Privacy and consumer protection enforcement actions tracked from official New Jersey Attorney General sources.
Official enforcement page58
Total Actions
$813.4M
Total Fines
A former employee of the New Jersey Department of Children and Families was indicted for allegedly leaking confidential child protection case information in exchange for bribes. The defendant, Susaida Nazario, misused her access to provide case details to an unauthorized individual, compromising sensitive children's data.
New Jersey Attorney General Matthew Platkin announced that New Jersey is joining a coalition of 22 states in suing Uber for deceptive practices related to its Uber One subscription service. The lawsuit alleges that Uber enrolled consumers without their knowledge and made cancellation extremely difficult, seeking restitution, penalties, and an injunction under New Jersey's Consumer Fraud Act and the Restore Online Shoppers' Confidence Act.
New Jersey Attorney General Matthew Platkin is leading a bipartisan coalition of 42 attorneys general in sending a letter to 13 tech companies, demanding that they implement safeguards for their AI chatbots to prevent harmful interactions such as sexually explicit conversations with children, encouraging self-harm, and spurring violence, following reports of serious incidents including deaths and self-harm.
The New Jersey Division of Consumer Affairs sent warning letters to over 3,000 auto dealerships reminding them of the state's data deletion law, which requires dealerships to offer to delete personal data from vehicles when accepting them for resale or lease. Failure to comply can result in fines of $500 for first offenses and $1,000 for subsequent offenses, aimed at preventing unauthorized access to sensitive consumer information stored in vehicle infotainment systems.
New Jersey Attorney General Matthew J. Platkin joined a coalition of 20 attorneys general in filing a lawsuit against the U.S. Department of Agriculture (USDA) for demanding that states turn over sensitive personal information of SNAP recipients, including Social Security numbers and addresses. The lawsuit argues that this demand violates federal privacy laws and the Constitution, as the data is protected and should only be used for program administration. The coalition seeks to block USDA from conditioning SNAP funding on compliance with this demand.
The New Jersey Attorney General filed a lawsuit against Discord, Inc. for deceptive business practices under the Consumer Fraud Act. Discord misrepresented its Safe Direct Messaging and age verification features, failing to protect children from
New Jersey Attorney General Matthew J. Platkin joined a coalition of 19 attorneys general in filing a lawsuit against the Trump administration for illegally granting Elon Musk and DOGE unauthorized access to the U.S. Treasury Department's central payment system, which contains sensitive personal information such as Social Security numbers and bank details. The lawsuit seeks an injunction to halt this policy and a declaration that it is unlawful and unconstitutional.
A multistate coalition of 50 attorneys general, including New Jersey, reached a $52 million settlement with Marriott International, Inc. for two data breaches that exposed personal information of over 131 million consumers. The breaches resulted from inadequate cybersecurity practices at Starwood and Marriott networks. The settlement mandates comprehensive security improvements and monetary penalties.
$52.0M
Enzo Biochem, Inc. agreed to pay $4.5 million and strengthen its cybersecurity practices to settle allegations that deficient data security led to a ransomware attack exposing the health data of 2.4 million patients. The multistate enforcement action was led by New Jersey with New York and Connecticut.
$4.5M
Bumble Inc. agreed to pay $315,000 and update its disclosures to settle allegations that it misrepresented its criminal background screening policies to New Jersey users, violating the New Jersey Consumer Fraud Act and Internet Dating Safety Act. The settlement requires Bumble to clearly disclose its screening practices and safety limitations on its dating platforms.
$315K
New Jersey Attorney General Matthew Platkin announced a multistate settlement where Morgan Stanley will pay $1.27 million to NJ over data security incidents that compromised personal information of over 755,000 NJ residents and millions nationwide. The incidents involved improper decommissioning of devices and a software flaw, leading to unauthorized access. The settlement requires Morgan Stanley to strengthen its data security and disposal procedures.
$1.3M
New Jersey, leading a coalition of 41 other attorneys general, sued Meta for knowingly designing addictive Instagram and Facebook features targeting children and teens while falsely claiming the platforms were safe. The lawsuit alleges Meta collected personal data from users under 13 without parental consent, violating the federal Children's Online Privacy Protection Act (COPPA) and state consumer protection laws like the New Jersey Consumer Fraud Act.
Blackbaud, a software company, experienced a ransomware attack in 2020 that exposed sensitive personal information, including protected health data, due to inadequate security practices and delayed breach notification. A multistate investigation resulted in a $49.5 million settlement, requiring Blackbaud to enhance data security, implement breach response plans, and undergo third-party assessments.
