Victims of the massive 23andMe cybersecurity incident have limited time remaining to secure their share of a substantial settlement fund. The genetic testing company reached an agreement to pay between $30 million and $50 million to affected customers following a 2023 cyberattack that compromised personal information belonging to roughly 6.4 million Americans. With the company’s subsequent bankruptcy filing in 2025 raising additional privacy concerns, the court-approved settlement offers one of the final opportunities for impacted users to receive compensation. The deadline for submitting claims is February 17, 2026.
Settlement Payment Structure and Amounts
The compensation framework includes multiple payment categories based on the severity of impact experienced by victims. Those who suffered the most serious consequences, including identity theft or fraudulent tax return filings directly linked to the breach, may receive up to $10,000 in reimbursement for documented expenses. These extraordinary damages can cover costs for security measures, both digital and physical, as well as mental health counseling expenses.
Customers whose sensitive health data was exposed during the incident are eligible for payments reaching $165. This category encompasses genetic information, health predisposition analyses, wellness assessments, carrier status evaluations, and self-disclosed medical conditions. Residents of Alaska, California, Illinois, and Oregon qualify for an additional $100 payment due to enhanced state privacy protections. Recipients should expect delays in payment distribution as the settlement process unfolds.
Beyond monetary compensation, all eligible class members will receive five years of specialized identity protection services through the Privacy & Medical Shield + Genetic Monitoring program, regardless of their individual payout amount.
Filing Requirements and Process
To qualify for compensation, individuals must have maintained active 23andMe accounts between May 1, 2023, and October 1, 2023, and received official notification of the data compromise. Claimants must also demonstrate they suffered actual harm, whether financial or otherwise, as a direct result of the security incident.
The claims process can be completed through the official settlement website’s online portal, or by submitting physical documentation via mail with a postmark no later than February 17. Successful claims require personal identification information and detailed evidence of damages, including financial statements or other supporting materials that verify losses attributed to the breach.
Photo by Frankie Lopez on Unsplash
