Court Rules

Unauthorized Data Sharing Enforcement Actions

Federal and state enforcement actions involving unauthorized data sharing violations, tracked from official government sources.

Total Actions: 221

Total Fines: $11.1M

Jurisdictions: 12

TX

Meta (formerly known as Facebook)

Texas Attorney General Ken Paxton launched an investigation into Meta's Meta AI Glasses over allegations of unlawful facial biometric data collection, deceptive privacy practices, and unauthorized sharing of user data with subcontractors. The investigation follows concerns that the glasses' always-on recording mode lacks proper user notice, planned facial recognition features would collect data without consent, and private user videos are accessed by third-party annotators in Kenya. The AG issued a Civil Investigative Demand to Meta to determine violations of Texas privacy laws.

TX

Meta

Texas Attorney General Ken Paxton launched an investigation into Meta regarding its Meta AI Glasses, alleging unlawful collection of facial biometric data, deceptive privacy representations, and unauthorized sharing of user data with subcontractors. The investigation follows concerns that the glasses’ always-on recording mode lacks proper notice, subcontractors access private user content including intimate moments, and Meta plans to deploy facial recognition technology to collect unsuspecting individuals’ facial geometry. The AG issued a Civil Investigative Demand to determine if Meta violated Texas law by deceptively misrepresenting its data use practices.

TX

Drone Nerds, LLC

Texas Attorney General Ken Paxton initiated an investigation into Drone Nerds, LLC over its partnership with CCP-affiliated Anzu Robotics, which markets drones with concealed surveillance capabilities and unauthorized data collection risks. Drone Nerds is accused of deceiving Texas consumers by misrepresenting Anzu’s ties to China and falsely claiming the drones are U.S.-based with secure privacy practices. The investigation is being conducted under the Texas Deceptive Trade Practices Act, with a Civil Investigative Demand issued to gather evidence of consumer deception and privacy violations.

FTC

Kochava, Inc. and Collective Data Solutions (CDS)

The FTC settled charges with data broker Kochava, Inc. and its subsidiary Collective Data Solutions (CDS) over allegations that they sold precise location data from hundreds of millions of mobile devices without consumer consent, enabling tracking of visits to sensitive locations like reproductive health clinics and places of worship. The settlement prohibits the companies from selling or sharing sensitive location data without affirmative express consumer consent, and imposes compliance requirements including a sensitive location data program, supplier consent assessments, incident reporting, and data retention schedules. No monetary penalty was imposed.

FTC

Humor Rainbow, Inc. and Match Group Americas

The FTC settled with Humor Rainbow, Inc. (operator of OkCupid) and Match Group Americas over allegations that OkCupid deceived users by sharing personal data including photos and location information with an unauthorized third party, contrary to its privacy policy promises to inform users and provide opt-out opportunities. The settlement permanently prohibits the companies from misrepresenting their data collection, use, disclosure, and privacy control practices. No monetary penalty was imposed.

OR

Department of Education

The Oregon Attorney General and a coalition of 16 other states sued the Trump Administration to stop the Department of Education's new IPEDS data reporting requirements, arguing that they jeopardize student privacy, lack proper definitions, and risk data errors and identification.

CPPA

PlayOn Sports

The California Privacy Protection Agency settled with PlayOn Sports for $1.10 million over CCPA violations, including failing to provide adequate opt-out mechanisms and improperly tracking users, particularly students. The company must implement proper opt-out methods, improve disclosures, and comply with children's data consent requirements.

$1.1M

IL

U.S. Department of Agriculture

Attorney General Raoul secured a court order preventing the U.S. Department of Agriculture from collecting SNAP applicants' and recipients' personal data without an agreed-upon protocol that restricts sharing with unrelated entities like the Department of Homeland Security. The court found that the USDA's proposed protocol would violate federal law by allowing data use for immigration enforcement, contrary to the intended purpose of SNAP.

MA

U.S. Department of Agriculture

Massachusetts Attorney General Andrea Campbell secured a preliminary injunction from the U.S. District Court blocking the Trump Administration's USDA from cutting off SNAP funding to states that refuse to turn over personal data of SNAP applicants and recipients. The court found USDA's proposed data protocol unlawful because it allowed sharing data with entities unrelated to federal benefits administration.

