1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,285
Total Actions
14
Jurisdictions
$35.3B+
Total Fines Tracked
New York Attorney General Letitia James secured a $500,000 settlement with orthopedics practice OrthopedicsNY, LLP for failing to implement adequate data security measures, leading to a 2023 cyberattack that exposed personal and health information of approximately 656,000 patients and employees. The settlement requires OrthopedicsNY to pay the penalty, fund one year of free credit monitoring for affected individuals, and adopt enhanced data security practices including multifactor authentication, encryption, and annual risk assessments.
$500K
New York, California, and Connecticut attorneys general reached a $5.1 million settlement with educational technology company Illuminate Education, Inc. for failing to protect student data, resulting in a 2022 breach exposing millions of students’ personal information. The investigation found Illuminate failed to implement basic security measures including data encryption, suspicious activity monitoring, and proper decommissioning of inactive user accounts, and did not delete student data when required by contracts. Illuminate must pay the penalty and implement enhanced data security measures including a comprehensive information security program, encryption of student data, and annual notice to schools about data collection and deletion options.
$5.1M
New York Attorney General Letitia James settled with public accounting firm Wojeski & Company over two data breaches in 2023 and 2024 that exposed personal information of over 4,700 New York residents, including social security numbers and medical benefits. The firm failed to implement adequate data security measures, did not encrypt sensitive data, and delayed notifying affected consumers of the breaches for over a year. Wojeski must pay $60,000 in penalties and implement enhanced cybersecurity measures including encryption, incident response plans, and employee training.
$60K
New York Attorney General Letitia James secured $14.2 million in settlements from eight car insurance companies for failing to implement reasonable data security controls, leading to data breaches that exposed over 825,000 New Yorkers' personal information including driver's license numbers and dates of birth. Hackers exploited vulnerabilities in the companies' online quoting tools to steal the data, which was later used to file fraudulent unemployment claims during the COVID-19 pandemic. The settlements require the companies to pay penalties and implement enhanced cybersecurity measures including data inventory maintenance, multifactor authentication, and improved threat response procedures.
$14.2M
New York Attorney General Letitia James secured $14.2 million in settlements from eight car insurance companies for failing to protect consumers' personal information. The companies' inadequate cybersecurity allowed hackers to steal driver's license numbers and other data through online quoting tools, impacting over 825,000 New Yorkers. The settlements require the companies to pay penalties and implement enhanced data security measures.
$14.2M
New York Attorney General Letitia James reached a $975,000 settlement with Root Insurance Company over a data breach that exposed the personal information of approximately 45,000 New York residents. The breach, discovered in January 2021, stemmed from Root’s inadequate data security measures, including unencrypted driver’s license numbers in quote PDFs and insufficient controls against automated attacks. In addition to the monetary penalty, Root must implement enhanced data security measures including a comprehensive information security program, data inventory, and monitoring systems.
$975K
New York Attorney General Letitia James filed a lawsuit against National General and Allstate Insurance Company for two data breaches in 2020 and 2021 that exposed the driver’s license numbers of over 165,000 New York residents. The AG alleges National General failed to implement reasonable data security measures, did not notify consumers or state agencies of the first breach, and left systems vulnerable to a second larger breach after Allstate took over data security operations. The AG is seeking monetary penalties and an injunction to prevent further violations.
New York Attorney General Letitia James led a coalition of 11 other attorneys general in filing a lawsuit against the Trump administration for illegally granting Elon Musk and DOGE unauthorized access to the Treasury Department’s central payment system, exposing Social Security numbers, bank account information, and other private data of tens of millions of Americans. A federal judge granted a temporary restraining order on February 8, 2025, blocking access and ordering destruction of all obtained records, with the coalition seeking a preliminary injunction to continue the bar on unauthorized access.
New York Attorney General Letitia James settled with auto insurance company Noblr for $500,000 over a data breach that exposed personal information of approximately 80,000 New York residents. The breach, discovered in January 2021, was caused by Noblr’s failure to implement reasonable data security safeguards, including exposing plaintext driver’s license numbers and failing to monitor site traffic for malicious activity. In addition to the monetary penalty, Noblr must enhance its data security program, implement monitoring systems, and maintain a data inventory of private information.
