Privacy and consumer protection enforcement actions tracked from official New York Attorney General sources.
Official enforcement page35
Total Actions
$151.9M
Total Fines
New York Attorney General Letitia James, joined by 16 other states, sued the U.S. Department of Education over a new survey requiring colleges to submit extensive student data, arguing it violates the Administrative Procedure Act and threatens student privacy. The lawsuit seeks to block the mandate and prevent penalties for non-compliance.
New York Attorney General Letitia James sent a letter to Instacart demanding information about its algorithmic pricing practices after a study revealed significant price differences for the same products. The AG warns that Instacart may be violating the New York Algorithmic Pricing Disclosure Act by failing to clearly disclose the use of personal data for price setting.
New York Attorney General Letitia James secured a $500,000 settlement from OrthopedicsNY, LLP for failing to implement reasonable data security practices, which led to a cyber-attack stealing sensitive personal and health information of over 650,000 patients and employees. The settlement imposes penalties, requires funding for credit monitoring, and mandates enhanced security measures including multi-factor authentication and encryption.
$500K
Illuminate Education, Inc. experienced a data breach in 2022 that exposed personal information of millions of students due to inadequate security measures. A multistate investigation by New York, California, and Connecticut Attorneys General resulted in a $5.1 million settlement requiring Illuminate to enhance cybersecurity practices and pay penalties.
$5.1M
New York Attorney General Letitia James announced a settlement with accounting firm Wojeski & Company for failing to secure customer data, resulting in two data breaches that exposed personal information of over 4,700 New Yorkers. The firm delayed breach notification for over a year and had unauthorized employee access to data, leading to a $60,000 penalty and mandatory cybersecurity improvements.
$60K
New York Attorney General Letitia James secured $14.2 million in settlements from eight car insurance companies for failing to protect consumers' personal information. The companies' inadequate cybersecurity allowed hackers to steal driver's license numbers and other data through online quoting tools, impacting over 825,000 New Yorkers. The settlements require the companies to pay penalties and implement enhanced data security measures.
$14.2M
New York Attorney General Letitia James and a coalition of 20 other states sued the U.S. Department of Agriculture to stop its demand for personal information of SNAP recipients for immigration enforcement. The District Court issued a temporary restraining order blocking USDA's demand and preventing funding cuts, citing violations of laws protecting SNAP data confidentiality.
New York Attorney General Letitia James, joined by 20 other states and Kentucky, filed a lawsuit challenging the Trump administration's policy requiring states to disclose personal information of SNAP recipients to federal agencies. The policy violates privacy laws by demanding sensitive data like Social Security numbers for potential immigration enforcement. The coalition seeks a court injunction to stop the illegal data sharing.
New York Attorney General Letitia James, along with 27 other attorneys general, filed a lawsuit against 23andMe to prevent the auction of genetic data from 15 million customers without consent. The coalition argues that such sensitive information cannot be sold without express, informed consent and must adhere to state laws. The action seeks to protect consumer privacy and avert potential misuse or data breaches.
Root Insurance Company's online quoting system exposed plaintext driver's license numbers and personal information, allowing hackers to steal data from approximately 45,000 New Yorkers. The stolen information was used to file fraudulent unemployment claims. Root will pay $975,000 in penalties and implement enhanced data security measures, including a comprehensive security program and improved monitoring.
$975K
New York Attorney General Letitia James filed a lawsuit against National General Holdings Corp and Allstate Insurance Company for failing to protect personal information and notify consumers of data breaches. The breaches exposed driver's license numbers of over 165,000 New Yorkers due to poor cybersecurity. The AG is seeking monetary penalties and an injunction.
Saturn Technologies, developer of the Saturn app for high school students, failed to verify users' age and school affiliation, allowing unauthorized interactions and mishandling contact data. The settlement requires a $650,000 penalty and mandates privacy enhancements, including better verification, data deletion, and improved settings for minors.
$650K
New York Attorney General Letitia James led a multistate coalition to sue the Trump administration for allowing Elon Musk and DOGE unauthorized access to the Treasury Department's central payment system, exposing Americans' sensitive personal information. A federal court granted a preliminary injunction blocking this access and ordering the destruction of any obtained records.
A coalition of attorneys general sued the Trump administration for illegally granting Elon Musk and DOGE access to the Treasury Department's payment system, exposing sensitive personal data of millions of Americans. The court granted a temporary restraining order blocking further access and ordering destruction of obtained records. The states are seeking a preliminary injunction to continue the protection.
New York Attorney General Letitia James led a multistate lawsuit against Elon Musk and his Department of Government Efficiency (DOGE) for gaining unauthorized access to the U.S. Treasury's payment system, which contains Americans' sensitive personal data and controls vital funding. A federal judge granted a temporary restraining order blocking DOGE from accessing this data and requiring the destruction of any records already obtained, with a preliminary injunction hearing set for February 14, 2025.
New York Attorney General Letitia James led a coalition of 19 states in filing a lawsuit against the Trump administration for illegally granting Elon Musk and DOGE access to the Treasury's payment system, exposing Americans' sensitive personal information. The lawsuit seeks an injunction to halt this policy and a declaration that it is unlawful and unconstitutional.
New York Attorney General Letitia James secured a $450,000 settlement from three companies distributing eufy home security cameras for failing to secure private video footage. The investigation found that video streams were not properly encrypted and could be accessed without authentication. The companies must implement stronger security measures including comprehensive information security programs and regular vulnerability testing.
