This article has been edited to include a statement from 23andMe.
NEW YORK – 23andMe has reached an agreement in principle to settle a class action lawsuit against the firm related to a breach of customer data last year.
"We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all U.S. claims regarding the 2023 credential stuffing security incident," a 23andMe spokesperson said in a statement, adding that counsel for the plaintiffs have filed a motion for preliminary approval of the settlement agreement with the court.
Roughly $25 million of the settlement and related legal expenses are expected to be covered by cyber insurance coverage.
"We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement," the spokesperson said.
First reported by Law.com, the settlement was disclosed in a Tuesday hearing in the US District Court for the Northern District of California. Financial and other details were not disclosed.
Late last year, 23andMe disclosed the data breach, which took place in October 2023. It affected 6.9 million users, with a threat actor gaining access to 5.5 million DNA Relatives profile files and Family Tree profile information.
In Wednesday trading on the Nasdaq, shares of 23andMe were up 2 percent at $.52.
In an annual report filed Tuesday with the US Securities and Exchange Commission, the firm said that it incurred $4.6 million in expenses related to the cybersecurity incident, offset by $2.8 million in insurance recoveries, during the fiscal year ended March 31.