Pop Pulse News

23andMe Agrees To $30 Million Settlement For Last Year's Data Breach

By Feature Launches


Affected users can claim up to $10,000 if the breach at 23andMe led to financial fraud or to out-of-pocket costs for security or mental health services.

23andMe has agreed to pay $30 million to settle lawsuits over a company data breach that ensnared 6.4 million users last year.

On Friday, the DNA testing company filed a court document, supporting the settlement, according to Reuters, which was first to report the news.

The company called the settlement "fair, adequate, and reasonable" and told PCMag it's intended to resolve all US claims concerning last year's breach, in which an attacker obtained customer data from 23andMe. The attacker first gained access to roughly 14,000 individual accounts, then used the service's optional "DNA Relatives" feature, which shows a logged-in user profile details of their genetic matches, to pull the profiles of millions of other users who had never been directly compromised.

The breach became evident after the hacker tried to sell the stolen DNA-related information in a forum at $100,000 per 100,000 user profiles. The incident prompted some victims to hire lawyers and file class action lawsuits, alleging that 23andMe had failed to protect their data.

But the $30 million settlement will not result in a payment to every affected victim, according to court documents. The settlement, which still needs final court approval, proposes paying up to $10,000 from the fund to users who file an "extraordinary claim," meaning they can demonstrate that the breach caused them to suffer financial fraud. Victims can also file an extraordinary claim if the breach led to "unreimbursed costs" from purchasing physical security monitoring systems or paying for mental health counseling.

A total cap on the extraordinary claims has been set at $5 million. Meanwhile, at least 25% of the $30 million will go toward paying attorney fees.

Other users are entitled only to a $100 payment. This includes 23andMe customers based in Alaska, California, Illinois or Oregon, states that have "genetic privacy laws with statutory damages provisions." A separate, smaller group of users whose health information was exposed in the breach can also receive a $100 payment.

Outside of the settlement funds, 23andMe has also agreed to pay for identity monitoring services for three years to all affected users. The so-called "Privacy & Medical Shield + Genetic Monitoring" is a customized program that'll offer a wide variety of cybersecurity products, including a password manager, anti-phishing protection and medical record monitoring, according to a court document.

The settlement also requires 23andMe to strengthen its security, including mandating multi-factor authentication and conducting additional cybersecurity audits. In a statement, 23andMe said it expects $25 million of the settlement to be covered by its cyber insurance. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement," the company added.

However, some users could decline the settlement to pursue their own legal action against the DNA testing provider. In a court document, 23andMe noted that it "faces parallel litigation in state court and private arbitration forums on behalf of tens of thousands of Settlement Class Members." If the settlement receives final approval, then the court will appoint a company to notify all affected users through email and postal mail.

