Aetna Life Insurance L-ADR Surgery Denial Settlement
Patients whom Aetna denied coverage for single-level lumbar artificial disc replacement (L-ADR) may be eligible to claim a payment from a $2.56M class action settlement
$25,000
estimated
May 28, 2026 Contact: (916) 210-6000, agpressoffice@doj.ca.gov OAKLAND — California Attorney General Rob Bonta today filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, for failing to protect its customers’ sensitive personal information and genetic data related to their health, genetic predispositions and risk factors, biological relatives, ancestry, and ethnicity. In 2023, 23andMe experienced a data breach that affected nearly 7 million users across the United States, including 855,541 Californians. While 23andMe publicly touted its commitment to data privacy and transparency, in truth, it failed to take reasonable measures to protect its customers’ most sensitive data, ignored known vulnerabilities in its systems, and failed to properly investigate or respond to numerous warnings that its systems had been compromised. The company also misled its customers and the public regarding crucial aspects of the 2023 data breach. In the complaint, filed today in San Francisco Superior Court, Attorney General Bonta alleges 23andMe’s failures to implement and maintain reasonable security procedures and its misleading statements regarding its security and the data breach were unlawful. “23andMe collected genetic data about millions of people, failed to meet its obligation under California law to keep that information safe, and then lied to consumers about the severity of its 2023 data breach. Our investigation found that the company failed to take basic steps to protect users’ data — data including the sensitive personal information, family histories, and health conditions of consumers,” said Attorney General Bonta. “The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence — and explicitly called attention to the deeply personal and identifying nature of that information. This is disturbing and incredibly dangerous. Today, my office is suing 23andMe for its categorical failure to comply with California law.” BACKGROUND Founded in San Francisco, 23andMe was the first and one of the largest direct-to-consumer genetic testing companies in the world. Customers sent their saliva samples to 23andMe for DNA analysis. The company stored data on consumers’ raw DNA sequence and used that information to provide consumers with reports about their ancestry, ethnicity, and genetic health predispositions. On October 6, 2023, 23andMe confirmed that it had suffered a major data breach. Indeed, for five months, a threat actor had breached 23andMe’s systems undetected by accessing about 14,000 customers’ 23andMe accounts. The threat actor leveraged that access, as well as other vulnerabilities within 23andMe’s systems, to obtain the data of nearly 7 million 23andMe customers. The threat actor used a well-known type of cyberattack called “credential stuffing” that businesses, particularly those that collect and maintain sensitive personal and genetic data, can and should know to guard against. Credential stuffing exploits consumers’ tendency to use weak or common passwords or to reuse log-in credentials by using the same username and password that they use with one company to log into accounts with another company. Here, the threat actor used account credentials stolen in prior data breaches — including the highly publicized breach of MyHeritage, a separate genealogy site that had partnered with 23andMe. Although 23andMe’s data security team was aware of the MyHeritage breach, and 23andMe had encouraged its users to create an account with MyHeritage, 23andMe never checked for or prevented credential reuse, even after the MyHeritage data breach. Once in 23andMe’s systems, the threat actor used a vulnerability involving a critical coding error in “DNA Relatives” — a feature that allowed DNA-related customers to share information and contact each other — to steal additional identifying information, ancestry reports, and reports indicating the percentage of DNA shared with potential relatives about nearly 7 million consumers. News of 23andMe’s breach came to light after the data of one million consumers were offered for sale on the dark web, specifically touting that the data belonged to Asian American and Pacific Islanders (AAPI) and Jewish users. Disturbingly, this occurred during a period of increasing anti-AAPI and antisemitic hate and violence. Even more disturbing, 23andMe’s post-breach statements to consumers were misleading and omitted or misrepresented critical information regarding the breach. While 23andMe assured the public that it had not experienced a data security incident within its systems, downplayed the sensitivity of the stolen data by claiming that the information stolen from the “DNA Relatives” feature was essentially public, and attempted to shift blame for the breach to its customers, 23andMe was simultaneously negotiating and paying a ransom to the threat actor in exchange for, among other thing
Settlement payout
Amount varies
Final amount depends on how many valid claims are filed
Step-by-step instructions for this one aren't available yet. Start the claim and we'll take you to the official source to file it.
Start claimPay it forward
Most people never find out they're owed money. Sharing takes 10 seconds and could put real money in a friend's pocket.
Patients whom Aetna denied coverage for single-level lumbar artificial disc replacement (L-ADR) may be eligible to claim a payment from a $2.56M class action settlement
$25,000
estimated
Capital One customers and applicants whose information was exposed in the 2019 data breach can file claims for general damages, time spent dealing with the breach, and documented financial losses. No proof of loss required for basic claims, but documented losses can receive significantly higher payouts
$25,000
estimated
Did your child use Google Play apps before age 13, any time since April 2015? Google settled claims it collected children's personal data through its AdMob ad network for $8.25 million. No receipts or records needed, a parent fills out and signs the claim. Deadline: September 14, 2026
$25,000
estimated
You may be included in this settlement if you had a pre-service authorization request or post-service claim for single-level lumbar artificial disc replacement denied by Aetna Life Insurance Company
$25,000
estimated