Rising Regulatory and Governance Pressure on Data Protection and Cybersecurity
European regulators issued roughly €1.2 billion in GDPR fines in 2025 and received an average of 443 personal data breach notifications per day, signaling both heavier enforcement and higher reporting volume at a time when GDPR breach notification overlaps with newer disclosure regimes such as NIS2 and DORA. Ireland remained the leading enforcement authority, including a €530 million fine against TikTok, and large technology firms continued to account for most of the largest penalties; cumulative GDPR penalties since 2018 were reported at €7.1 billion.
In the U.S., an HHS Office of Inspector General management challenges report highlighted persistent federal healthcare cybersecurity gaps, including inconsistent governance and controls across HHS divisions and heavy dependence on contractors and grantees to implement security measures. These conditions complicate both prevention and response as ransomware and other attacks continue to target healthcare. Separately, an academic study on insider risk reported that 58% of surveyed college students in technology-related programs said they would violate HIPAA and disclose patient data for a sufficient payment, underscoring the human and insider threat dimension that drives breach risk and, in turn, regulatory exposure.

How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
HHS-OIG publishes annual report on HHS cybersecurity challenges
The HHS Office of Inspector General published its annual "Top Management and Performance Challenges Facing HHS" report, highlighting persistent cybersecurity weaknesses across HHS, including inconsistent governance, weak contractor oversight, legacy technology, and workforce constraints. The report also warned that HIPAA's aging Privacy and Security Rules may be inadequate against current threats and noted slow progress on updating them.
European GDPR fines reach about €1.2 billion in 2025
GDPR enforcement activity increased during 2025, with total fines across Europe reaching about €1.2 billion (roughly £1 billion). Regulators also received an average of 443 personal data breach notifications per day, the first time the daily average exceeded 400 since GDPR took effect.
Ireland issues €530 million GDPR fine to TikTok
In 2025, Ireland was the leading GDPR enforcer and issued a €530 million fine to TikTok, one of the year's most significant enforcement actions.
Meta receives record €1.2 billion GDPR fine
European regulators imposed a €1.2 billion GDPR fine on Meta in 2023, two years before the 2025 enforcement period covered here; as of the 2026 reporting it remained the largest single GDPR penalty on record.
GDPR takes effect across Europe
The EU General Data Protection Regulation came into force in May 2018, establishing mandatory personal data breach notification requirements and a new enforcement regime across Europe.


