So, what about healthcare? Back to paper records? Because it's not acceptable to me that everyone in the world will eventually see my private medical records.
You should also assume your MegaCorp, if you work for one, has also already seen them (in many cases they can buy them from various data brokers or even off the grey market).
I'm not saying this is the way things should be, just things as I know them to be.
What remedial steps would you support, out of interest?
For example, if someone could have their current life become, essentially "redacted", and receive an entirely new one with fairly low barrier of entry, would that be something you would support?
I do agree that once it's out, it's out and you can't really "go back" or have any expectation that what you put out there will somehow magically be "safe", but I think there ought to be a means to hard reset; a burn everything to the ground, and start from square one option.
To head off the inevitable questions of some variation of, "...but what about abuse?" from the croud, I would generally ask:
Abuse to whom? The person who's entire existence is irrevocably captured, documented, data mined, and optimized for malicous intent? Or the random mouth breath8ng schlub who abuses the opportunity to do something nefarious before getting caught and going to prison?
It's not clear to me that I should care if my data was in the breach. For my data to have been in the breach the following must have happened.
1. I opted in to sharing my information with everyone that 23andMe identified as relatives. "Relatives" in this context means genetic 4th cousins or closer. For me that turned out to be 1500 people, all of whom are as far as I know complete strangers to me (I'm adopted).
2. One or more of those 1500 people used the same password on 23andMe that they used on some other site that suffered a breach that gave up plaintext passwords.
3. That password was included in a credential stuffing attack that let someone get into their 23andMe account, where that intruder downloaded the account owner's relatives list which included my information.
When I chose to share my data with 1500 strangers I was pretty much conceding that I didn't really care who got it.
Yeah, I agree this is pretty overblown. On GEDmatch, you basically give everyone the information in your SNP reads - you can compare arbitrary people there, not just yourself to "close" relatives. The only condition is that you give others the same access as you want for yourself. It's very useful for genetic genealogy.
Technically, you could probably get access to and scrape all that data by uploading fake data, or someone else's. It will do very little useful unless you're into genealogy.
I may actually try my hand in conciliation court against them on this one. I received a test kits back around 2015 from a family member, but was disgusted at the idea that there was no possible way they 1) wouldn't go under and sell my data 2) be breached. I feel like these sort of outcomes for these types of services are very obvious as highly likely to anyone who works in proximity to tech, and especially startups.
Anyway, I never submitted the test. But I know for a fact that family has. It's really annoying to that others can make these sort of linked decisions for you - especially as we are now acutely aware that this type of data can, will and I'm sure is being used in ways that basically nobody would consent to.
There was no SQL injection. The attack was basically the same as if someone stole the password to a friend's Facebook account, and proceeded to scrape the posts everyone else had made visible to that friend.
Some would say SNP data is more valuable than your posting history. I'm not so sure, since after all 23andMe went bankrupt trying to monetize their data and reddit didn't. It seems possible to me that a post where you say you do X is more useful to advertisers and political propagandists/spies, than a SNP which suggests you're 20% more likely to do X.
I am reading more on the vector of attack used on 23andme and it seems they used credentials from other data breaches. This never would have happend with MFA, even SMS confirmation would've been enough.
It's insane that a company that literally stores DNA data didn't have the most basic defenses against data breaches that would take an intern 15 minutes to read about.
> Up to $10,000 for Extraordinary Claims;
> Up to $165 for Health Information Claims;
> An estimated $100 for Statutory Cash Claims; and
> 5 years of Privacy & Medical Shield + Genetic Monitoring
None of these make the victims whole. The typical customer would rather pay $1000 to not have their private medical records stolen. Giving them just $165 or a few years of monitoring is insulting. What does that monitoring even achieve?
There is no way to make victims whole for this negligence; what is on offer is arguably the best that can done for a failure to properly implement customer identity and access management systems and processes for personal genomic user data.
(disclosure: I am a member of the class, as is most of my family, no other affiliation)
This kind of fatalism is the antithesis of proper legal thought and practice as it pertains to real harm.
Precedent is everything, the members of the class who drag down expectations for the rest of us are actively committing harm by denying a resolution to our collective claims. Solidarity is the sole responsibility of a class of people.