$49.5M
New Jersey Attorney General Matthew Platkin joined a multistate lawsuit against Avid Telecom for allegedly initiating and facilitating billions of illegal robocalls, including to numbers on the National Do Not Call Registry, in violation of the Telephone Consumer Protection Act and Telemarketing Sales Rule. The company is accused of transmitting scam calls and ignoring warnings from the Industry Traceback Group.
EyeMed Vision Care agreed to a $2.5 million multistate settlement over a data breach that exposed personal and medical information of approximately 2.1 million individuals. The breach resulted from security deficiencies, including password sharing, violating HIPAA and state privacy laws. The settlement mandates enhanced security measures and compliance with privacy regulations.
$2.5M
The New Jersey Bureau of Securities issued a Cease and Desist Order against Horatiu Charlie Caragaceanu and his organizations for promoting TruthGPT Coin, a cryptocurrency scam that falsely claimed AI capabilities and endorsements from figures like Elon Musk. The respondents misrepresented the AI model's ability to predict cryptocurrency prices and manipulated images to show false endorsements, targeting investors with unrealistic profit promises.
Google settled with 40 state attorneys general over allegations that it misled consumers about location tracking practices. Google will pay $391.5 million and must enhance transparency and user controls for location data collection.
$391.5M
New Jersey Attorney General Matthew J. Platkin announced a multistate settlement with Experian and T-Mobile over a 2015 data breach that compromised personal information of over 15 million consumers. The companies will pay over $16 million to states and agree to improve data security and vendor management practices. New Jersey will receive approximately $500,000 from the settlement.
$16.0M
Wawa Inc. agreed to pay $8 million to resolve a multistate investigation into a data breach that compromised approximately 34 million payment cards between April 2019 and December 2019. The breach involved malware that harvested card data from point-of-sale terminals. New Jersey will receive $2.5 million, and Wawa must implement enhanced cybersecurity measures including a comprehensive security program and third-party audits.
$8.0M
The New Jersey Board of Pharmacy temporarily suspended the license of Christina Bekhit, owner of AllCare Pharmacy, after her arrest for selling falsified COVID-19 vaccination cards and entering false information into the state's immunization database. Under a consent order filed on July 5, 2022, Bekhit agreed to cease pharmacy operations and surrender her permit, addressing grave public health risks from fraudulent vaccination records.
The New Jersey Attorney General announced the arrest of Christina Bekhit, a pharmacist operating AllCare Pharmacy, for selling fake COVID-19 vaccination record cards and entering false information into the state's immunization database. She faces criminal charges for computer criminal activity, tampering with public information, and falsification of medical records.
New Jersey, as part of a multistate coalition, settled with Carnival Cruise Line over a 2019 data breach that compromised personal information of approximately 180,000 employees and customers nationwide. The breach resulted from deficiencies in Carnival's data security program and delayed breach notification. Carnival will pay $1.25 million and implement enhanced email security and breach response measures.
$1.3M
New Jersey is co-leading a multistate investigation into TikTok to determine if the platform violates consumer protection laws by using techniques that increase engagement among young users, potentially causing mental and physical harm. The investigation will examine what TikTok knows about these harms to children, teenagers, and young adults.
New Jersey is co-leading a nationwide investigation into whether Instagram and its parent company Meta Platforms, Inc. are violating state consumer protection laws by employing techniques that induce children, teenagers, and young adults to use the platform in potentially harmful ways. The bipartisan coalition of attorneys general is examining the potential mental and physical health harms resulting from extended engagement, including depression, anxiety, and body image issues.
Command Marketing Innovations, LLC and Strategic Content Imaging, LLC settled allegations that they violated the New Jersey Consumer Fraud Act and HIPAA by failing to safeguard protected health information, exposing the data of 55,715 New Jersey residents. The companies agreed to pay $130,000 in penalties and implement comprehensive security measures, including appointing security officers and providing employee training.
$130K
The New Jersey Attorney General settled with Diamond Institute for Infertility and Menopause, LLC, following a data breach that exposed the electronic protected health information (ePHI) of 14,663 patients. The investigation found the clinic failed to implement required HIPAA Security Rule safeguards, including risk assessments, encryption, and access controls. The $495,000 settlement includes civil penalties and requires the clinic to implement a comprehensive information security program and corrective actions.
$495K
A caseworker with the New Jersey Division of Child Protection and Permanency was charged with criminal offenses for allegedly accessing and disclosing confidential DCF database records without authorization. The charges include Computer Theft and Unlawful Access and Disclosure. The investigation was conducted by the New Jersey State Police.
AMCA suffered an eight-month data breach from August 2018 to March 2019, exposing personal information including Social Security numbers, payment card data, and medical test details of over 7 million individuals nationwide, including 246,000 New Jersey residents. The multistate settlement requires AMCA to implement enhanced data security measures and pay $21 million, though payment is suspended due to the company's financial situation.