$500K
New York Attorney General Letitia James secured a $550,000 settlement from Hudson Valley health care operator HealthAlliance over a 2023 data breach that compromised the personal and medical information of 242,641 New Yorkers. The breach occurred after HealthAlliance failed to patch a known vulnerability in its web application system, allowing cyberattackers to exfiltrate patient and employee data. As part of the settlement, HealthAlliance must pay the penalty and implement enhanced cybersecurity measures including a comprehensive security program, patch management policy, and data inventory requirements.
$550K
GEICO and Travelers were fined $11.3 million for data breaches that exposed personal information of over 120,000 New Yorkers due to inadequate cybersecurity. The breaches involved driver's license numbers being stolen and used in fraudulent unemployment claims. The settlements mandate enhanced security measures and penalties.
$11.3M
New York Attorney General Letitia James and New York State Department of Financial Services (DFS) Superintendent Adrienne Harris settled with auto insurers GEICO and Travelers for $11.3 million combined over data breaches that exposed over 120,000 New Yorkers’ personal information, including driver’s license numbers and dates of birth. The breaches stemmed from insufficient data security controls, allowing hackers to steal information and file fraudulent unemployment claims during the COVID-19 pandemic. The settlements require the companies to pay penalties and implement enhanced cybersecurity measures including comprehensive information security programs, data inventories, and improved access controls.
$11.3M
New York Attorney General Letitia James reached a $250,000 settlement with National Amusements, Inc. after an investigation found the movie theater operator failed to implement adequate data security, leading to a breach exposing personal information of over 23,000 New York employees. The company also violated the New York Shield Act by delaying notification to affected individuals for more than a year after the breach. As part of the settlement, National Amusements must pay the penalty and implement enhanced cybersecurity measures including encryption, password policies, and an incident response plan.
$250K
New York Attorney General Letitia James reached a settlement with Albany ENT & Allergy Services (AENT) over two 2023 ransomware attacks that compromised the medical records of over 200,000 New Yorkers. The OAG found AENT failed to maintain reasonable data security safeguards, inadequately oversaw third-party security vendors, and initially failed to disclose all exposed consumer data to the state. AENT will pay $1 million in penalties (with $500,000 suspended pending $2.25 million in security investments) and implement comprehensive data security measures including encryption, multi-factor authentication, and vendor oversight.
$1.0M
A multistate coalition of 50 attorneys general led by New York AG Letitia James reached a $52 million settlement with Marriott International, Inc. over a 2014-2018 data breach of its Starwood subsidiary’s guest reservation database that exposed 131.5 million consumers’ personal information. The breach, which went undetected for four years, compromised contact details, dates of birth, passport numbers, payment card information, and loyalty program data. Marriott is required to overhaul its data security practices, implement new compliance measures, and allow customers to delete their stored data as part of the settlement.
$52.0M
New York Attorney General Letitia James, along with the Attorneys General of Connecticut and New Jersey, settled with Enzo Biochem, Inc. for $4.5 million over a 2023 ransomware attack that exposed health and personal data of 2.4 million patients, including 1.4 million New York residents. The investigation found Enzo had inadequate data security practices, including shared employee login credentials, lack of multi-factor authentication, no suspicious activity monitoring, and unencrypted personal information. As part of the settlement, Enzo will pay the penalty and implement enhanced cybersecurity measures including MFA, encryption, risk assessments, and an incident response plan.
$4.5M
Morgan Stanley failed to properly decommission computer devices containing unencrypted customer data, leading to the sale of devices with personal information at auction and missing servers with potential data. A multistate coalition secured a $6.5 million settlement requiring Morgan Stanley to implement enhanced data security measures.
$6.5M
US Radiology Specialists, Inc. failed to upgrade its firewall, leading to a ransomware attack that compromised the personal and health data of over 198,000 patients, including 92,000 New Yorkers. The company agreed to pay $450,000 in penalties and implement comprehensive data security measures, including encryption and data deletion policies.
$450K
New York Attorney General Letitia James secured a $350,000 settlement from Personal Touch Holding Corporation for failing to protect patient and employee data. A ransomware attack in January 2021 compromised the personal and medical information of approximately 316,845 New Yorkers due to inadequate security measures. As part of the agreement, Personal Touch must pay penalties, enhance its cybersecurity program, and provide free credit monitoring to affected individuals.
$350K
Marymount Manhattan College suffered a data breach in 2021 affecting 99,097 New Yorkers. The New York Attorney General found that MMC failed to secure its network infrastructure and update security policies. As part of the agreement, MMC must invest $3.5 million over six years to improve data encryption, enable multi-factor authentication, and implement other security measures.
All data sourced from official government enforcement pages.