> I will eat crow if it comes to light that this was entirely unavoidable on 23andme's part. (me)
> You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.
This class action and the £2.3M extracted by a UK regulator sure feels like legal culpability. There must be consequences, otherwise nothing will change. I accept some action vs no action, when perfect is out of reach. We are building systems, requiring constant tuning and improvement.
Closing the loop on this provides an immutable case study on this topic.
(i manage and am responsible for systems that protect enterprise and customer data for millions of customers at a fintech, I take this work seriously, because someone should; if you want better behavior, we need better legal tools to go after corporations for these failures, intentional or not)
Everyone who served on the board or worked for the company should be held liable, personally and in a piercing of the corporate veil.
Individuals had responsibility when they made these decisions. It is on the courts to make the victims whole, despite the shenanigans around corporate liability limits.
EDIT: I legitimately think that if we _don't_ hold individuals accountable for these sorts of data breaches of the most sensitive data imaginable then there is no sense to legal systems.
EDIT2: Assuming Gemini has any semblance of accurate information, here are some individuals to consider beginning with:
- Anne Wojcicki (Co-Founder, Chair of the Board)
Estimated Net Worth: $150 Million - $270 Million (Note: Her net worth peaked significantly higher when 23andMe's valuation was high, but has been adjusted downward following the company's financial struggles and bankruptcy filing).
Other Known Affiliations: Co-founder and board member of the Breakthrough Prize Foundation. Former wife of Google co-founder Sergey Brin.
- Andre Fernandez (Independent Director)
Estimated Net Worth: At least $1 Million (based on reported stock holdings as of late 2025).
Other Known Affiliations: Former CFO of WeWork Inc. and NCR Voyix Corp. Serves on the board of Cardlytics.
- Jim Frankola (Independent Director)
Estimated Net Worth: At least $18 Million (based on reported stock holdings in late 2025).
Other Known Affiliations: Former CFO of Cloudera Inc. and Ariba. Serves as a Director and Audit Committee Chair for Ansys, Inc.
- Mark Jensen (Independent Director, Lead Independent Director)
Estimated Net Worth: At least $12.7 Million - $19.1 Million (Note: Public records show different individuals with similar names and varying net worths; this estimate is based on the director with experience as CFO of RedLeaf, Lattice Semiconductor, and ForeScout, who served as a Director for Lattice Semiconductor Corp and holds a significant position at American Resources Corp).
Other Known Affiliations: Previous Audit Committee Chair for companies like Lattice Semiconductor and ForeScout.
- Neal Mohan (Past Independent Director)
Estimated Net Worth: Not widely disclosed, but as CEO of a major tech platform, his compensation is substantial.
Other Known Affiliations: Chief Executive Officer (CEO) of YouTube.
- Roelof Botha (Past Independent Director)
Estimated Net Worth: $1.5 Billion - $2 Billion (primarily due to his role as a successful venture capitalist).
Other Known Affiliations: Partner at venture capital firm Sequoia Capital.
- Patrick Chung (Past Independent Director)
Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.
Other Known Affiliations: Co-founder and Managing Partner at Xfund.
- Peter J. Taylor (Past Independent Director)
Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.
Other Known Affiliations: President of Greatland Investment Group; former CFO and Executive Vice President of PG&E Corporation.
- Richard Scheller, Ph. D. (Past Independent Director)
Estimated Net Worth: Not widely disclosed; compensation for his director role was reported in 2024.
Other Known Affiliations: Former Chief Science Officer and Head of Research and Early Development at Genentech.
Estimated Net Worth: Not widely disclosed; compensation for her director role was reported in 2024.
Other Known Affiliations: CEO of the California Health Care Foundation.
Estimated Net Worth: Not widely disclosed; compensation for her director role was reported in 2024.
Other Known Affiliations: President and CEO of the Morehouse School of Medicine.
William Roper: “So, now you give the Devil the benefit of law!”
Sir Thomas More: “Yes! What would you do? Cut a great road through the law to get after the Devil?”
William Roper: “Yes, I'd cut down every law in England to do that!”
Sir Thomas More: “Oh? And when the last law was down, and the Devil turned 'round on you, where would you hide, Roper, the laws all being flat? This country is planted thick with laws, from coast to coast, Man's laws, not God's! And if you cut them down, and you're just the man to do it, do you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake!”
