This Week in Privacy: Mar 30 - Apr 5, 2026

27 events covered

Topics: Apple, Facebook, Google, Industry, Instagram, Microsoft, Reddit

The first week of April brought sweeping changes to how Meta handles user data, with both Facebook and Instagram transferring control from the US to Ireland while introducing new disclosures about AI data use. Meanwhile, a cascade of breaches demonstrated that healthcare remains one of the most vulnerable sectors, with hospitals from Hong Kong to Texas exposing patient records through both technical failures and insider threats.

Top Stories

Meta Shifts Data Control to Ireland, Adds AI Disclosures

In a major privacy policy overhaul on April 3, both Facebook and Instagram transferred their data controller role from Meta Platforms, Inc. to Meta Platforms Ireland Limited. The changes go beyond a simple corporate shuffle. The updated policies introduce new disclosures about how the platforms collect metadata from AI interactions and establish joint controller arrangements with Facebook Page administrators and business partners. Perhaps most significantly, combining data across Meta products through Accounts Center is now opt-in rather than automatic.

The revisions also removed previous language about combating racial bias against marginalized communities and restructured sections on legal basis and user rights. Instagram now requires mandatory age and gender information for account creation, making these data points non-negotiable for users who want accounts on the platform.

Dating App OkCupid Settles Over Unauthorized AI Data Sharing

OkCupid and its parent company Match Group settled with the Federal Trade Commission over allegations that in 2014, the dating platform shared three million user photos and location data with Clarifai, a facial recognition and AI company, without informing users. The FTC lawsuit alleges the sharing occurred because OkCupid's founders were financial investors in Clarifai, creating an undisclosed conflict of interest. Users were never given opt-out options, and the data sharing violated OkCupid's own privacy policy, which limited data sharing to service providers, not unrelated third parties. While the settlement includes no monetary penalty, it permanently prohibits the companies from misrepresenting their data collection practices.

Strava Heatmap Exposes Secret Military Installations

Strava's publicly accessible Global Heatmap, which visualizes GPS tracking data from over one billion user activities, inadvertently revealed the locations of secret US military bases and personnel movement patterns in conflict zones including Afghanistan and Syria. Military analysts discovered that jogging trails at forward operating bases were clearly visible on the map, allowing identification of facilities that don't appear on Google Maps. In remote locations where Strava users were predominantly US military personnel, the tracked activities became easily attributable to specific military installations, creating a significant operational security vulnerability.

Healthcare Breaches Continue to Mount

Hong Kong's Hospital Authority detected unauthorized access to patient data at 2am on April 3, affecting over 56,000 patients from Kowloon East cluster hospitals. The breach, traced to a contractor's system maintenance work, exposed names, ID numbers, dates of birth, and surgical procedure details. Meanwhile, Central Maine Healthcare revised its initial breach report from eight affected individuals to more than 145,000 people following a June 2025 incident. The compromised data may have included Social Security numbers and treatment information.

In Brief

  • Threat group TeamPCP breached the European Commission's AWS environment using a stolen API key, exfiltrating 90GB of data including personal information from users across European Commission websites.
  • Drift cryptocurrency exchange was hacked for approximately $285 million when attackers exploited a vulnerability in a new lending market feature.
  • Italy's data protection authority fined Intesa Sanpaolo bank €31.8 million after an employee conducted over 6,600 unauthorized queries accessing 3,573 customers' banking data over two years.
  • Microsoft consolidated its data retention policy, removing specific timelines like the 18-month de-identification period for Bing search queries and shifting to general statements about retaining data "as long as necessary."
  • Google agreed to pay $68 million to settle a class action lawsuit alleging Google Assistant recorded users without intentional activation and disclosed recordings to third-party review vendors.
  • UnitedHealth confirmed the Change Healthcare ransomware attack exposed health information potentially affecting a substantial proportion of people in America, with the company paying $22 million in ransom.
  • Hong Kong's Tuen Mun Hospital incorrectly calibrated a medical testing machine for two years from 2013 to 2015, affecting nearly 10,000 patients who received test results interpreted against incorrect gender-based reference values.
  • Apple Distribution International was fined £390,000 for making payments totaling over £635,000 to a Russian streaming service owned by a sanctioned company.
  • A US District Judge remanded Reddit's lawsuit against Anthropic back to California state court, where Reddit alleges the AI company illegally scraped platform data.

The Big Picture

This week reveals how data privacy failures cut across every sector, from social media giants restructuring their legal frameworks to healthcare systems struggling with basic security hygiene. The common thread is inadequate oversight, whether it's fitness apps publishing military movements, contractors accessing hospital systems without proper controls, or dating platforms sharing millions of photos with AI companies because of undisclosed financial relationships. What's particularly concerning is the scale. We're seeing breaches affecting hundreds of thousands of people (Central Maine Healthcare, Hospital Authority) and even hundreds of millions (Change Healthcare), while policy changes at Meta affect billions. The normalization of these massive numbers suggests we've moved from treating data protection as a fundamental right to accepting widespread exposure as inevitable.