CA

U.S. Department of Agriculture

California Attorney General Rob Bonta secured a second preliminary injunction from the U.S. District Court for the Northern District of California blocking the Trump Administration's demand that states turn over personal data of SNAP applicants and recipients. The court found the USDA's proposed data protocol would allow sharing of state data with entities unrelated to federal benefits administration, violating federal law.

HHS

Commonwealth Care Alliance

Commonwealth Care Alliance (Health Plan, MA) reported a HIPAA breach affecting 634 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

Weill Cornell Medicine

Weill Cornell Medicine (Healthcare Provider, NY) reported a HIPAA breach affecting 516 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

TX

Shein US Services LLC

Texas Attorney General Ken Paxton filed a lawsuit against Shein US Services LLC for selling toxic products and exposing consumers' personal data to the Chinese Communist Party. The lawsuit seeks monetary penalties under the Texas Deceptive Trade Practices Act. This action is part of a broader effort to protect Texans from health risks and CCP influence.

TX

PDD Holdings, Inc. and WhaleCo Inc.

Texas Attorney General Ken Paxton filed a lawsuit against Temu (PDD Holdings, Inc. and WhaleCo Inc.) for deceptive marketing practices and illegally harvesting Texans' personal data, which was then exposed to the Chinese Communist Party. The suit seeks monetary damages under the Texas Deceptive Trade Practices Act, with potential penalties of up to $10,000 per violation and higher for seniors. This is part of a broader effort to hold CCP-aligned companies accountable.

TX

PDD Holdings, Inc. and WhaleCo Inc. d/b/a Temu

Texas Attorney General Ken Paxton filed a lawsuit against PDD Holdings, Inc. and WhaleCo Inc., doing business as Temu, for deceptive marketing and unlawful covert harvesting of Texans’ personal data that was exposed to the Chinese Communist Party. The suit alleges Temu functions as a 'trojan horse' e-commerce app that bypasses security protocols to create a backdoor into users’ private data, which is stored on servers in China. The lawsuit seeks monetary relief under the Texas Deceptive Trade Practices Act, including up to $10,000 per violation and up to $250,000 per violation targeting consumers aged 65 or older.

TX

TP-Link Systems Inc.

Texas Attorney General Ken Paxton filed a lawsuit against TP-Link Systems Inc. for deceptively marketing its networking devices and enabling the Chinese Communist Party to access American consumers' devices. The lawsuit alleges that TP-Link's products have been used by PRC state-sponsored hackers and that the company is subject to Chinese laws requiring data disclosure. This is part of a coordinated effort to hold China-aligned companies accountable under Texas law.

HHS

Communications Workers of America Local 1180 Security Benefits Fund

Communications Workers of America Local 1180 Security Benefits Fund (Health Plan, NY) reported a HIPAA breach affecting 18,550 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record, Other.

FTC

Data Brokers

The Federal Trade Commission (FTC) sent warning letters to 13 data brokers reminding them of their obligations under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA). PADFAA prohibits data brokers from selling or providing sensitive personal data about Americans to foreign adversaries such as China, Russia, Iran, and North Korea. The letters warn that violations could result in civil penalties of up to $53,088 per violation and urge companies to review their business practices for compliance.

FTC

13 data brokers

The FTC issued warning letters to 13 data brokers reminding them of their obligations under the Protecting Americans' Data from Foreign Adversaries Act (PADFAA), which bans the sale or disclosure of sensitive personal data to foreign adversaries like China, Russia, Iran, and North Korea. The letters cite instances where recipients offered data on Armed Forces members, which is protected under PADFAA. Non-compliance could result in civil penalties up to $53,088 per violation.

FL

Shein

The Florida Attorney General's Office launched the CHINA Prevention Unit and issued a subpoena to Shein for deceptive trade practices and data privacy violations. The unit focuses on combating threats from foreign adversaries like the Chinese Communist Party to consumer data and economic security. This action is part of broader efforts to audit and hold accountable companies with ties to China.

HHS

Health and Hospital Corporation of Marion County

Health and Hospital Corporation of Marion County (Healthcare Provider, IN) reported a HIPAA breach affecting 792 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email, Laptop.

