Federal and state enforcement actions involving breach notification delay violations, tracked from official government sources.
Total Actions: 22
Total Fines: $437.3M
Jurisdictions: 6
The FTC proposed a consent order against Illuminate Education, Inc. for failing to secure student data, leading to a breach affecting over 10 million students. The company allegedly had security failures and delayed breach notifications. The order requires a data security program, data deletion, and a retention schedule.
New York Attorney General Letitia James settled with public accounting firm Wojeski & Company over two data breaches in 2023 and 2024 that exposed personal information of over 4,700 New York residents, including social security numbers and medical benefits. The firm failed to implement adequate data security measures, did not encrypt sensitive data, and delayed notifying affected consumers of the breaches for over a year. Wojeski must pay $60,000 in penalties and implement enhanced cybersecurity measures including encryption, incident response plans, and employee training.
$60K
Massachusetts Attorney General Andrea Joy Campbell announced a $795,000 settlement with Peabody Properties, Inc. for failing to protect personal information and delaying breach notifications after multiple data breaches exposed nearly 14,000 residents' sensitive data. The consent decree requires payment to the Commonwealth and implementation of comprehensive cybersecurity measures.
$795K
New York Attorney General Letitia James filed a lawsuit against National General and Allstate Insurance Company for two data breaches in 2020 and 2021 that exposed the driver’s license numbers of over 165,000 New York residents. The AG alleges National General failed to implement reasonable data security measures, did not notify consumers or state agencies of the first breach, and left systems vulnerable to a second larger breach after Allstate took over data security operations. The AG is seeking monetary penalties and an injunction to prevent further violations.
New York Attorney General Letitia James reached a $250,000 settlement with National Amusements, Inc. after an investigation found the movie theater operator failed to implement adequate data security, leading to a breach exposing personal information of over 23,000 New York employees. The company also violated the New York SHIELD Act by delaying notification to affected individuals for more than a year after the breach. As part of the settlement, National Amusements must pay the penalty and implement enhanced cybersecurity measures including encryption, password policies, and an incident response plan.
$250K
New York Attorney General Letitia James reached a settlement with Albany ENT & Allergy Services (AENT) over two 2023 ransomware attacks that compromised the medical records of over 200,000 New Yorkers. The OAG found AENT failed to maintain reasonable data security safeguards, inadequately oversaw third-party security vendors, and initially failed to disclose all exposed consumer data to the state. AENT will pay $1 million in penalties (with $500,000 suspended pending $2.25 million in security investments) and implement comprehensive data security measures including encryption, multi-factor authentication, and vendor oversight.
$1.0M
Connecticut Attorney General William Tong urged residents to enroll in free credit monitoring and identity theft protection following the Change Healthcare cyberattack in February 2024, which exposed sensitive health data. The breach potentially impacted up to one-third of Americans, but Change Healthcare has failed to provide individual notice to affected consumers. The AG joined other attorneys general in April 2024 to demand that UnitedHealth Group take more meaningful action to protect those harmed.
California Attorney General Rob Bonta announced a $6.75 million settlement with software company Blackbaud over a 2020 data breach that exposed consumers' personal information including Social Security numbers, bank account details, and medical data. Blackbaud was found to have inadequate data security practices, failed to timely and accurately notify impacted individuals of the breach, and made misleading public disclosures about the breach and its pre-breach security measures. The settlement requires Blackbaud to pay penalties and implement enhanced data security and breach notification protocols.
$6.8M
The FTC proposed a consent order against Global Tel*Link Corp. for failing to secure sensitive user data, leading to a breach affecting nearly 650,000 consumers, and for delaying notification for about nine months. The order requires the company to implement a comprehensive security program, notify affected users with credit monitoring, and report future breaches promptly.
Blackbaud, a cloud company providing donor management software, experienced a 2020 data breach exposing personal information of millions of donors through its nonprofit customers. A multistate investigation found Blackbaud failed to implement adequate data security and delayed breach notifications. As a result, Blackbaud agreed to pay $49.5 million and overhaul its security practices.
