On the morning of Sept. 25, Elvira Olguín called into a St. Louis court hearing in the 23andMe bankruptcy from Málaga, Spain, sitting beside her son, who guided her through the proceedings.
The 96-year-old bought a 23andMe kit in April 2019 for research in a legal biological recognition process. After receiving a notice in October 2023 that a data breach had exposed the personal information of nearly 7 million users, she became frightened, which caused her blood pressure to spike. Days later, she suffered a vascular episode that led to vision loss in one eye, according to her health records.
“Such news can be especially harmful to those in fragile health and may even cause permanent damage, as happened to me,” Olguín said. “I felt very exposed.”
23andMe, now Chrome Holding Co., filed for bankruptcy in March, nearly two years after the breach. It recently received preliminary approval to settle class actions in the US and Canada, covering the bulk of 250,000 claims tied mainly to the incident, valued at over $51 trillion.
The company is disputing potential fraudulent claims and is pursuing a “streamlined” process requiring customers to verify their identities.
Olguín isn’t part of either class. Her $1,500 claim may be her only avenue for recovery, though individual claimants typically fall lower in repayment priority. She appeared in court fearing she would “lose her rights.”
23andMe brought unique privacy issues to bankruptcy. Unlike mass tort bankruptcies—such as Georgia-Pacific unit Bestwall, which faces asbestos claims, or Purdue Pharma opioid lawsuits—the harm mainly involves identity theft or nation-state misuse.
This article was originally published by Bloomberg Law.