HHS

Lincoln National Corporation d/b/a/ Lincoln Financial

Lincoln National Corporation d/b/a/ Lincoln Financial (Health Plan, IN) reported a HIPAA breach affecting 998 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

NY

xAI

A bipartisan coalition of 35 state attorneys general led by New York Attorney General Letitia James sent a demand letter to xAI on January 26, 2026, requiring the company to address its Grok chatbot’s creation and sharing of nonconsensual intimate images, including child sexual abuse material. The AGs demand that xAI implement safeguards to prevent Grok from generating such content, delete existing harmful content, suspend offending users, and give X users control over whether their content can be edited by Grok. No monetary penalty has been imposed as this is a pre-enforcement demand for action.

CA

U.S. Department of Health and Human Services

California Attorney General Rob Bonta, alongside attorneys general from New York, Colorado, Illinois, and Minnesota, filed a motion for preliminary injunction to continue blocking the Trump Administration's unlawful freeze of $10 billion in federal funding for child care and family assistance programs and to prevent broad data requests for personally identifiable information of millions of residents. The funding freeze targets five Democratic-led states without evidence of fraud, and the data requests are part of the challenged unlawful actions. A temporary restraining order was previously granted blocking these measures.

HHS

Minnesota Department of Human Services

Minnesota Department of Human Services (Health Plan, MN) reported a HIPAA breach affecting 303,965 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.

FTC

General Motors LLC, General Motors Holdings LLC, and OnStar, LLC

The FTC settled with General Motors and OnStar over collecting and selling consumers' geolocation and driving behavior data without adequate notice or consent. The order prohibits sharing data with consumer reporting agencies and requires transparency and consumer choice measures.

HHS

TMG Health, Inc.

TMG Health, Inc. (Business Associate, TX) reported a HIPAA breach affecting 2,076 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.

HHS

Illinois Department of Human Services

Illinois Department of Human Services (Health Plan, IL) reported a HIPAA breach affecting 705,017 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.

CA

Trump Administration

California Attorney General Rob Bonta, on behalf of a multistate coalition, filed a motion in U.S. District Court to enforce a preliminary injunction that blocks the Trump Administration from demanding personal and sensitive information about Supplemental Nutrition Assistance Program (SNAP) recipients. The Administration has renewed its demand, threatening to withhold administrative funding from states that do not comply, which the AG argues violates the existing court order and federal law protecting the confidentiality of SNAP applicant data.

MA

Trump Administration

Massachusetts Attorney General Andrea Campbell filed a motion to enforce a preliminary injunction against the Trump Administration's demands for personal data of SNAP recipients. The court previously blocked such demands, but the administration renewed its request, threatening to withhold funding. The AG seeks to ensure compliance with federal privacy laws and protect SNAP recipients' sensitive information.

HHS

Exact Sciences Laboratories LLC

Exact Sciences Laboratories LLC (Healthcare Provider, WI) reported a HIPAA breach affecting 2,658 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

CareOregon

CareOregon (Health Plan, OR) reported a HIPAA breach affecting 5,473 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.

HHS

BlueCross BlueShield of Tennessee, Inc.

BlueCross BlueShield of Tennessee, Inc. (Business Associate, TN) reported a HIPAA breach affecting 780 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

HHS

Riverland Community Health

Riverland Community Health (Healthcare Provider, MN) reported a HIPAA breach affecting 940 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.

HHS

York Hospital

York Hospital (Healthcare Provider, ME) reported a HIPAA breach affecting 1,259 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

TapestryHealth

TapestryHealth (Healthcare Provider, CT) reported a HIPAA breach affecting 6,494 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other.

HHS

Anesthesiology & Pain Consultants, LLC

Anesthesiology & Pain Consultants, LLC (Healthcare Provider, LA) reported a HIPAA breach affecting 538 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other Portable Electronic Device.

TX

Sony, Samsung, LG, Hisense, TCL Technology Group

Texas Attorney General Ken Paxton filed a lawsuit against Sony, Samsung, LG, Hisense, and TCL Technology Group for using Automated Content Recognition (ACR) technology to collect Texans' viewing data without proper consent. A temporary restraining order was secured against Hisense to halt all data collection and sharing. The AG issued a consumer alert with instructions to disable ACR on smart TVs.

TX

Hisense

Texas Attorney General Ken Paxton obtained a temporary restraining order against Hisense, a Chinese smart TV manufacturer, to halt its collection of Texans' personal data through Automated Content Recognition technology without consent. The technology captures every sound and image on the TVs every 500 milliseconds and sells the data, with access granted to the Chinese Communist Party. The TRO prohibits Hisense from collecting, using, selling, sharing, disclosing, or transferring ACR data about Texans while the case continues.

