1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,285
Total Actions
14
Jurisdictions
$35.3B+
Total Fines Tracked
New York Attorney General Letitia James secured a $500,000 settlement with orthopedics practice OrthopedicsNY, LLP for failing to implement adequate data security measures, leading to a 2023 cyberattack that exposed personal and health information of approximately 656,000 patients and employees. The settlement requires OrthopedicsNY to pay the penalty, fund one year of free credit monitoring for affected individuals, and adopt enhanced data security practices including multifactor authentication, encryption, and annual risk assessments.
$500K
New York Attorney General Letitia James reached a $975,000 settlement with Root Insurance Company over a data breach that exposed the personal information of approximately 45,000 New York residents. The breach, discovered in January 2021, stemmed from Root’s inadequate data security measures, including unencrypted driver’s license numbers in quote PDFs and insufficient controls against automated attacks. In addition to the monetary penalty, Root must implement enhanced data security measures including a comprehensive information security program, data inventory, and monitoring systems.
$975K
New York Attorney General Letitia James settled with Saturn Technologies, developer of the Saturn social networking app for high school students, over failures to protect young users’ privacy. The Office of the Attorney General found the company disabled required email verification for thousands of schools, used inadequate age and identity checks, retained user contact data after access was revoked, and failed to maintain proper privacy records. Saturn will pay $650,000 in penalties and implement enhanced privacy protections for minor users, including mandatory bi-annual privacy setting reviews and data deletion requirements.
$650K
New York Attorney General Letitia James secured a $450,000 settlement from three companies distributing eufy-branded home security cameras for failing to implement adequate data security measures. The companies’ cameras had unencrypted video streams accessible without authentication, exposing private consumer footage. The settlement requires the companies to implement stronger security protocols, including encryption, vulnerability testing, and a comprehensive information security program.
$450K
New York Attorney General Letitia James announced a settlement with Equifax Information Services, LLC for inaccurately reporting credit scores to lenders due to a coding error, which lowered consumers' scores and inflated costs for loans and insurance between March and April 2022. Equifax will pay $725,000 and implement safeguards to prevent future errors, with restitution for affected consumers.
$725K
New York Attorney General Letitia James settled with auto insurance company Noblr for $500,000 over a data breach that exposed personal information of approximately 80,000 New York residents. The breach, discovered in January 2021, was caused by Noblr’s failure to implement reasonable data security safeguards, including exposing plaintext driver’s license numbers and failing to monitor site traffic for malicious activity. In addition to the monetary penalty, Noblr must enhance its data security program, implement monitoring systems, and maintain a data inventory of private information.
$500K
New York Attorney General Letitia James secured a $550,000 settlement from Hudson Valley health care operator HealthAlliance over a 2023 data breach that compromised the personal and medical information of 242,641 New Yorkers. The breach occurred after HealthAlliance failed to patch a known vulnerability in its web application system, allowing cyberattackers to exfiltrate patient and employee data. As part of the settlement, HealthAlliance must pay the penalty and implement enhanced cybersecurity measures including a comprehensive security program, patch management policy, and data inventory requirements.
$550K
New York Attorney General Letitia James reached a $250,000 settlement with National Amusements, Inc. after an investigation found the movie theater operator failed to implement adequate data security, leading to a breach exposing personal information of over 23,000 New York employees. The company also violated the New York Shield Act by delaying notification to affected individuals for more than a year after the breach. As part of the settlement, National Amusements must pay the penalty and implement enhanced cybersecurity measures including encryption, password policies, and an incident response plan.
$250K
New York Attorney General Letitia James reached a settlement with Albany ENT & Allergy Services (AENT) over two 2023 ransomware attacks that compromised the medical records of over 200,000 New Yorkers. The OAG found AENT failed to maintain reasonable data security safeguards, inadequately oversaw third-party security vendors, and initially failed to disclose all exposed consumer data to the state. AENT will pay $1 million in penalties (with $500,000 suspended pending $2.25 million in security investments) and implement comprehensive data security measures including encryption, multi-factor authentication, and vendor oversight.
$1.0M
College Board licensed student data to third parties and used it for marketing without proper consent, violating New York law. The settlement requires College Board to pay $750,000 and prohibits future commercial use of student data from school-administered exams.
$750K
Refuah Health Center, Inc. failed to implement adequate data security measures, leading to a ransomware attack that compromised the personal and health information of approximately 250,000 New Yorkers. The New York Attorney General reached a settlement requiring Refuah to invest $1.2 million in cybersecurity improvements and pay $450,000 in penalties.
$450K
NewYork-Presbyterian Hospital used third-party tracking tools on its website that collected and shared patients' health information with tech companies without adequate safeguards, violating HIPAA. The hospital agreed to pay $300,000 and implement enhanced privacy policies, data deletion, and regular audits.
$300K
US Radiology Specialists, Inc. failed to upgrade its firewall, leading to a ransomware attack that compromised the personal and health data of over 198,000 patients, including 92,000 New Yorkers. The company agreed to pay $450,000 in penalties and implement comprehensive data security measures, including encryption and data deletion policies.
$450K
New York Attorney General Letitia James secured a $350,000 settlement from Personal Touch Holding Corporation for failing to protect patient and employee data. A ransomware attack in January 2021 compromised the personal and medical information of approximately 316,845 New Yorkers due to inadequate security measures. As part of the agreement, Personal Touch must pay penalties, enhance its cybersecurity program, and provide free credit monitoring to affected individuals.
$350K
All data sourced from official government enforcement pages.