$21.0M
New Jersey participated in a multi-state settlement resolving an investigation into a 2017 data breach at Sabre Hospitality Solutions. Intruders accessed the company's hotel booking system from August 2016 to March 2017, compromising data from over 1.3 million consumer credit cards, including CVV numbers and expiration dates. Sabre failed to promptly notify affected consumers. The $2.4 million settlement requires Sabre to implement enhanced data security measures, develop a breach notification plan, clarify contractual responsibilities with client hotels, and undergo third-party security assessments.
$2.4M
New Jersey joined a multistate $2 million settlement with online retailer CafePress over a 2019 data breach that exposed personal information of approximately 22 million consumers nationwide, including over 540,000 in New Jersey. The settlement requires CafePress to implement a comprehensive cybersecurity program, incident response plan, and third-party assessments for five years, with payment suspended pending compliance.
$2.0M
Home Depot settled for $17.5 million over a 2014 data breach that compromised personal information of over 40 million consumers due to inadequate security at self-checkout kiosks. The settlement requires extensive cybersecurity reforms including an information security program, employee training, and encryption. New Jersey receives $579,623 from the multi-state settlement.
$17.5M
Wakefern Food Corp. and associated ShopRite entities settled allegations that they improperly disposed of electronic devices containing protected health information, potentially exposing the data of over 9,700 New Jersey residents. They agreed to pay $235,000 and implement comprehensive data security measures including appointing privacy officers and providing training.
$235K
New Jersey Attorney General settled with Community Health Systems, Inc. over a 2014 data breach affecting 6.1 million patients, including over 45,000 New Jersey residents. CHS will pay $5 million to 28 states and implement enhanced data security measures to protect personal and health information.
$5.0M
New Jersey Attorney General announced a multi-state settlement with Anthem, Inc. over a 2015 data breach that exposed personal information of over 78 million Americans, including 1.15 million New Jersey residents. Anthem will pay $39.5 million to participating states and implement enhanced cybersecurity measures.
$39.5M
Neiman Marcus settled a multi-state investigation over a 2013 data breach that compromised payment card data of approximately 370,000 consumers nationwide, including 17,000 in New Jersey. The company agreed to pay $1.5 million and implement enhanced cybersecurity measures such as PCI compliance, network monitoring, and regular security assessments.
$1.5M
EmblemHealth, Inc. settled with the New Jersey Attorney General over a 2016 data breach where Medicare Health Insurance Claim Numbers (containing Social Security numbers) were improperly disclosed on mailing labels to over 81,000 customers, including 6,443 in New Jersey. The company agreed to pay a $100,000 civil penalty and implement compliance reforms including ceasing use of HICNs with SSNs, enhancing employee training, and notifying the state of future breaches.
$100K
ATA Consulting LLC, operating as Best Medical Transcription, settled for $200,000 over a 2016 server misconfiguration that publicly exposed health records of up to 1,654 patients. The settlement includes civil penalties and permanently bars the owner from operating a business in New Jersey. The breach violated HIPAA and the New Jersey Consumer Fraud Act due to inadequate security and failure to promptly notify affected individuals.
$200K
Aetna, Inc. settled with New Jersey and other states over allegations that it improperly disclosed protected health information of thousands of individuals through mailings that revealed HIV/AIDS status and AFib study participation. The settlement requires Aetna to implement policy reforms, hire an independent consultant, and pay a civil penalty of $365,211.59 to New Jersey.
$365K
Uber Technologies, Inc. agreed to pay $148 million to settle a multi-state investigation into a data breach that compromised personal information of riders and drivers. The breach occurred in November 2016 but was not disclosed until November 2017. Uber must adopt new policies to safeguard consumer data.
$148.0M
Lightyear Dealer Technologies (DealerBuilt) settled an investigation into a 2016 data breach where a misconfigured file system exposed personal data, including social security numbers and bank information, of thousands of auto dealership customers nationwide. The settlement includes an $80,784 payment (with $20,000 suspended) and mandatory cybersecurity reforms.
$49K
Unixiz, Inc. agreed to shut down its i-Dressup teen social website and pay $98,618 in civil penalties to settle allegations that it violated COPPA by collecting personal information from over 2,500 New Jersey children without parental consent and failed to safeguard user data, leading to a 2016 data breach affecting more than 24,000 New Jersey residents.
$99K
Meitu, Inc. allegedly violated COPPA and the New Jersey Consumer Fraud Act by collecting personal information from children under 13 without parental consent. The settlement requires Meitu to pay a $100,000 civil penalty, update its privacy policies, and modify its apps to block data collection from children.