TX

Sony, Samsung, LG, Hisense, and TCL Technology Group Corporation

Texas Attorney General Ken Paxton has filed lawsuits against five major TV manufacturers—Sony, Samsung, LG, Hisense, and TCL—for unlawfully collecting Texans' viewing data using Automated Content Recognition (ACR) technology without their knowledge or consent. The ACR software captures screenshots of TV displays every 500 milliseconds and transmits the data to the companies, which then sell it for targeted advertising. The AG's office alleges these practices violate Texas privacy laws and seeks to enjoin the companies from continuing the surveillance.

TX

Sony, Samsung, LG, Hisense, TCL Technology Group Corporation

Texas Attorney General Ken Paxton filed a lawsuit against five major TV manufacturers—Sony, Samsung, LG, Hisense, and TCL—for illegally collecting consumers' viewing data through Automated Content Recognition (ACR) technology without knowledge or consent. The companies capture screenshots and monitor TV usage in real-time, then sell the data for targeted advertising, risking sensitive information. The suit seeks to halt these invasive practices and protect Texans' privacy.

HHS

FPMCM LLC

FPMCM LLC (Business Associate, TN) reported a HIPAA breach affecting 2,072 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

HHS

OCAT, LLC dba Evoke Wellness at Hilliard

OCAT, LLC dba Evoke Wellness at Hilliard (Healthcare Provider, OH) reported a HIPAA breach affecting 1,629 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

HHS

Heart of Texas Behavioral Health Network

Heart of Texas Behavioral Health Network (Healthcare Provider, TX) reported a HIPAA breach affecting 1,309 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

FL

TP-Link Systems Inc.

Florida Attorney General James Uthmeier issued an investigative subpoena to TP-Link Systems Inc. as part of a consumer protection investigation into the company’s cybersecurity practices, supply-chain infrastructure, and handling of U.S. consumer data, including allegations of unauthorized data sharing with the Chinese Communist Party. The probe will determine if TP-Link misled customers about foreign government access to their personal data, which would violate the Florida Deceptive and Unfair Trade Practices Act, with no findings of wrongdoing yet.

HHS

ConvenientMD LLC

ConvenientMD LLC (Healthcare Provider, NH) reported a HIPAA breach affecting 1,332 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

CA

U.S. Department of Homeland Security

California Attorney General Rob Bonta co-led a coalition of 18 attorneys general in submitting a comment letter opposing the Department of Homeland Security's expansion of the Systematic Alien Verification for Entitlements (SAVE) program to include U.S.-born citizens. The coalition argues the expansion violates the Privacy Act of 1974, creates a massive surveillance database, increases data breach risks, and will lead to inaccurate verifications and denial of benefits.

HHS

Henry Ford Health

Henry Ford Health (Healthcare Provider, MI) reported a HIPAA breach affecting 1,984 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Desktop Computer.

CT

Greystar Management Services LLC

Connecticut Attorney General William Tong joined a bipartisan coalition of nine states in a $7 million settlement with Greystar Management Services LLC, the largest U.S. landlord, for anticompetitive algorithmic pricing practices. Greystar shared competitively sensitive data with competitors via RealPage's algorithms and discussed pricing strategies, leading to inflated rents. The consent decree prohibits such conduct, requires monitoring if using uncertified algorithms, and bars participation in RealPage competitor meetings.

$7.0M

HHS

Marrs Ear, Nose & Throat, PA

Marrs Ear, Nose & Throat, PA (Healthcare Provider, FL) reported a HIPAA breach affecting 6,376 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

HHS

West Suburban Eye Surgery Center LLC

West Suburban Eye Surgery Center LLC (Business Associate, MA) reported a HIPAA breach affecting 500 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

HHS

Incyte Pathology, P.S.

Incyte Pathology, P.S. (Healthcare Provider, WA) reported a HIPAA breach affecting 629 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

HHS

Better Vision Eyecare, LLC

Better Vision Eyecare, LLC (Healthcare Provider, AZ) reported a HIPAA breach affecting 501 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

HHS

Legacy Health, LLC

Legacy Health, LLC (Business Associate, TX) reported a HIPAA breach affecting 6,547 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

HHS

Express Canna Cards, LLC

Express Canna Cards, LLC (Healthcare Provider, FL) reported a HIPAA breach affecting 5,000 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

NY

Wojeski & Company

New York Attorney General Letitia James settled with public accounting firm Wojeski & Company over two data breaches in 2023 and 2024 that exposed personal information of over 4,700 New York residents, including Social Security numbers and medical benefits. The firm failed to implement adequate data security measures, did not encrypt sensitive data, and delayed notifying affected consumers of the breaches for over a year. Wojeski must pay $60,000 in penalties and implement enhanced cybersecurity measures including encryption, incident response plans, and employee training.

