
Privacy Enforcement Tracker

1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.

Total Actions: 1,285 | Jurisdictions: 14 | Total Fines Tracked: $35.3B+

HHS | Enforcement Action

Kenneth Young Center

Kenneth Young Center (Healthcare Provider, IL) reported a HIPAA breach affecting 6,842 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

Low | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

Medical Express Ambulance Inc. D/B/A Medex Ambulance

Medical Express Ambulance Inc. D/B/A Medex Ambulance (Healthcare Provider, IL) reported a HIPAA breach affecting 121,190 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

United Seating and Mobility, L.L.C., d/b/a Numotion

United Seating and Mobility, L.L.C., d/b/a Numotion (Healthcare Provider, TN) reported a HIPAA breach affecting 602,265 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

AMERICAN RENAL MANAGEMENT

AMERICAN RENAL MANAGEMENT (Business Associate, TN) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

Low | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

Empath-Stratum Inc. doing business as Empath Health

Empath-Stratum Inc. doing business as Empath Health (Healthcare Provider, FL) reported a HIPAA breach affecting 5,545 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.

Low | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

Therapeutic Health Services

Therapeutic Health Services (Healthcare Provider, WA) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

Low | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

Kootenai Health

Kootenai Health (Healthcare Provider, ID) reported a HIPAA breach affecting 464,088 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

Medical Billing Specialists, Inc.

Medical Billing Specialists, Inc. (Business Associate, MA) reported a HIPAA breach affecting 43,673 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

Medium | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

NorthBay Healthcare Corporation

NorthBay Healthcare Corporation (Healthcare Provider, CA) reported a HIPAA breach affecting 569,012 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

Cumberland Heights Foundation, Inc.

Cumberland Heights Foundation, Inc. (Healthcare Provider, TN) reported a HIPAA breach affecting 5,078 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.

Low | Data Breach | Health Data | Security Failure
FTC | Settlement

Cerebral, Inc. (Cerebral)

The FTC settled with telehealth firm Cerebral, Inc. for sharing sensitive consumer mental health data with third parties like LinkedIn, Snapchat, and TikTok for advertising without proper consent, employing sloppy security practices, and misleading consumers about cancellation policies. Cerebral must pay over $7 million (with $2 million due upfront), is permanently banned from using health information for most advertising, must implement a comprehensive privacy program, delete unnecessary data, and provide easy cancellation.

High | Unauthorized Data Sharing | Security Failure | Notice Failure

$7.0M

HHS | Enforcement Action

Gaia Software, LLC

Gaia Software, LLC (Business Associate, CO) reported a HIPAA breach affecting 56,676 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

Medium | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

UNC Hospitals

UNC Hospitals (Healthcare Provider, NC) reported a HIPAA breach affecting 3,142 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.

Low | Data Breach | Health Data | Security Failure
HHS | Enforcement Action

Delta Health System

Delta Health System (Healthcare Provider, MS) reported a HIPAA breach affecting 216,532 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.

High | Data Breach | Health Data | Security Failure
CT | Enforcement Action | Multistate

Meta Platforms, Inc. (Meta)

Connecticut Attorney General William Tong joined a bipartisan coalition of 41 attorneys general in sending a letter to Meta Platforms, Inc. to address the rising number of Facebook and Instagram account takeovers by scammers. The coalition criticizes Meta's inadequate security measures and calls for improved protections including multi-factor authentication, increased staffing for response, and stronger enforcement against scammers. The letter urges Meta to take immediate action to safeguard user accounts from hijacking and fraud.

Low | Security Failure
IL | Enforcement Action | Multistate

Meta Platforms Inc. (Meta)

A bipartisan coalition of 41 attorneys general, led by Illinois Attorney General Kwame Raoul, sent a letter to Meta Platforms Inc. calling for improved data security practices to protect users from account takeovers by scammers. The coalition cites a dramatic increase in account takeover complaints and urges Meta to increase staffing, implement multi-factor authentication, and take stronger enforcement actions against scammers.

Low | Security Failure
FTC | Consent Decree

X-Mode Social and Outlogic, LLC (X-Mode Social)

The FTC settled with data brokers X-Mode Social and Outlogic for selling precise location data without informed consent and failing to protect sensitive information. The proposed order bans the sale of sensitive location data, requires deletion of collected data, and mandates a comprehensive privacy program. This is the FTC's first action against a data broker for sensitive location data practices.

Low | Consent Failure | Geolocation Data | Opt-Out Failure
NY | Settlement

Refuah Health Center, Inc. (Refuah Health Center)

Refuah Health Center, Inc. failed to implement adequate data security measures, leading to a ransomware attack that compromised the personal and health information of approximately 250,000 New Yorkers. The New York Attorney General reached a settlement requiring Refuah to invest $1.2 million in cybersecurity improvements and pay $450,000 in penalties.

Medium | Security Failure | Health Data

$450K

FTC | Guidance

Website and Online Service Operators Covered by COPPA (COPPA-Covered Operators)

The FTC has proposed amendments to the COPPA Rule to enhance children's privacy protections. Key changes include requiring separate parental consent for targeted advertising, prohibiting conditioning access on data collection, limiting push notifications, strengthening data security and retention requirements, and restricting commercial use in educational technology. The proposal shifts responsibility from parents to companies to safeguard children's data.

