online as "Golem," specifically curated and advertised lists of users with Ashkenazi Jewish and Chinese ancestry, raising fears of targeted ethnic and geopolitical misuse.
The company's initial response drew sharp criticism when it appeared to place blame on users for poor password hygiene. A joint investigation by the privacy commissioners of Canada and the United Kingdom later concluded that 23andMe had failed to implement adequate security measures, such as mandatory multi-factor authentication, which could have prevented the attack. The regulators found the company's safeguards were insufficient and its response to the breach was inadequate.
A Tangled Web of Litigation and Insolvency
The legal aftermath of the breach was as complex as the attack itself. Class action lawsuits were filed in both Canada and the United States. The Canadian action, filed in British Columbia, named 23andMe, its former directors, and its auditor, KPMG LLP, as defendants.
The proceedings took a dramatic turn in March 2025 when 23andMe's parent company filed for Chapter 11 bankruptcy in the United States, citing the financial strain from the data breach and weakening demand for its products. This move shifted the legal battleground, intertwining the Canadian class action with U.S. insolvency law. The US$3.25 million settlement was ultimately negotiated and approved within this bankruptcy framework, a process legal experts note is a significant precedent. It is believed to be the first time a Canadian class action has been certified and settled within a U.S. Chapter 11 proceeding.
This cross-border legal maneuvering culminated in a series of approvals, first from the U.S. Bankruptcy Court for the Eastern District of Missouri and subsequently recognized by the Supreme Court of British Columbia under the Companies' Creditors Arrangement Act. Following the bankruptcy, 23andMe's assets were acquired by TTAM Research Institute, a non-profit led by co-founder Anne Wojcicki, allowing the genomics company to continue operations under a restructured entity.
The Price of Privacy and the Limits of Law
While the settlement provides a measure of accountability, questions remain about its adequacy. The US$3.25 million fund must cover all legal fees, administrative costs, and taxes before being distributed among potentially hundreds of thousands of claimants. Eligible class members can submit a claim for a base payment or seek up to C$2,500 for documented out-of-pocket losses. In contrast, a similar U.S. class action resulted in a US$30 million settlement, and the UK's Information Commissioner's Office (ICO) levied a fine of £2.31 million (approx. C$4.2 million) for the company's security failures.
Canada's privacy laws, however, do not currently grant the federal Privacy Commissioner the authority to issue such fines. Privacy Commissioner Philippe Dufresne has used the 23andMe case to amplify calls for legislative reform, arguing that Canada needs modernized privacy laws with stronger enforcement powers to protect its citizens and align with international standards. The joint investigation's findings serve as a stark warning to all organizations handling sensitive data about the necessity of proactive and robust cybersecurity, rather than reactive measures after a breach occurs.
The inclusion of auditor KPMG LLP in the lawsuit also signals a potential shift in corporate accountability, suggesting that auditors may face greater scrutiny over their role in assessing a company's cybersecurity posture.
For affected Canadians, the path to compensation is now clear. Canadian residents who were 23andMe customers between May 1, 2023, and October 1, 2023, and received a breach notification are eligible to file a claim. The deadline for submission is 11:59 pm Pacific Time on June 25, 2026. All inquiries regarding the claims process are being directed to the court-appointed administrator, Concilia Services Inc., and detailed information is available on the official settlement website.