$49.5M
Blackbaud, a software company, experienced a ransomware attack in 2020 that exposed sensitive personal information, including protected health data, due to inadequate security practices and delayed breach notification. A multistate investigation resulted in a $49.5 million settlement, requiring Blackbaud to enhance data security, implement breach response plans, and undergo third-party assessments.
$49.5M
The FTC charged Easy Healthcare Corporation, operator of the Premom fertility app, with deceiving users by sharing their sensitive health data with third parties for advertising without consent and failing to give notice of breaches as required by the Health Breach Notification Rule. Under a proposed consent decree, the company will pay a $100,000 civil penalty, be barred from sharing health data for advertising, and must implement privacy and security measures.
$100K
The FTC finalized an order against CafePress for failing to secure consumer data and covering up a data breach. The company must implement comprehensive security measures, and its former owner must pay $500,000 in redress to victims.
$500K
Connecticut, co-leading a multistate investigation, secured a $1.25 million settlement with Carnival Cruise Line over a 2019 data breach affecting approximately 180,000 individuals nationwide. The breach exposed sensitive data including passport numbers, driver's licenses, payment card information, and health data, with a 10-month delay in notification. Carnival agreed to implement enhanced email security measures, a breach response plan, and an independent security assessment.
$1.3M
New Jersey, as part of a multistate coalition, settled with Carnival Cruise Line over a 2019 data breach that compromised personal information of approximately 180,000 employees and customers nationwide. The breach resulted from deficiencies in Carnival's data security program and delayed breach notification. Carnival will pay $1.25 million and implement enhanced email security and breach response measures.
$1.3M
The FTC settled with CafePress for failing to implement reasonable data security measures, leading to multiple breaches that exposed Social Security numbers and other sensitive data. As part of the settlement, over $370,000 in refunds are being distributed to 20,044 consumers who filed valid claims.
$370K
New Jersey participated in a multi-state settlement resolving an investigation into a 2017 data breach at Sabre Hospitality Solutions. Intruders accessed the company's hotel booking system from August 2016 to March 2017, compromising data from over 1.3 million consumer credit cards, including CVV numbers and expiration dates. Sabre failed to promptly notify affected consumers. The $2.4 million settlement requires Sabre to implement enhanced data security measures, develop a breach notification plan, clarify contractual responsibilities with client hotels, and undergo third-party security assessments.
$2.4M
California Attorney General Xavier Becerra, leading a multistate coalition of all 50 states, the District of Columbia, and Puerto Rico, announced a settlement with Equifax over a 2017 data breach that exposed personal information of 147 million consumers, including 15 million Californians. The breach resulted from Equifax’s failure to apply a critical software patch and implement adequate security measures, with disclosure delayed for months after discovery. Equifax will pay $175 million in state penalties, up to $425 million in consumer restitution, and implement enhanced data security measures and ten years of free credit monitoring for affected consumers.
$175.0M
ATA Consulting LLC, operating as Best Medical Transcription, settled for $200,000 over a 2016 server misconfiguration that publicly exposed health records of up to 1,654 patients. The settlement includes civil penalties and permanently bars the owner from operating a business in New Jersey. The breach violated HIPAA and the New Jersey Consumer Fraud Act due to inadequate security and failure to promptly notify affected individuals.
$200K
Uber Technologies, Inc. agreed to pay $148 million to settle a multi-state investigation into a data breach that compromised personal information of riders and drivers. The breach occurred in November 2016 but was not disclosed until November 2017. Uber must adopt new policies to safeguard consumer data.
$148.0M
Virtua Medical Group agreed to pay $417,816 and implement a corrective action plan to settle allegations that it failed to properly secure electronic protected health information (ePHI). A vendor's server misconfiguration publicly exposed the medical records of over 1,650 patients via Google searches. The New Jersey Division of Consumer Affairs found VMG violated HIPAA's Security and Privacy Rules by not adequately vetting the vendor's security and failing to conduct proper risk analysis.
$418K
In 2013, the California Attorney General filed a complaint against Citibank, N.A. alleging that the bank failed to implement adequate security measures and did not properly notify customers about a data breach exposing personal and financial information. The complaint asserts violations of California's data breach notification law.