$60K

FL

Roku, Inc.

Florida Attorney General James Uthmeier filed a civil enforcement action against Roku, Inc. for violating the Florida Digital Bill of Rights (FDBOR) and Florida Deceptive and Unfair Trade Practices Act (FDUTPA). The complaint alleges Roku collected, sold, and enabled reidentification of children’s sensitive personal data, including viewing habits and voice recordings, without parental consent or meaningful notice to consumers. The state seeks civil penalties, injunctive relief, and requirements for Roku to implement transparent disclosures, lawful parental controls, and cease unauthorized processing of children’s data.

TX

TP-Link Systems Inc.

The Texas Attorney General opened an investigation into TP-Link Systems Inc. for potentially allowing the Chinese government to access Texans' consumer data through back doors in networking equipment. The investigation will examine whether TP-Link violated Texas privacy law by misleading consumers about its independence and improperly collecting or disclosing data. This follows a prior privacy notice violation issued to the company.

HHS

Arizona Health Care Cost Containment System- State Medicaid Agency

Arizona Health Care Cost Containment System- State Medicaid Agency (Health Plan, AZ) reported a HIPAA breach affecting 3,177 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

HHS

Florida Health Sciences Center, Inc

Florida Health Sciences Center, Inc (Healthcare Provider, FL) reported a HIPAA breach affecting 896 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

Harris County Hospital District d/b/a Harris Health

Harris County Hospital District d/b/a Harris Health (Healthcare Provider, TX) reported a HIPAA breach affecting 5,357 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

CA

City of El Cajon and El Cajon Police Department

California Attorney General Rob Bonta filed a lawsuit against the City of El Cajon for unlawfully sharing Automated License Plate Reader (ALPR) data with over 100 out-of-state law enforcement agencies, violating state law that restricts such data to California public agencies. The AG is seeking a court order to halt the sharing and compel compliance with state privacy protections.

CPPA

Tractor Supply Company

The California Privacy Protection Agency (CPPA) settled with Tractor Supply Company for $1.35 million over violations of the California Consumer Privacy Act (CCPA). The violations included failing to maintain a proper privacy policy, not notifying job applicants of their rights, lacking an effective opt-out mechanism, and sharing personal information without adequate contracts. Tractor Supply must pay the fine and implement remedial measures such as scanning digital properties and annual compliance certification.

$1.4M

HHS

Weekend Health, LLC

Weekend Health, LLC (Business Associate, NY) reported a HIPAA breach affecting 1,643 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.

HHS

Blue Shield of California

Blue Shield of California (Business Associate, CA) reported a HIPAA breach affecting 607 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

Gainwell Technologies LLC

Gainwell Technologies LLC (Business Associate, TX) reported a HIPAA breach affecting 912 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other.

HHS

VIVA Health

VIVA Health (Health Plan, AL) reported a HIPAA breach affecting 4,945 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other.

NY

United States Department of Agriculture (USDA)

A coalition of 21 state attorneys general led by New York Attorney General Letitia James obtained a temporary restraining order from the District Court for the Northern District of California blocking the USDA from demanding personally identifiable information of all SNAP recipients, including Social Security numbers, home addresses, and immigration statuses. The lawsuit argued that the USDA’s demand violated federal and state laws prohibiting disclosure of SNAP data except in narrow circumstances, and that the data would be used for immigration enforcement against recipients. The order also prohibits the USDA from withholding SNAP funding from plaintiff states that refuse to comply with the data demand.

HHS

Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice (“Treasure Health”)

Health & Palliative Services of the Treasure Coast, Inc d/b/a Treasure Coast Hospice (“Treasure Health”) (Healthcare Provider, FL) reported a HIPAA breach affecting 13,230 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

NY

United States Department of Agriculture

New York Attorney General Letitia James and a coalition of 20 other states sued the U.S. Department of Agriculture to stop its demand for personal information of SNAP recipients for immigration enforcement. The District Court issued a temporary restraining order blocking USDA's demand and preventing funding cuts, citing violations of laws protecting SNAP data confidentiality.

