Canadians affected by a 23andMe data security breach have until late June to claim their share of a $4.5-million class-action settlement.
The settlement, which has now been approved by U.S. and Canadian courts, comes after hackers improperly accessed the personal data of 6.9 million 23andMe customers, including nearly 320,000 Canadians. Compromised data from the 2023 breach at the genetic testing company included highly sensitive information about users’ health, race, ethnicity, gender, relatives and birthdays. Customer data was also posted for sale on the dark web.
The US$3.25 million settlement is equal to about C$4.5 million. Canadians impacted by the breach now have until the end of the day on June 25 to submit an online claim for compensation.
According to an earlier press release, eligible claimants could receive up to $2,500 each if they incurred and documented expenses as a result of the breach. Eligible claimants without proof of additional expenses could receive approximately $17.77.
Proceeds from the class-action settlement are available to anyone who was a 23andMe customer between May 1 and Oct. 1, 2023, who resided in Canada and was notified that their personal information was compromised.
The settlement allows 23andMe to avoid admitting guilt or liability in connection with the data breach. 23andMe previously agreed to pay US$30 million to settle a similar class-action lawsuit in the U.S.
Canadian class actions were filed in the Supreme Court of B.C. in October 2023 and September 2024. After clearing U.S. and Canadian bankruptcy courts, the US$3.25-million settlement was finalized on March 16. Legal fees of 33 per cent will be deducted from the total.
Bankruptcy and an official investigation
Founded in 2006, 23andMe’s business is based on at-home DNA test kits that use saliva samples to provide genetic insights about health risks and ancestry. The California-based company went public in 2021, but never made a profit. After 23andMe filed for bankruptcy in March 2025, it was sold to a non-profit led by 23andMe co-founder Anne Wojcicki for US$305 million.
In June, a joint investigation by privacy officials in Canada and the U.K. found that 23andMe failed to take basic steps to protect customer data, leading to a £2.3 million (C$4.2 million) fine in the U.K. Canada does not have the power to impose a similar penalty under current privacy laws.
“With data breaches growing in severity and complexity, and ransomware and malware attacks rising sharply, any organization that is not taking steps to prioritize data protection and address these threats is increasingly vulnerable,” privacy commissioner of Canada Philippe Dufresne said at the time. “Our investigation found that these types of security measures were not in place at 23andMe.”
In a previous statement to CTVNews.ca, a 23andMe spokesperson said that by the end of 2024 the company “had implemented multiple steps to increase security to protect individual accounts and information.” 23andMe’s new owner, they added, has “made several binding commitments to enhance protections for customer data and privacy,” including allowing users to delete their accounts and opt out of having their information used for research.
With files from The Canadian Press
