1,285 enforcement actions from 14 federal and state jurisdictions. Every event traced back to its official government source.
1,285
Total Actions
14
Jurisdictions
$35.3B+
Total Fines Tracked
Datamasters, a data broker, failed to register with the California Data Broker Registry as required by the Delete Act. The company sold sensitive personal information including health conditions, age, race, and political views. As a result, it must pay a $45,000 fine and cease all sales of Californians' personal information.
$45K
Pit River Health Service Inc. (Healthcare Provider, CA) reported a HIPAA breach affecting 1,800 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Methodist Homes of Alabama and Northwest Florida (Healthcare Provider, AL) reported a HIPAA breach affecting 1,406 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Virginia Attorney General Jay Jones announced intent to enforce new provisions of the Virginia Consumer Data Protection Act that limit minors' social media usage to one hour per day without parental consent. The law, effective January 1, 2026, requires age verification and verifiable parental consent to change time limits, with potential penalties up to $7,500 per violation and injunctive relief. This follows a motion to dismiss a lawsuit by NetChoice challenging the law.
Andover Eye Associates (Healthcare Provider, MA) reported a HIPAA breach affecting 1,638 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Steel Encounters, Inc. (Healthcare Provider, UT) reported a HIPAA breach affecting 959 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Advanced Healthcare Professionals (Healthcare Provider, TX) reported a HIPAA breach affecting 800 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
The Connecticut Attorney General reached an agreement with Hartford Healthcare to address antitrust concerns in the acquisition of Manchester Memorial and Rockville General hospitals from Prospect Medical. The agreement includes conditions to limit cost increases, waive physician non-compete clauses, and maintain medical staff privileges to protect competition and physician mobility. This resolves the antitrust review under the state's notice of material change statute.
Associated Radiologists of the Finger Lakes, P.C. (Business Associate, NY) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Exact Sciences Laboratories LLC (Healthcare Provider, WI) reported a HIPAA breach affecting 2,658 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
Docs Medical Group, Inc. dba Pulse Urgent Care (Healthcare Provider, CA) reported a HIPAA breach affecting 4,035 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
CareOregon (Health Plan, OR) reported a HIPAA breach affecting 5,473 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
BlueCross BlueShield of Tennessee, Inc. (Business Associate, TN) reported a HIPAA breach affecting 780 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Email.
Glendale Obstetrics & Gynecology PCA (Healthcare Provider, AZ) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Health and civil rights enforcement action. Oregon Attorney General Dan Rayfield led a coalition of 19 states and the District of Columbia in filing a lawsuit against the U.S. Department of Health and Human Services (HHS). The suit challenges a December 18, 2025 HHS 'declaration' that claims certain gender-affirming care is 'unsafe and ineffective' and threatens to exclude providers from Medicare/Medicaid for offering such care. The attorneys general argue HHS violated federal administrative law by implementing a major policy change without required notice-and-comment rulemaking, creating fear for patients and providers and threatening state Medicaid programs.
Connecticut Attorney General William Tong, leading a coalition of 35 attorneys general, urged Meta to enforce its policies against misleading AI-generated weight loss ads on Instagram and Facebook. The ads promote non-FDA approved GLP-1 drugs without disclosing risks and use fake AI content. The coalition demands Meta restrict such ads, require clear risk disclosures, and label AI-generated content.
York Hospital (Healthcare Provider, ME) reported a HIPAA breach affecting 1,259 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Paper/Films.
Riverland Community Health (Healthcare Provider, MN) reported a HIPAA breach affecting 940 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Network Server.
Attorney General William Tong joined a coalition of 21 states and D.C. in suing the Trump administration to prevent the defunding of the Consumer Financial Protection Bureau (CFPB). The lawsuit argues that the defunding is unlawful and would cripple consumer protection efforts and state enforcement capabilities. The coalition seeks a court order to ensure CFPB continues to receive funding and fulfill its duties.
HAP (Health Alliance Plan) (Health Plan, MI) reported a HIPAA breach affecting 1,059 individuals. Breach type: Hacking/IT Incident. Location of breached information: Email.
Attorney General William Tong led a coalition of 15 attorneys general in submitting a comment letter to the EPA opposing the Trump Administration's proposal to roll back PFAS reporting requirements under the Toxic Substances Control Act. The coalition argues that the exemptions would shield most manufacturers from reporting critical information about PFAS chemicals, hindering efforts to protect public health and the environment.
Chicago Cosmetic Surgery and Dermatology (Healthcare Provider, IL) reported a HIPAA breach affecting 700 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
TapestryHealth (Healthcare Provider, CT) reported a HIPAA breach affecting 6,494 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other.
Howard Brown Health (Healthcare Provider, IL) reported a HIPAA breach affecting 8,357 individuals. Breach type: Hacking/IT Incident. Location of breached information: Electronic Medical Record.
Mitchell County Department of Social Services (Healthcare Provider, NC) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Reproductive Medicine Associates of Michigan (Healthcare Provider, MI) reported a HIPAA breach affecting 501 individuals. Breach type: Hacking/IT Incident. Location of breached information: Network Server.
Anesthesiology & Pain Consultants, LLC (Healthcare Provider, LA) reported a HIPAA breach affecting 538 individuals. Breach type: Unauthorized Access/Disclosure. Location of breached information: Other Portable Electronic Device.
Texas Attorney General Ken Paxton filed a lawsuit against Sony, Samsung, LG, Hisense, and TCL Technology Group for using Automated Content Recognition (ACR) technology to collect Texans' viewing data without proper consent. A temporary restraining order was secured against Hisense to halt all data collection and sharing. The AG issued a consumer alert with instructions to disable ACR on smart TVs.
The California Privacy Protection Agency fined ROR Partners LLC $56,600 for failing to register as a data broker under the Delete Act. The Nevada-based marketing firm must pay the fine and past-due fees. This action is part of CalPrivacy's enforcement against unregistered data brokers.
$57K
CalPrivacy issued Enforcement Advisory No. 2025-01 to remind data brokers of their annual registration obligations under California's Delete Act, including disclosing all trade names and websites and registering independently rather than through a parent company. The advisory warns that failures to comply may result in administrative fines of $200 per day, plus fees and recovery costs. It also highlights the upcoming Delete Request and Opt-Out Platform (DROP) launching January 1, 2026.
All data sourced from official government enforcement pages.