23andMe $30M Data Breach Settlement: How Valuable Is Genetic Data?
23andMe agreed to settle a class action lawsuit, but the related breach likely won’t be the last to impact genetic data.
In 2023, hackers targeted genetic testing company 23andMe. In the wake of the breach, the threat actors leaked stolen data, including data on users with Ashkenazi Jewish DNA and Chinese DNA, online. Now, 23andMe has agreed to pay $30 million to settle a class action lawsuit.
When the breach occurred in 2023, threat actors used credential stuffing (replaying username and password pairs leaked from other breaches) to log in to user accounts. Once the hackers gained access to approximately 14,000 user accounts, they widened their access to 5.5 million DNA Relatives profiles and 1.4 million Family Tree feature profiles, according to a 23andMe blog post.
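The pattern described above, a small number of attempts across a large number of accounts, is what distinguishes credential stuffing from ordinary password guessing against a single account, and it is what a defender's detection rule should key on. The following is an added example, not code from 23andMe or from the article: it parses a few constructed authentication log lines and flags source IPs that try many distinct usernames within a short window with only one or two attempts each, reporting which of those logins succeeded. The log format, the thresholds (window, minimum distinct users, maximum attempts per user) and all addresses and usernames are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log lines (not real data).
# Format per line: ISO timestamp, source IP, username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2023-10-01T10:00:00 203.0.113.7 alice FAIL
2023-10-01T10:00:01 203.0.113.7 bob FAIL
2023-10-01T10:00:02 203.0.113.7 carol OK
2023-10-01T10:00:03 203.0.113.7 dave FAIL
2023-10-01T10:00:04 203.0.113.7 erin FAIL
2023-10-01T10:00:05 203.0.113.7 frank OK
2023-10-01T10:01:00 198.51.100.4 alice FAIL
2023-10-01T10:01:10 198.51.100.4 alice FAIL
2023-10-01T10:01:20 198.51.100.4 alice OK
2023-10-01T10:02:00 192.0.2.9 gina OK
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def detect_credential_stuffing(events, window_seconds=300, min_users=5,
                               max_attempts_per_user=2):
    """Return {ip: summary} for source IPs whose login pattern matches credential
    stuffing: at least `min_users` distinct usernames within `window_seconds`,
    none tried more than `max_attempts_per_user` times.  A brute-force attack on
    one account (one user, many attempts) deliberately does not match.

    The summary holds the number of distinct usernames seen in the best matching
    window and the sorted list of usernames whose login succeeded in that window,
    i.e. the accounts an analyst should treat as compromised and reset."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in per_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            attempts = defaultdict(int)
            for _, user, _ in window:
                attempts[user] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_attempts_per_user:
                successes = sorted({user for _, user, ok in window if ok})
                best = findings.get(ip)
                # Keep the window with the most distinct usernames for this IP.
                if best is None or len(attempts) > best["distinct_users"]:
                    findings[ip] = {"distinct_users": len(attempts),
                                    "compromised": successes}
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed input only 203.0.113.7 is flagged (six usernames in six seconds, with carol and frank logged in successfully); 198.51.100.4 retries a single account and is a case for per-account lockout rather than this rule. In practice the same logic would run over the identity provider's login events, and the successful logins it surfaces are the accounts to force-reset and re-verify, since the credentials themselves were valid.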
What does the settlement mean for the company and its impacted users? And could threat actors become increasingly motivated to go after genetic data?
The Settlement
“Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage. We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement,” according to an emailed statement from a 23andMe spokesperson.
Without cyber insurance, the company may have faced a very different outcome. “If 23andMe did not have cyber insurance, this might be an enterprise-ending litigation,” says Kevin Szczepanski, a partner and co-chair of the data security and technology practice area at full-service law firm Barclay Damon.
More tumult for the beleaguered company followed the settlement. On Sept. 17, shortly following news of the settlement, seven members of the 23andMe board of directors resigned. They left due to CEO and co-founder Anne Wojcicki’s plans to take 23andMe private, according to The Hill. Wojcicki is the chair and sole remaining member of the board.
“I think it shows how data breaches and resulting class action litigation can inflict serious financial and reputational harm on a company, often at the worst possible time,” says Szczepanski.
Genetic Data as a Target
While 23andMe navigates the finalization of the settlement and its board drama, there are bigger questions about the risks surrounding genetic data.
Hackers have a long track record of going after health care data, which can be leveraged for identity theft and health care fraud. Threat actors can net anywhere from $10 to $1,000 per stolen and sold medical record.
“The ability to calculate [those] damages has a little more of a track record, whereas DNA theft is still such a wide open field. Even though we know it could be serious, we don't have the actual data to back it up yet,” says George Pappas, CEO of Intraprise Health, a healthcare cybersecurity company.
What could the potential damage of compromised genetic data look like? For one, genetic data is immutable. You can’t change it like you can a password. Once it is on the dark web, there is little the victim can do other than remain vigilant for signs that their data is being used maliciously.
The consequences of genetic data theft can go beyond just identity theft or fraud. “The world is a dangerous place,” Szczepanski cautions. “So, if there is data out here that can identify by name, address, location, certain categories of individuals, there's always a safety risk … whether it's electronic attacks or even physical attacks.”
Those potential ramifications appear to be reflected in the proposed 23andMe breach settlement agreement. Under the agreement, settlement members will be entitled to reimbursement for “… expenses for identity fraud, the installation of physical security or monitoring systems, and professional mental health treatment.”
Genetic data collection is likely to increase for various purposes, such as biometrics and precision medicine. “This kind of information is already and will continue to be stored inside of electronic health record systems and other kinds of ancillary systems,” Pappas points out.
As organizations amass genetic data, hackers are likely to seek more paths to monetization.
“With AI and machine learning advancing, malicious actors could use such data for even more personalized and sophisticated attacks, underscoring the critical need for robust security measures across organizations handling this kind of information,” Patrick Tiquet, vice president of security and architecture at Keeper Security, a passwords and secrets management company, tells InformationWeek in an email interview.
Potential Regulatory Gaps
As the risks around genetic data become clearer, companies are likely to face an evolving regulatory landscape and the potential for increased liability.
Right now, the Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of consumers’ health information. But HIPAA applies to health care providers, not companies like 23andMe. Many states have data privacy laws that protect personal information, and genetic information certainly qualifies. Some states even have specific genetic privacy laws; the proposed 23andMe settlement includes cash payments for class members residing in those states. But a federal law for data privacy has yet to materialize.
The proliferation of genetic data also has potential ramifications for health care coverage. What happens when genetic data shows someone is predisposed to certain costly health conditions? Laws such as the Genetic Information Nondiscrimination Act (GINA) are designed to protect people from health coverage and employment discrimination.
“But how strong is that? Has that been tested yet? Are there gaps in that law? So, we don't have enough case law to really understand what that looks like in practice,” says Pappas.
Genetic data is also a potentially valuable tool for targeted advertising by both legitimate companies and fraudulent actors. Should that personal information be fair game for companies? How can consumers be sure threat actors aren’t targeting them with malicious advertisements for fake medication for their current or future health risks?
“It's going to require some better policies and better regulations in the future,” says Pappas.
As hackers continue to find value in genetic data, they will be motivated to target 23andMe and any other company that safeguards this very personal information. It is going to be incumbent on enterprise leaders to evaluate their risks and mitigate them with appropriate measures, such as cybersecurity hygiene and cyber insurance.