This Week in Privacy: Jun 15-21, 2026
This week saw a puzzling move by Meta's platforms and a flurry of data breaches affecting millions across healthcare, finance, and government services. The contrast between policy rollbacks and enforcement actions painted a picture of a privacy environment still struggling to find consistency.
Top Stories
[Meta quietly scraps US privacy notices](https://privacywire.org/facebook/facebook-removed-references-to-a-separate-united-jun-2026) — Just days after adding prominent links to a separate United States Regional Privacy Notice, both Facebook and Instagram removed all references to these US-specific disclosures on June 20. The platforms had added the notices on June 15, directing American users to detailed information about their consumer privacy rights. Within five days, those callouts vanished from the table of contents, inline mentions, and dedicated sections. The core privacy policies remain unchanged, but the signposting that helped US residents understand their rights under state laws disappeared without explanation. The abrupt reversal raises questions about what changed internally at Meta in less than a week.
[Healthcare breaches expose millions](https://privacywire.org/industry/hcrg-care-group-a-major-private-provider-jun-2026) — The healthcare sector faced multiple major incidents this week. HCRG Care Group, which provides NHS community services across Kent and Surrey, suffered a ransomware attack that exposed over two terabytes of patient data after staff reported system issues on February 13, 2025. Meanwhile, iRhythm Holdings, a cardiac monitoring company, received ransom demands on June 9 after hackers used social engineering to steal patient health records and proprietary data. In a separate incident, pharmaceutical giant Novo Nordisk refused to pay a $25 million ransom after the FulcrumSec group spent two months inside its networks stealing 1.3 terabytes of data, including clinical trial information and employee records. These breaches underscore the continuing vulnerability of health data, whether held by device makers, research firms, or care providers.
[Ohio wins right to restrict kids' social media access](https://privacywire.org/industry/federal-appeals-court-ruled-that-ohio-can-jun-2026) — The 6th US Circuit Court of Appeals ruled 2-1 on June 18 that Ohio can enforce its Social Media Parental Notification Act, overturning a lower court injunction that had blocked the law since January 2024. The law requires platforms like Instagram, TikTok, YouTube, and Facebook to obtain parental consent before allowing users under 16 to create accounts. The appeals court found the age verification and consent requirements do not violate First Amendment protections, a decision that could influence similar legislative efforts in other states. Florida's attorney general filed suit against TikTok on June 15, alleging the platform allows children under 14 to create accounts and misleads parents by labeling violent, self-harm, and drug-related content as "mild" when it appears frequently and graphically.
[Fake breach notices infiltrate Maine's public database](https://privacywire.org/discord/maine-temporarily-disabled-its-public-data-breach-jun-2026) — Maine's Attorney General's Office temporarily shut down its public data breach notification portal on June 12 after discovering fraudulent filings had been automatically published. Unknown parties submitted fake disclosures impersonating Discord and VRChat, including a completely fabricated claim that VRChat suffered a breach affecting 2.4 million people. The fraudulent submissions used fictitious employee names and were posted without verification, highlighting a systemic vulnerability in automated breach disclosure systems that rely on good-faith reporting.
In Brief
- KerberRose Wealth Management suffered an April 29 breach affecting 27,000 clients, only disclosed publicly because some victims lived in states with mandatory reporting laws (Wisconsin has none).
- Hackers stole OAuth tokens from Klue, a market intelligence platform, to access customer Salesforce CRM instances and exfiltrate relationship data over 24 hours.
- Texas Parks & Wildlife Department exposed driver's license information, passport numbers, and contact details of more than 3 million people through a compromised license system vendor.
- 23andMe's bankruptcy administrator agreed to pay $46.75 million to settle claims from a 2023 breach that compromised genetic data of 6.9 million users.
- ShinyHunters breached Infinite Campus, stealing personal information of 137,000 school staff from the student information system provider's Salesforce instance.
- South Korea fined Coupang 623 billion won for a breach exposing 37.55 million people's data and unlawfully collecting browsing records of 11.17 million users.
- Vermont's governor signed comprehensive data privacy legislation that takes effect January 1, 2028, applying to businesses processing data of 35,000 or more state residents.
- Cybercriminals compromised over 30,000 Fortinet firewalls worldwide by exploiting weak or default passwords, not new vulnerabilities.
- Amazon is investigating three engineers who testified at Seattle city council hearings supporting AI data center construction regulations and renewable energy requirements.
- The FTC's lawsuit against Amazon alleging dark patterns in Prime enrollment moves toward a February 2025 non-jury trial after a judge rejected dismissal motions.
The Big Picture
This week illustrated the ongoing disconnect between privacy as policy and privacy as practice. Meta added and removed user-facing privacy notices within days, suggesting internal uncertainty about regulatory compliance strategies. An appeals court ruling on Ohio's law and a Florida lawsuit against TikTok pushed forward on child protection measures, while Vermont joined the growing list of states crafting comprehensive privacy frameworks. Yet none of these policy moves addressed the relentless stream of breaches, from healthcare providers to school systems to financial firms. The fraudulent Maine breach notices reveal another layer: even the infrastructure meant to inform the public about privacy failures can be manipulated. As states experiment with age verification and consent requirements, the basic work of securing stored data remains incomplete, leaving millions exposed regardless of what policies say on paper.