
When 23andMe burst into the mainstream, it sold millions of people on a simple promise: send us your DNA, and we’ll send you your origins, your health insights, and maybe even a long-lost relative. What the company didn’t emphasize nearly enough was the enormous responsibility that comes with holding such sensitive data, a responsibility it ultimately failed to uphold.
The newly announced settlement in the Canadian class action lawsuit is yet another reminder of just how serious that failure was.
In 2023, a massive breach exposed the genetic information of almost seven million users worldwide, including nearly 320,000 Canadians. This wasn’t a trivial leak of usernames or passwords. This was genetic data: information you can’t change, can’t reset, and can’t ever truly take back once it’s exposed. The kind of information hackers can exploit in ways we’re only beginning to understand.
Now, after two Canadian class actions and the company’s bankruptcy filing in the U.S., 23andMe has agreed to a proposed settlement worth $4.49 million for affected Canadian customers. On paper, that sounds like accountability. In reality, it feels more like a bandage on a wound that shouldn’t have existed in the first place.
Yes, customers may eventually qualify for up to $2,500 in documented out-of-pocket reimbursements. But court approvals won’t be completed until 2026, and claimants have been told their next step is simply to “do nothing” and wait. Meanwhile, those who plan to sue independently must opt out by January 2, 2026. The process is moving at a legal pace: slow, technical, and frustrating, while the consequences of the breach remain very real and immediate for those affected.
What makes this breach particularly troubling is what came out of the Canadian and U.K. privacy investigation: 23andMe had “inadequate” security and was “slow to respond” to clear warning signs. Regulators described the breach as “profoundly damaging,” and rightly so. Genetic data is among the most sensitive categories of personal information, far more revealing than a credit card number or email address.
For a company built entirely around genetic insight, failing at genetic security is an unforgivable contradiction.
The 23andMe breach should now stand as a warning for every company operating in the consumer DNA space. Collecting millions of people’s biological blueprints isn’t an exciting tech opportunity; it’s a serious ethical obligation. If a company can’t protect that data, it has no business collecting it in the first place.
This settlement may close a chapter for 23andMe, but it should open a larger discussion for the public: How much are we willing to trust private companies with information that defines us at our most fundamental level?
The cautionary tale is clear. Whether the industry chooses to learn from it is another matter entirely.



