OKLAHOMA CITY (July 16, 2026) – Attorney General Gentner Drummond announced today that Oklahoma will receive $276,435 as part of a multistate settlement over 23andMe's 2023 data breach. The breach exposed the genetic and personal data of more than 78,000 Oklahomans.
The settlement, negotiated with the bankruptcy trustee overseeing 23andMe's Chapter 11 case, resolves claims that the company failed to protect customers' sensitive genetic information. Drummond joined a coalition of 42 attorneys general in the agreement, which allows $150 million in total claims but limits actual payouts to $18 million because of the limited funds available in 23andMe's bankruptcy estate.
“When Oklahomans signed up for 23andMe and shared their DNA, they trusted the company to protect some of the most personal information a person can share. Instead, that trust was betrayed,” Drummond said. “This settlement won't undo the damage, but it holds 23andMe accountable and puts guardrails in place to prevent this from happening again.”
In October 2023, the genetic testing company announced that it had discovered a data breach affecting 6.9 million customers. This data breach exposed a wide range of data about 23andMe customers, including in some cases genetic ancestry information, and subsets of this data were subsequently published for sale on the dark web.
23andMe learned about the breach months after impacted personal information was publicly available. At first, the company denied a breach and then, once it confirmed the breach, blamed consumers for how their accounts were set up or how passwords were used.
A multistate investigation led by state attorneys general found 23andMe had failed to take basic security precautions, including checking passwords against lists of known stolen passwords, requiring extra login verification, monitoring for suspicious login activity, and fixing known security weaknesses even after they were identified.
23andMe filed for bankruptcy in March 2025, and as part of that process, the company's assets, including its customer data, were sold to a new nonprofit, TTAM Research Institute, founded by 23andMe's former CEO, Anne Wojcicki. That nonprofit has since reregistered as 23andMe Research Institute and agreed to stronger data security and privacy protections going forward, including allowing customers to delete their data and creating an outside advisory board to oversee security practices.
Separately, 23andMe has also agreed to pay $46.75 million to settle a related class-action lawsuit for consumers who filed claims by February 17, 2026.