HHS

Munson Healthcare

Munson Healthcare (Healthcare Provider, MI) reported a HIPAA breach affecting 1,186 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

Western Skies Wellness LLC

Western Skies Wellness LLC (Healthcare Provider, OR) reported a HIPAA breach affecting 1,700 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record, Other.

FL

Lorex

Florida Attorney General James Uthmeier issued a subpoena to Lorex as part of an ongoing consumer protection and data privacy investigation. The probe examines Lorex’s ties to Dahua Technology and potential foreign spying risks, including unauthorized access to children’s data, and whether the company misled consumers about the privacy and security of its camera products and apps. The subpoena seeks documents related to corporate structure, third-party contracts, software update origins, data center locations, security vulnerabilities, and marketing claims about privacy and security.

HHS

Prime Therapeutics LLC

Prime Therapeutics LLC (Business Associate, MN) reported a HIPAA breach affecting 2,266 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Laptop.

HHS

Independent Health Association, Inc.

Independent Health Association, Inc. (Health Plan, NY) reported a HIPAA breach affecting 637 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other.

CT

U.S. Department of Agriculture

Attorney General William Tong is seeking a preliminary injunction to block the U.S. Department of Agriculture from forcing states to share private data of SNAP participants, including Social Security numbers and shopping history. USDA is threatening to cut off administrative funding if states do not comply, which AG Tong argues violates federal privacy laws and the Constitution.

TX

Meta AI Studio and Character.AI

Texas Attorney General Ken Paxton has opened an investigation into Meta AI Studio and Character.AI for deceptive practices in marketing AI chatbots as mental health services to children. The platforms are accused of impersonating licensed professionals, fabricating qualifications, and exploiting user data for advertising without proper disclosure. Civil Investigative Demands have been issued to examine violations of Texas consumer protection laws and the SCOPE Act.

HHS

Bevel Health Medical Group

Bevel Health Medical Group (Healthcare Provider, PA) reported a HIPAA breach affecting 510 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

HHS

Zelis Healthcare LLC

Zelis Healthcare LLC (Business Associate, MA) reported a HIPAA breach affecting 4,289 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

UnitedHealthcare

UnitedHealthcare (Health Plan, CT) reported a HIPAA breach affecting 3,215 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

Berkshire Health Systems, Inc.

Berkshire Health Systems, Inc. (Healthcare Provider, MA) reported a HIPAA breach affecting 1,421 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

CT

U.S. Department of Agriculture

Attorney General William Tong, leading a coalition of 22 states, filed a lawsuit against the U.S. Department of Agriculture for demanding that states disclose sensitive personal data of SNAP recipients. The demand violates federal privacy laws and the Constitution, and threatens to withhold critical funding. The lawsuit seeks to block USDA from conditioning SNAP administrative funds on data disclosure.

HHS

University of Miami

University of Miami (Healthcare Provider, FL) reported a HIPAA breach affecting 2,928 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Electronic Medical Record.

NY

United States Department of Agriculture

New York Attorney General Letitia James, joined by 20 other states and Kentucky, filed a lawsuit challenging the Trump administration's policy requiring states to disclose personal information of SNAP recipients to federal agencies. The policy violates privacy laws by demanding sensitive data like Social Security numbers for potential immigration enforcement. The coalition seeks a court injunction to stop the illegal data sharing.

NJ

U.S. Department of Agriculture

New Jersey Attorney General Matthew J. Platkin joined a coalition of 20 attorneys general in filing a lawsuit against the U.S. Department of Agriculture (USDA) for demanding that states turn over sensitive personal information of SNAP recipients, including Social Security numbers and addresses. The lawsuit argues that this demand violates federal privacy laws and the Constitution, as the data is protected and should only be used for program administration. The coalition seeks to block USDA from conditioning SNAP funding on compliance with this demand.

CA

United States Department of Agriculture (USDA)

New York Attorney General Letitia James joined a multistate coalition of 21 attorneys general and Kentucky in filing a lawsuit against the U.S. Department of Agriculture (USDA) challenging its illegal demand for personally identifiable information of over 40 million SNAP recipients. The coalition alleges the USDA’s requirement that states turn over SNAP recipients’ Social Security numbers, addresses, and immigration statuses violates federal and state laws prohibiting disclosure of SNAP data for non-program purposes, and that the data will be shared across federal agencies for unauthorized immigration enforcement. The coalition seeks a declaratory judgment declaring the policy illegal and a nationwide injunction preventing enforcement of the data demand.