$450K
New York Attorney General Letitia James announced a settlement with Equifax Information Services, LLC for inaccurately reporting credit scores to lenders due to a coding error, which lowered consumers' scores and inflated costs for loans and insurance between March and April 2022. Equifax will pay $725,000 and implement safeguards to prevent future errors, with restitution for affected consumers.
$725K
New York Attorney General Letitia James secured a $500,000 consent decree from Noblr, an auto insurance company, for failing to protect the personal information of over 80,000 New Yorkers in a data breach. The breach exposed driver's license numbers and dates of birth, which scammers used to file fraudulent unemployment claims. Noblr is required to enhance its data security measures and pay penalties.
$500K
HealthAlliance, a Hudson Valley health care facility operator, failed to patch a known vulnerability in its system despite being notified by a vendor, leading to a cyber-attack that compromised the personal and medical data of 242,641 patients. The New York Attorney General secured a $1.4 million penalty, with $850,000 suspended due to financial constraints, and required HealthAlliance to implement comprehensive cybersecurity improvements including patch management and data inventory protocols.
$1.4M
GEICO and Travelers were fined $11.3 million for data breaches that exposed personal information of over 120,000 New Yorkers due to inadequate cybersecurity. The breaches involved driver's license numbers being stolen and used in fraudulent unemployment claims. The settlements mandate enhanced security measures and penalties.
$11.3M
National Amusements, Inc. suffered a data breach exposing personal information of over 23,000 New York employees due to inadequate security, including unenforced multifactor authentication. The company delayed breach notification for over a year, violating the New York Shield Act. As a result, National Amusements agreed to pay $250,000 in penalties and implement enhanced cybersecurity measures.
$250K
New York Attorney General Letitia James secured a settlement with Albany ENT & Allergy Services (AENT) after ransomware attacks compromised the medical records of over 200,000 patients. AENT failed to maintain adequate data security and did not properly disclose all affected data. The settlement requires AENT to pay $1 million in penalties and invest $2.25 million in cybersecurity improvements.
$1.0M
Marriott International agreed to a $52 million multistate settlement after a data breach exposed 131.5 million customers' personal information due to undetected intruders in Starwood's system from 2014 to 2018. The settlement mandates significant cybersecurity improvements, including third-party assessments, data minimization, and enhanced training.
$52.0M
New York Attorney General Letitia James and a coalition of 14 attorneys general filed lawsuits against TikTok for misleading about platform safety and violating COPPA by collecting children's data without parental consent. The lawsuits allege that TikTok's addictive features harm young people's mental health and that the company falsely claims its safety tools are effective. The coalition seeks to stop these practices and impose financial penalties.
New York Attorney General Letitia James, along with Connecticut and New Jersey attorneys general, secured a $4.5 million settlement from Enzo Biochem, Inc. for failing to protect patient health data, resulting in a ransomware attack that exposed personal information of approximately 2.4 million patients. Enzo agreed to pay the penalty and implement enhanced cybersecurity measures.
$4.5M
College Board licensed student data to third parties and used it for marketing without proper consent, violating New York law. The settlement requires College Board to pay $750,000 and prohibits future commercial use of student data from school-administered exams.
$750K
Refuah Health Center, Inc. failed to implement adequate data security measures, leading to a ransomware attack that compromised the personal and health information of approximately 250,000 New Yorkers. The New York Attorney General reached a settlement requiring Refuah to invest $1.2 million in cybersecurity improvements and pay $450,000 in penalties.
$450K
NewYork-Presbyterian Hospital used third-party tracking tools on its website that collected and shared patients' health information with tech companies without adequate safeguards, violating HIPAA. The hospital agreed to pay $300,000 and implement enhanced privacy policies, data deletion, and regular audits.
$300K
Morgan Stanley failed to properly decommission computer devices containing unencrypted customer data, leading to the sale of devices with personal information at auction and missing servers with potential data. A multistate coalition secured a $6.5 million settlement requiring Morgan Stanley to implement enhanced data security measures.
$6.5M
US Radiology Specialists, Inc. failed to upgrade its firewall, leading to a ransomware attack that compromised the personal and health data of over 198,000 patients, including 92,000 New Yorkers. The company agreed to pay $450,000 in penalties and implement comprehensive data security measures, including encryption and data deletion policies.
$450K
A coalition of 42 attorneys general filed a federal lawsuit against Meta, alleging that the company designed addictive features that harm youth mental health and violated COPPA by collecting children's data without parental consent. The lawsuit seeks injunctive relief, monetary penalties, and restitution.
New York Attorney General Letitia James secured a $350,000 settlement from Personal Touch Holding Corporation for failing to protect patient and employee data. A ransomware attack in January 2021 compromised the personal and medical information of approximately 316,845 New Yorkers due to inadequate security measures. As part of the agreement, Personal Touch must pay penalties, enhance its cybersecurity program, and provide free credit monitoring to affected individuals.
$350K
Blackbaud, a cloud company providing donor management software, experienced a 2020 data breach exposing personal information of millions of donors through its nonprofit customers. A multistate investigation found Blackbaud failed to implement adequate data security and delayed breach notifications. As a result, Blackbaud agreed to pay $49.5 million and overhaul its security practices.
$49.5M
Marymount Manhattan College suffered a data breach in 2021 affecting 99,097 New Yorkers. The New York Attorney General found that MMC failed to secure its network infrastructure and update security policies. As part of the agreement, MMC must invest $3.5 million over six years to improve data encryption, enable multi-factor authentication, and implement other security measures.