$100K
Virtua Medical Group agreed to pay $417,816 and implement a corrective action plan to settle allegations that it failed to properly secure electronic protected health information (ePHI). A vendor's server misconfiguration publicly exposed the medical records of over 1,650 patients via Google searches. The New Jersey Division of Consumer Affairs found VMG violated HIPAA's Security and Privacy Rules by not adequately vetting the vendor's security and failing to conduct proper risk analysis.
$418K
The New Jersey Attorney General announced an investigation into how the personal information of millions of Facebook users was harvested and obtained by Cambridge Analytica, a UK-based data analytics company. The AG expressed concern that Facebook may have allowed the harvesting and monetization of user data despite promises to keep it secure.
New Jersey Attorney General Christopher Porrino announced that New Jersey has joined a multi-state investigation into Equifax following a data breach affecting 143 million consumers. The multi-state group sent a letter demanding Equifax disable fee-based credit monitoring services and reimburse consumers for credit freeze fees with other bureaus, citing unfair practices and a months-long delay in breach disclosure.
New Jersey joined 31 other states and the FTC in a $3.5 million settlement with Lenovo for pre-installing VisualDiscovery ad software on laptops that created a 'man-in-the-middle' security vulnerability, intercepting users' encrypted data without adequate disclosure or opt-out mechanisms. The settlement requires Lenovo to improve transparency, obtain affirmative consent, provide effective opt-out tools, and implement a long-term security compliance program with independent audits.
$3.5M
Nationwide Insurance settled a multi-state investigation into a 2012 data breach that exposed personal information of 1.27 million consumers due to failure to apply a security patch. The settlement requires enhanced security practices, hiring a Technology Officer, and a $5.5 million payment to the states.
$5.5M
Target Corp. agreed to pay $18.5 million to resolve a multi-state investigation into the November 2013 data breach that compromised payment card information of over 41 million shoppers. The settlement requires Target to implement comprehensive cybersecurity reforms, including a dedicated Information Security Program, encryption, network segmentation, and third-party assessments.
$18.5M
Horizon Blue Cross Blue Shield of New Jersey agreed to pay $926,803 in civil penalties and implement a corrective action plan to settle allegations that it failed to encrypt laptops containing protected health information, violating HIPAA/HITECH and the New Jersey Consumer Fraud Act.
$927K
VIZIO and Inscape settled allegations that they collected viewing data from Smart TVs without adequate disclosure and consent, selling it to third parties. They agreed to pay $1 million to New Jersey, destroy collected data, and implement privacy measures including obtaining consumer consent and establishing a privacy program.
$1.0M
The New Jersey Division of Consumer Affairs settled with DealerApp, a mobile app developer for auto dealerships, for allegedly collecting and transmitting consumer personal information without notice or consent. DealerApp agreed to pay a $38,000 civil penalty and implement measures to disclose data practices and obtain consent for third-party sharing.
$38K
The New Jersey Attorney General and FTC settled with app developer Equiliv Investments and Ryan Ramminger for distributing the Prized app that contained malware to mine cryptocurrency without user consent. The settlement prohibits such activities, requires record-keeping for 20 years, and imposes a $5,200 penalty with an additional $44,800 suspended.
$5K
The New Jersey Division of Consumer Affairs obtained a consent decree against Jeremy Rubin, developer of Tidbit Bitcoin-mining software, for accessing New Jersey computers without users' knowledge or consent. The settlement includes a suspended $25,000 monetary penalty and prohibits future unauthorized access, requiring clear notification and verifiable consent.
$25K
The New Jersey Attorney General settled with Dokogeo, the developer of the Dokobots app, for violating COPPA by collecting personal information from children without parental consent. The settlement requires Dokogeo to disclose its data practices, stop collecting children's data, delete existing children's data, and pay a suspended $25,000 penalty.
$25K
Dataium settled allegations that it used history sniffing to track consumers' online browsing without consent and sold personal data of 400,000 consumers to a data broker without notice. The settlement imposes a $400,000 monetary penalty, requires a privacy program, and mandates transparency and opt-out mechanisms.
$400K
New Jersey joined a multi-state settlement with Google alleging that Google circumvented Safari browser's default privacy settings to plant third-party cookies without user consent. Google agreed to pay $17 million and implement injunctive relief to prevent such conduct and improve transparency.
$17.0M
PulsePoint circumvented Safari browser privacy settings to place unauthorized cookies, enabling targeted advertising without user consent. The New Jersey Division of Consumer Affairs secured a $1 million settlement, including a $566,200 civil penalty, and mandated privacy reforms such as third-party assessments and website disclosures.
$566K
Google settled multi-state allegations that it collected personal data from unsecured wireless networks during Street View operations without user consent. The settlement requires Google to destroy the collected data, refrain from future non-consensual collection, implement a 10-year employee privacy training program, and run a public advertising campaign. New Jersey's share of the settlement is approximately $147,000.