MA

U.S. Department of Agriculture

Massachusetts Attorney General Andrea Campbell, joined by a coalition of 21 states and Kentucky, filed a lawsuit challenging the U.S. Department of Agriculture's demand that states turn over sensitive personal data of SNAP recipients. The lawsuit argues that this demand violates federal privacy laws and the Spending Clause, threatening the privacy of millions of low-income families and coercing states by threatening funding cuts.

HHS

Blue Shield of California

Blue Shield of California (Health Plan, CA) reported a HIPAA breach affecting 783 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Laptop, Network Server, Other.

CA

Healthline Media LLC

California Attorney General Rob Bonta announced a $1.55 million settlement with health information website publisher Healthline Media LLC, resolving allegations that the company violated the CCPA and Unfair Competition Law. Violations included failing to honor consumer opt-out requests, sharing sensitive health data with third parties without required privacy protections, and using deceptive consent banners that did not disable tracking cookies. The settlement imposes injunctive terms, compliance requirements, and a civil penalty, marking the largest CCPA settlement to date.

$1.6M

HHS

Clinical Practices of the University of Pennsylvania

Clinical Practices of the University of Pennsylvania (Healthcare Provider, PA) reported a HIPAA breach affecting 1,432 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

Minneapolis VA Medical Center

Minneapolis VA Medical Center (Healthcare Provider, MN) reported a HIPAA breach affecting 1,099 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.

HHS

Blue Shield of California

Blue Shield of California (Business Associate, CA) reported a HIPAA breach affecting 673 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

HHS

Winkler County Hospital District

Winkler County Hospital District (Healthcare Provider, TX) reported a HIPAA breach affecting 637 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

FL

Contec, Epsimed

Florida Attorney General James Uthmeier issued subpoenas to Contec and Epsimed for selling medical devices that transmit patient data to China without adequate security. The companies are accused of violating Florida's Deceptive and Unfair Trade Practices Act by misrepresenting FDA approval and concealing cybersecurity vulnerabilities. The AG seeks damages, civil penalties, and injunctive relief to protect consumers.

FL

Contec and Epsimed

Florida Attorney General James Uthmeier issued subpoenas to Contec, a Chinese medical device manufacturer, and Epsimed, a Miami-based reseller, over allegations that their patient monitors contain backdoors and automatically transmit patient data to China without consent. The companies are accused of violating Florida's Deceptive and Unfair Trade Practices Act by omitting material security vulnerabilities and making false representations about FDA approval and product quality. The AG may seek damages, civil penalties, and injunctive relief in future enforcement.

HHS

AltaMed Health Services Corporation

AltaMed Health Services Corporation (Healthcare Provider, CA) reported a HIPAA breach affecting 4,530 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.

TX

23andMe

Texas Attorney General Ken Paxton filed a lawsuit in the 23andMe bankruptcy case to prevent the sale of Texans' genetic data without proper consent. The action seeks to confirm Texans' property rights over their genetic information under the Texas Data Privacy and Security Act and the Texas Direct-to-Consumer Genetic Testing Act. The AG argues that 23andMe's proposed asset sale would violate Texas law requiring separate express consent for disclosure of genetic information.

NY

23andMe, Inc.

New York Attorney General Letitia James, joined by 27 other state attorneys general and the District of Columbia, filed a lawsuit against 23andMe to block the company’s planned sale of 15 million customers’ genetic and health data without their consent or knowledge. The coalition argues 23andMe must comply with state laws requiring express informed consent for the sale or transfer of sensitive genetic data. The lawsuit seeks to prevent misuse, exposure in future breaches, and unauthorized use of customers’ private genetic information.

CT

23andMe

Connecticut joined a coalition of 28 attorneys general to object to 23andMe's proposed sale of genetic data in bankruptcy without customer consent. The states argue such sensitive information requires express consent and cannot be sold like ordinary property. Attorney General Tong also advised consumers to delete their data and genetic samples.

HHS

Centivo Corporation

Centivo Corporation (Business Associate, GA) reported a HIPAA breach affecting 630 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.