Regulatory Enforcement and Penalty Updates for Privacy Violations
Regulators and courts continued to impose and update financial consequences for privacy violations across major regimes. In the EU, GDPR enforcement remained significant, with cumulative fines since 2018 reaching €7.1B and annual totals around €1.2B, while Ireland’s Data Protection Commission continued to lead enforcement totals due to the EU headquarters of major US tech firms; notable penalties cited include €1.2B against Meta Platforms Ireland Ltd. and €530M against TikTok for alleged transfers of EU user data to China.
In the US, Apple began issuing payments under a $95M settlement tied to allegations that Siri captured private conversations and that data was used for advertising, with per-device payouts reported as variable and capped (up to five devices per claimant). Separately, the US Department of Health and Human Services’ Office for Civil Rights implemented an inflation-based increase to HIPAA civil monetary penalties effective immediately, updating tiered per-violation minimums and maximums and noting the adjustment was applied later than the statutory schedule required under the federal inflation adjustment framework.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
HHS raises HIPAA civil monetary penalties for inflation
HHS' Office for Civil Rights increased HIPAA civil monetary penalties effective January 28, 2026, applying the overdue 2025 inflation adjustment. Updated penalty tiers range from a $145 minimum per violation up to $73,011 per violation, with annual caps reaching $2,190,294 depending on the tier.
Apple begins issuing Siri settlement payments to claimants
Payments tied to Apple's $95 million Siri settlement began appearing in claimants' accounts, reportedly labeled 'Lopez v. Apple.' Reports said payouts started appearing on January 23, 2026, with awards capped at $20 per device but sometimes reduced when multiple devices were claimed.
Deadline passes for Apple Siri settlement claims
The deadline to file claims in the Apple Siri settlement was July 2, 2025. Eligible claimants were owners of Siri-enabled Apple devices used between September 17, 2014 and December 31, 2024, with up to five devices per claimant.
TikTok fined €530 million over China data transfers
TikTok Technology Ltd. was fined €530 million in April 2025 for transferring personal user data to China. The penalty was cited as one of the major recent GDPR enforcement actions.
HHS misses statutory deadline for 2025 HIPAA inflation adjustment
The Department of Health and Human Services did not apply the required 2025 inflation adjustment to HIPAA civil monetary penalties by the January 17, 2025 deadline set under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The adjustment was later described as more than a year overdue.
Meta receives record €1.2 billion GDPR fine
European regulators imposed a €1.2 billion GDPR fine on Meta Platforms Ireland Ltd., identified in the reporting as the largest GDPR penalty to date. The fine contributed significantly to Ireland's leading enforcement total under the GDPR.
Lawsuit filed against Apple over Siri eavesdropping allegations
A lawsuit was filed in California alleging Siri unlawfully recorded private conversations and that the data was used for advertising purposes. Apple denied wrongdoing but later agreed to settle the case to avoid further litigation.
The Guardian reports Apple contractors reviewed Siri recordings
Reporting in 2019 revealed that Apple used subcontractors to review Siri recordings and that accidental activations sometimes captured sensitive private conversations. The disclosures became a key basis for later litigation over alleged unlawful recording and use of Siri data.
GDPR takes effect across the European Union
The EU General Data Protection Regulation came into force, establishing the enforcement regime under which European data protection authorities have since issued billions of euros in fines. DLA Piper said cumulative GDPR fines have reached €7.1 billion since May 2018.
Sources
3 references tracked.
Reports of GDPR violations have risen sharply | CSO Online
csoonline.com
$95M Payout: Apple Begins Compensating Users in Siri Eavesdropping Case
techrepublic.com
HHS Applies Inflation Increase to Penalties for HIPAA Violations
hipaajournal.com


