This Week in Privacy: May 18-24, 2026
The healthcare sector bore the brunt of this week's privacy disasters, with breaches exposing everything from patient records to biometric data. Meanwhile, Google agreed to pay $135 million to settle claims it secretly siphoned data from Android phones, and Texas launched an aggressive legal campaign challenging the privacy promises of major tech platforms.
Top Stories
Google to Pay $135 Million for Secret Android Data Collection
Google settled a major class action lawsuit for $135 million over allegations that it collected data from Android devices without user consent from November 2017 to the present. The lawsuit claimed Google caused phones to transfer information and consume cellular data without permission, essentially turning millions of devices into involuntary data transmitters. A preliminary settlement reached in January awaits final approval on June 23. The case highlights how operating system makers can exploit their control over device behavior to harvest data, even when users haven't explicitly agreed to such collection.
Healthcare Data Breaches Expose Millions
This week saw two devastating healthcare breaches that underscore the vulnerability of medical records. German university hospitals lost patient data for over 100,000 people when hackers breached Unimed, a third-party billing provider, in mid-April. The stolen information includes names, addresses, and in roughly 2,000 cases, detailed health records linked to specific diagnoses and treatments.
Closer to home, NYC Health + Hospitals revealed that a cyberattack running from November 2025 through February 2026 compromised data for at least 1.8 million individuals. Hackers accessed the nation's largest public health system through a compromised vendor and copied medical records, Social Security numbers, and even biometric data including fingerprints and palm prints. The breach stands as one of 2026's largest healthcare data incidents, demonstrating how third-party vendors create dangerous backdoors into sensitive medical information.
Texas Challenges Tech Giants on Privacy Claims
The Texas Attorney General launched an aggressive legal offensive this week, filing lawsuits that question whether major platforms are being honest about their privacy protections. Most notably, Texas sued Meta over WhatsApp, claiming the messaging app doesn't actually provide the end-to-end encryption it has publicly promised since 2016. The lawsuit relies on a Bloomberg report about a closed federal investigation that allegedly found Meta could view WhatsApp messages without limitation, directly contradicting CEO Mark Zuckerberg's 2018 sworn testimony to the Senate.
Texas also targeted Netflix, alleging the streaming service illegally collects viewing habits, device information, and behavioral data from users, including children, then sells detailed consumer profiles to other companies. The lawsuit accuses Netflix of using deceptive disclosures about data collection and designing addictive features like autoplay that particularly impact children. Whether these lawsuits succeed or not, they signal growing state-level willingness to challenge tech companies' privacy representations directly.
In Brief
- Trump Mobile exposed customer data including names, addresses, and phone numbers through a third-party platform, discovered after customers found their own information publicly accessible online.
- Alera Group agreed to pay $2 million to settle claims it waited nearly two years to notify victims of a 2024 breach that exposed employee and client data.
- Beacon Mutual Insurance suffered a January ransomware attack affecting 162,000 people, including 4,500 Rhode Island state employees, with notifications finally going out in May.
- The FTC settled with Cox Media Group for nearly $1 million after the company falsely advertised an "Active Listening" service that supposedly collected audio from smart devices but actually just resold email lists.
- GitHub confirmed hackers accessed 3,800 internal code repositories after an employee's device was compromised through a malicious VS Code extension, with stolen code now being sold for $50,000.
- The Canvas learning platform was breached by ShinyHunters, potentially exposing data for 275 million users at 9,000 educational institutions worldwide.
- Grafana Labs disclosed that hackers used a compromised GitHub token to steal source code and business contact information after the company failed to rotate one authentication credential.
- Discord rolled out end-to-end encryption for all voice and video calls by default for 200 million monthly users, covering everything except stage channels designed for public broadcasts.
- 7-Eleven confirmed a breach after ShinyHunters claimed to have stolen over 600,000 records from the company's Salesforce system.
- Meta, YouTube, Snap, and TikTok settled with a Kentucky school district seeking compensation for social media-related student mental health harms, avoiding what would have been a precedent-setting trial.
The Big Picture
This week reveals two contradictory forces shaping digital privacy. On one hand, we're seeing genuine security improvements like Discord's comprehensive encryption rollout, showing that platforms can implement strong protections at scale. On the other, the cascade of healthcare breaches, delayed notifications, and fundamental questions about whether companies like WhatsApp and Netflix are being truthful about their privacy practices suggests a crisis of trust. The healthcare sector's repeated failures are particularly alarming because medical data carries permanent consequences for victims. Meanwhile, state attorneys general are stepping into the enforcement vacuum, willing to challenge even the biggest platforms on their core privacy claims. The question is whether lawsuits and settlements are enough, or whether we need fundamental changes to how companies handle data and how quickly they must disclose breaches.