Low | Children's Data | Consent Failure | Unauthorized Data Sharing
FTC | Consent Decree

Rite Aid

The FTC settled charges that Rite Aid deployed AI facial recognition technology in hundreds of stores from 2012 to 2020 without reasonable safeguards, resulting in false-positive matches that disproportionately harmed women and people of color. The proposed order bans Rite Aid from using facial recognition for surveillance for five years and requires comprehensive biometric data safeguards, data deletion, consumer notifications, and a certified security program.

High | Biometric Data | Security Failure | Dark Patterns
FTC | Consent Decree

Global Tel*Link Corp. (Global Tel*Link)

The FTC proposed a consent order against Global Tel*Link Corp. for failing to secure sensitive user data, leading to a breach affecting nearly 650,000 consumers, and for delaying notification for about nine months. The order requires the company to implement a comprehensive security program, notify affected users with credit monitoring, and report future breaches promptly.

Low | Security Failure | Breach Notification Delay
NJ | Settlement | Multistate

Morgan Stanley Smith Barney, LLC (Morgan Stanley)

New Jersey Attorney General Matthew Platkin announced a multistate settlement where Morgan Stanley will pay $1.27 million to NJ over data security incidents that compromised personal information of over 755,000 NJ residents and millions nationwide. The incidents involved improper decommissioning of devices and a software flaw, leading to unauthorized access. The settlement requires Morgan Stanley to strengthen its data security and disposal procedures.

High | Security Failure | Data Breach

$1.3M

NY | Settlement | Multistate

Morgan Stanley Smith Barney LLC (Morgan Stanley)

Morgan Stanley failed to properly decommission computer devices containing unencrypted customer data, leading to the sale of devices with personal information at auction and missing servers with potential data. A multistate coalition secured a $6.5 million settlement requiring Morgan Stanley to implement enhanced data security measures.

High | Security Failure | Data Breach

$6.5M

NY | Settlement

US Radiology Specialists, Inc. (US Radiology)

US Radiology Specialists, Inc. failed to upgrade its firewall, leading to a ransomware attack that compromised the personal and health data of over 198,000 patients, including 92,000 New Yorkers. The company agreed to pay $450,000 in penalties and implement comprehensive data security measures, including encryption and data deletion policies.

Medium | Security Failure | Data Breach | Health Data

$450K

NY | Settlement

Personal Touch Holding Corporation (Personal Touch)

New York Attorney General Letitia James secured a $350,000 settlement from Personal Touch Holding Corporation for failing to protect patient and employee data. A ransomware attack in January 2021 compromised the personal and medical information of approximately 316,845 New Yorkers due to inadequate security measures. As part of the agreement, Personal Touch must pay penalties, enhance its cybersecurity program, and provide free credit monitoring to affected individuals.

Medium | Security Failure | Data Breach | Health Data

$350K

NJ | Settlement | Multistate

Blackbaud

Blackbaud, a software company, experienced a ransomware attack in 2020 that exposed sensitive personal information, including protected health data, due to inadequate security practices and delayed breach notification. A multistate investigation resulted in a $49.5 million settlement, requiring Blackbaud to enhance data security, implement breach response plans, and undergo third-party assessments.

Critical | Data Breach | Security Failure | Breach Notification Delay

$49.5M

NY | Settlement | Multistate

Blackbaud

Blackbaud, a cloud company providing donor management software, experienced a 2020 data breach exposing personal information of millions of donors through its nonprofit customers. A multistate investigation found Blackbaud failed to implement adequate data security and delayed breach notifications. As a result, Blackbaud agreed to pay $49.5 million and overhaul its security practices.

Critical | Security Failure | Breach Notification Delay

$49.5M

NY | Consent Decree

Marymount Manhattan College

Marymount Manhattan College suffered a data breach in 2021 affecting 99,097 New Yorkers. The New York Attorney General found that MMC failed to secure its network infrastructure and update security policies. As part of the agreement, MMC must invest $3.5 million over six years to improve data encryption, enable multi-factor authentication, and implement other security measures.

Low | Security Failure | Data Breach | Student Data
FTC | Consent Decree

1Health.io (1Health)

The FTC finalized an order against 1Health.io for failing to secure genetic data and unfairly changing its privacy policy. The company must pay $75,000 for consumer refunds, destroy DNA samples, and implement security measures. It deceived consumers about data deletion and shared data without proper consent.

Low | Security Failure | Opt-Out Failure | Notice Failure

$75K

CT | Investigation | Multistate

Hyundai and Kia (Hyundai, Kia)

Connecticut Attorney General William Tong launched a consumer protection investigation into Hyundai and Kia for failing to equip vehicles with standard anti-theft immobilizers between 2011 and 2022, leading to high theft rates and public safety concerns. The investigation seeks records on the companies' decision-making and potential fixes, following a coalition of attorneys general calling for a federal recall.

Low | Security Failure