― Robert Bolt, A Man for All Seasons: A Play in Two Acts
This is true of all class actions. But it’s not helpful that the only recourse for victims is to lose enormous amounts of money and time to get justice. This is a loophole that must be fixed.
If you type something into the computer you should assume everyone in the world will eventually be able to see it.
If you send your DNA to a company in the mail you should assume everyone in the world will eventually be able to see it.
So, what about healthcare? Back to paper records? Because it's not acceptable to me that everyone in the world will eventually see my private medical records.
It's probably too late for that to be honest.
You should also assume your MegaCorp, if you work for one, has also already seen them (in many cases they can buy them from various data brokers or even off the grey market).
I'm not saying this is the way things should be, just things as I know them to be.
What remedial steps would you support, out of interest?
For example, if someone could have their current life become, essentially "redacted", and receive an entirely new one with fairly low barrier of entry, would that be something you would support?
I do agree that once it's out, it's out and you can't really "go back" or have any expectation that what you put out there will somehow magically be "safe", but I think there ought to be a means to hard reset; a burn everything to the ground, and start from square one option.
To head off the inevitable questions of some variation of, "...but what about abuse?" from the croud, I would generally ask:
Abuse to whom? The person who's entire existence is irrevocably captured, documented, data mined, and optimized for malicous intent? Or the random mouth breath8ng schlub who abuses the opportunity to do something nefarious before getting caught and going to prison?
It's not clear to me that I should care if my data was in the breach. For my data to have been in the breach the following must have happened.
1. I opted in to sharing my information with everyone that 23andMe identified as relatives. "Relatives" in this context means genetic 4th cousins or closer. For me that turned out to be 1500 people, all of whom are as far as I know complete strangers to me (I'm adopted).
2. One or more of those 1500 people used the same password on 23andMe that they used on some other site that suffered a breach that gave up plaintext passwords.
3. That password was included in a credential stuffing attack that let someone get into their 23andMe account, where that intruder downloaded the account owner's relatives list which included my information.
When I chose to share my data with 1500 strangers I was pretty much conceding that I didn't really care who got it.
Yeah, I agree this is pretty overblown. On GEDmatch, you basically give everyone the information in your SNP reads - you can compare arbitrary people there, not just yourself to "close" relatives. The only condition is that you give others the same access as you want for yourself. It's very useful for genetic genealogy.
Technically, you could probably get access to and scrape all that data by uploading fake data, or someone else's. It will do very little useful unless you're into genealogy.
Well of course someone dismissing this would be the top comment here
I've had 23andme since ~2012. Haven't received a single email from/about 23andmedatasettlement.com
It would have been from 23andmebankruptcynoticing@noticing.ra.kroll.com
Ah, certainly not a spam email.
Indeed, y0u may be entit1ed to compensation.
Related:
DNA testing firm 23andMe fined £2.3m by UK regulator for 2023 data hack - https://news.ycombinator.com/item?id=44300220 - June 2025 (1 comment)
23andMe tells victims it's their fault that their data was breached - https://news.ycombinator.com/item?id=38856412 - January 2024 (368 comments)
Can I file a claim if I'm related to folks who shared their (and by extension, my) DNA with this company?
This will basically be everyone in the world. Could be the largest class action ever?
Oprah spruiked 23andMe.
Can people sue Oprah?
Since when is spruiking a liability?
Spruik
Promote or publicise.
A new word to me, and not one I’ll use.
It seems like a word that's read and not spoken.
You can be held liable if fraud was committed and you were aware of it.
I may actually try my hand in conciliation court against them on this one. I received a test kits back around 2015 from a family member, but was disgusted at the idea that there was no possible way they 1) wouldn't go under and sell my data 2) be breached. I feel like these sort of outcomes for these types of services are very obvious as highly likely to anyone who works in proximity to tech, and especially startups.
Anyway, I never submitted the test. But I know for a fact that family has. It's really annoying to that others can make these sort of linked decisions for you - especially as we are now acutely aware that this type of data can, will and I'm sure is being used in ways that basically nobody would consent to.
What if you're Canadian?
I want to know this too.
