Attorney General Ken Paxton has reached a settlement of bankruptcy claims with genetic testing company 23andMe over a 2023 data breach that compromised the genetic data of customers.
In 2025, 23andMe, a California-based DNA testing company, filed for bankruptcy following a multi-state investigation over a data breach that occurred in 2023. The breach exposed data, which in some instances included genetic ancestry information, of 6.9 million of its customers.
Portions of this personal data were later listed for sale on the dark web. The company did not learn about the breach until months after the personal information became publicly available.
According to Paxton’s office, the company denied that a breach had ever occurred but, after confirming one had, 23andMe blamed customers, faulting how “their accounts were configured and how passwords were used.”
In the aftermath of the breach, Paxton joined multiple other states to investigate the company, finding that it “engaged in unreasonable data security practices and failed to implement adequate safeguards against hacking.”
“The 23andMe data breach was a serious failure to protect consumers’ privacy that exposed the genetic information of millions of people,” said Paxton. “Companies that collect and profit from Texans’ most personal information have a legal duty to protect it.”
“This settlement sends a clear message that companies cannot cut corners on data security. It helps ensure stronger protections for consumers’ genetic information moving forward.”
After filing for Chapter 11 bankruptcy earlier this year, 23andMe sought to include in the sale of its holdings the genetic, health, and other personal information of its customers, including Texans.
Paxton joined 26 other states and the District of Columbia in a lawsuit arguing that the company had “‘no right to sell their customers’ genetic identities to the highest bidder’ unless the company ‘first obtain[s] express informed consent to the proposed transaction/transfer by each consumer impacted.’”
The settlement reached by Paxton “incorporates many of the privacy and cybersecurity protections that likely would have been required through a traditional enforcement action,” which includes enhanced data security standards, comprehensive risk assessments, the creation of an independent advisory board, and the enforcement of compliance with state data privacy laws.
These protections are intended to help ensure that TTAM Research Institute, which purchased 23andMe, will “serve as a better steward of customer data.”
Texas will receive more than $1.2 million from 23andMe as part of the settlement. The company has also agreed to a class action settlement of more than $46 million for relief to consumers who submitted claims by February 17, 2026.