After a data breach affected about half of its customers, family-owned 23andMe agreed to a $30 million settlement — and users may be eligible to receive payment in the future.

23andMe is a DNA testing company that provides users with ancestry, genetics, and health information. Users can also connect with potential family members through DNA matches on the site after receiving their test results.

The data of 6.9 million users was compromised in the attack and the stolen data was sold, including a dataset of people of Chinese and Ashkenazi Jewish descent that appeared to have been specifically targeted . reported the HIPAA Journal.

“Under the terms of the settlement, individuals whose data was compromised are entitled to receive a share of the settlement fund after deducting court costs and attorney’s fees,” the Journal said.

A class action lawsuit was filed against 23andMe in January after the 2023 data breach, accusing the company of failing to adequately protect user data, failing to notify affected parties in a timely manner and other complaints , USA Today reported.

“We believe that bad actors were able to access some accounts in cases where users recycled their login credentials, i.e. usernames and passwords used on 23andMe.com were the same as those used on other previously hacked websites,” 23andMe wrote. on its website at the time, USA Today said.

The data breach involved unauthorized access to user accounts via credential stuffing, rather than a cyberattack on the 23andMe platform, according to the HIPAA Journal.

According to USA Today, about 5.5 million of the 6.9 million affected were users who opted into 23andMe’s “Related” feature, which connects people to those with similar DNA, and an additional 1.4 million gained access. information from their family tree.

The data accessed contained personal and family information, USA Today said, including:

• Display name
• How long ago they logged into their account
• Their relationship labels
• Their Predicted Relationship and Percentage of DNA Shared with Their Parents DNA Matches
• Their ancestry reports and their matching DNA segments, specifically where on their chromosomes they and their relatives had matching DNA
• Self-reported location (city/zip code)
• Birthplaces of ancestors and family names
• Profile photo, year of birth

The company admitted to no wrongdoing in connection with the deal to pay $30 million to the parties involved.

“We have signed a settlement agreement for a global cash payment of $30 million to settle all U.S. claims relating to the 2023 credential stuffing security incident,” 23andMe told USA Today in a statement.

Under the proposed settlement, which still requires prior court approval, the company will provide up to $10,000 to eligible customers, as well as various security services, CNET reported.

Under the terms of the settlement, the HIPAA Journal said class members can submit claims for the following:

• An extraordinary claim of up to $10,000 to recover unreimbursed costs and expenses related to the security incident. Costs may include losses due to identity theft, falsified tax returns, physical security costs or a surveillance system purchased in response to the security incident, as well as unreimbursed costs associated with counseling or professional mental health treatment following the security incident. A cap of $5 million has been set for these claims.
• If you reside in Alaska, California, Illinois, or Oregon at the time of the breach, submit a $100 legal cash claim in accordance with the genetic privacy laws of those states.
• If health information was compromised, submit a claim for a $100 cash payment.
• All course members can enroll in the Privacy & Medical Shield + Genetic Monitoring program, which includes a password manager, medical records monitoring, and anti-phishing protection.

There is no way to seek payment at this time under the proposed settlement, CNET said.