2 measly SQL injections and down goes 23andMe.
There was no SQL injection. The attack was basically the same as if someone stole the password to a friend's Facebook account, and proceeded to scrape the posts everyone else had made visible to that friend.
Some would say SNP data is more valuable than your posting history. I'm not so sure, since after all 23andMe went bankrupt trying to monetize their data and reddit didn't. It seems possible to me that a post where you say you do X is more useful to advertisers and political propagandists/spies, than a SNP which suggests you're 20% more likely to do X.
I am reading more on the vector of attack used on 23andme and it seems they used credentials from other data breaches. This never would have happend with MFA, even SMS confirmation would've been enough.
It's insane that a company that literally stores DNA data didn't have the most basic defenses against data breaches that would take an intern 15 minutes to read about.
Give each victim 100 shares of company stock. You lose your company to the people that you hurt. Seems fair.
That's just bankruptcy with extra steps. You're giving an asset which has no value immediately after the action.
*lose
Thank you ;)
> Up to $10,000 for Extraordinary Claims; > Up to $165 for Health Information Claims; > An estimated $100 for Statutory Cash Claims; and > 5 years of Privacy & Medical Shield + Genetic Monitoring
None of these make the victims whole. The typical customer would rather pay $1000 to not have their private medical records stolen. Giving them just $165 or a few years of monitoring is insulting. What does that monitoring even achieve?
There is no way to make victims whole for this negligence; what is on offer is arguably the best that can done for a failure to properly implement customer identity and access management systems and processes for personal genomic user data.
(disclosure: I am a member of the class, as is most of my family, no other affiliation)
This kind of fatalism is the antithesis of proper legal thought and practice as it pertains to real harm.
Precedent is everything, the members of the class who drag down expectations for the rest of us are actively committing harm by denying a resolution to our collective claims. Solidarity is the sole responsibility of a class of people.
I will allow my past comments to speak for themselves a bit.
https://news.ycombinator.com/item?id=38857170
https://news.ycombinator.com/item?id=38857228
https://news.ycombinator.com/item?id=38857476
> I will eat crow if it comes to light that this was entirely unavoidable on 23andme's part. (me)
> You won’t have to. They could have forced MFA and been done with it. That doesn’t make it their fault that they didn’t. It just means they could have done better and assumed that at least some users (read: most) are ignorant about best practices with sensitive data. It’s not something they would be legally culpable for, though.
This class action and the £2.3M extracted by a UK regulator sure feels like legal culpability. There must be consequences, otherwise nothing will change. I accept some action vs no action, when perfect is out of reach. We are building systems, requiring constant tuning and improvement.
Closing the loop on this provides an immutable case study on this topic.
(i manage and am responsible for systems that protect enterprise and customer data for millions of customers at a fintech, I take this work seriously, because someone should; if you want better behavior, we need better legal tools to go after corporations for these failures, intentional or not)
That might matter if 23andMe still had deep pockets, rather than being a bankrupt shell.
Everyone who served on the board or worked for the company should be held liable, personally and in a piercing of the corporate veil.
Individuals had responsibility when they made these decisions. It is on the courts to make the victims whole, despite the shenanigans around corporate liability limits.
EDIT: I legitimately think that if we _don't_ hold individuals accountable for these sorts of data breaches of the most sensitive data imaginable then there is no sense to legal systems.
EDIT2: Assuming Gemini has any semblance of accurate information, here are some individuals to consider beginning with:
- Anne Wojcicki (Co-Founder, Chair of the Board)
- Andre Fernandez (Independent Director) - Jim Frankola (Independent Director) - Mark Jensen (Independent Director, Lead Independent Director) - Neal Mohan (Past Independent Director) - Roelof Botha (Past Independent Director) - Patrick Chung (Past Independent Director) - Peter J. Taylor (Past Independent Director) - Richard Scheller, Ph. D. (Past Independent Director) - Sandra Hernández, M.D. (Past Independent Director) - Valerie Montgomery Rice, M.D. (Past Independent Director)You are free to opt out of the settlement and pursue your own claim.
This is true of all class actions. But it’s not helpful that the only recourse for victims is to lose enormous amounts of money and time to get justice. This is a loophole that must be fixed.