United States
A fragmented but high-stakes enforcement landscape spanning federal agencies (FTC, SEC, DOJ, FinCEN, HHS OCR) and assertive state attorneys general. Individual penalties can reach billions of dollars; California's CCPA/CPRA leads US privacy enforcement at the state level.
The world's most consequential enforcement jurisdiction
Total fines tracked: €5.2B (EUR equivalent of the US dollar amounts in the cases below)
Average fine: €435.3M per enforcement action
Top sector: Technology (most-fined industry)
Enforcement
Landmark Cases
Cerebral Inc. (technology)
Cerebral, a mental health telehealth company, was fined $7 million for sharing sensitive mental health information of approximately 3.2 million users — including conditions such as depression, anxiety, ADHD, and suicidality disclosed in intake questionnaires — with Meta, Google, TikTok, and other advertising platforms through tracking pixels and social media login features, violating its explicit privacy promises. The FTC also found Cerebral's subscription cancellation process was deliberately designed to make it difficult for patients to discontinue care, constituting an unfair practice. Cerebral was prohibited from using or disclosing health data for advertising.
€6.4M
Advocate Aurora Health (technology)
Advocate Aurora Health agreed to pay $12.9 million to HHS OCR — the largest HIPAA settlement of 2024 — for unauthorised disclosure of the protected health information of approximately 3 million patients through tracking pixels (Meta Pixel and Google Analytics) embedded on its patient-facing websites and patient portal. The tracking technologies transmitted patient identities, appointment details, IP addresses, and proxy health information to Meta and Google without patient authorisation, constituting impermissible disclosures of PHI to advertising platforms that were not business associates under HIPAA.
€11.9M
Amazon.com Inc. (Alexa) (technology)
Amazon was fined $25 million for COPPA violations related to Alexa, specifically for retaining children's voice recordings, transcripts, and geolocation data indefinitely in violation of its own privacy promises and COPPA's data minimisation requirements. The FTC found Amazon retained children's voice data for years even after parents requested deletion, gave employees broad access to children's voice recordings, and used children's geolocation data for product improvement without parental consent. Internal Amazon managers had raised concerns about the retention practices, but those concerns were overruled on business grounds.
€23M
Amazon.com Inc. (Ring) (cybersecurity)
Ring, Amazon's home security camera subsidiary, agreed to pay $5.8 million after the FTC found it had allowed employees and contractors unrestricted access to customers' private video footage — including footage from intimate indoor cameras — and had failed to implement basic security controls, leaving thousands of customer accounts exposed to credential-stuffing and brute-force attacks. The FTC characterised Ring's internal culture as 'anything goes' with respect to employee access to sensitive footage, citing a Ukraine-based contractor who was allowed to view thousands of recordings without any purpose limitation or security review.
€5.3M
BetterHelp Inc. (technology)
BetterHelp, an online mental health counselling platform, was fined $7.8 million for sharing customers' sensitive mental health information — including intake questionnaire responses about depression, anxiety, and therapy history — with Facebook, Snapchat, Criteo, and Pinterest for targeted advertising, directly contradicting explicit privacy promises that mental health data would never be used for advertising. The FTC found BetterHelp uploaded therapy users' email addresses and Facebook IDs to create Custom Audiences and Lookalike Audiences for new customer acquisition. The $7.8M settlement was used to provide refunds to affected consumers.
€7.2M
GoodRx Holdings Inc. (technology)
GoodRx was subject to the FTC's first-ever enforcement action under the Health Breach Notification Rule, paying a $1.5 million civil penalty, for sharing customers' sensitive personal health information — including prescription drug purchases and associated medical conditions — with Facebook, Google, Criteo, and other advertising platforms for targeted advertising, without users' knowledge or consent. The FTC found GoodRx failed to honour its privacy policy commitment not to share health information with advertisers and violated its promise to limit data use to healthcare purposes. GoodRx also failed to notify affected users of the disclosures as the Rule requires.
€1.4M
Epic Games Inc. (technology)
Epic Games was fined $275 million for COPPA violations in Fortnite — including collecting personal information from children under 13 without verifiable parental consent, enabling live voice communications between children and adults by default, and creating accounts for children without parental authorisation. A simultaneous $245 million dark patterns settlement (total $520M) addressed charges that Epic used manipulative button configurations and accidental-charge mechanisms to cause players to make unintended in-game purchases. The combined $520 million settlement was the largest FTC enforcement action in gaming history.
€253M
Twitter Inc. (technology)
Twitter was fined $150 million for violating a 2011 FTC consent order by using phone numbers and email addresses that users had provided for two-factor authentication security purposes to deliver targeted advertising through its Tailored Audiences programme between 2014 and 2019. The FTC found Twitter had explicitly told users the data was collected solely for account security while simultaneously monetising it for advertising targeting. The settlement also required a comprehensive privacy and information security programme with independent biennial assessments.
€138M
Premera Blue Cross (cybersecurity)
Premera Blue Cross agreed to pay $6.85 million to HHS OCR following a 2014 cyberattack that exposed the protected health information of 10.4 million individuals, including clinical and financial information. HHS OCR found systemic HIPAA non-compliance, including failure to conduct an accurate and thorough risk analysis and failure to implement information system activity review. Critically, a third-party security audit had identified the vulnerabilities later exploited by the attackers several months before the breach, but Premera had not completed remediation by the time of the intrusion.
€6.3M
Google LLC / YouTube LLC (technology)
The FTC and New York Attorney General imposed a combined $170 million penalty ($136M FTC + $34M NY AG) against Google and YouTube for violating COPPA by collecting persistent identifiers — used for targeted advertising — from viewers of child-directed content on YouTube without verifiable parental consent. Google had classified YouTube channels as child-directed yet systematically collected data from those channels' audiences and used it to serve behavioural advertising. This was the largest COPPA penalty in US history at the time.
€156.4M
Meta Platforms Inc. (Facebook) (technology)
The FTC imposed a record $5 billion civil penalty against Facebook for multiple violations of a 2012 consent order requiring affirmative user consent before sharing data with third parties, most visibly through the Cambridge Analytica scandal in which data from approximately 87 million users was harvested without consent. The FTC found Facebook made repeated misrepresentations about user privacy and the effectiveness of its privacy controls. The order imposed far-reaching structural requirements, including creation of an independent privacy committee of Facebook's board and personal quarterly privacy certifications from CEO Mark Zuckerberg.
€4.6B
Anthem Inc. (cybersecurity)
Anthem Inc. agreed to pay $16 million — the largest HIPAA settlement in history at the time — following a 2015 cyberattack that compromised the electronic protected health information of approximately 78.8 million individuals, the largest healthcare data breach in US history. HHS OCR found Anthem failed to conduct an enterprise-wide HIPAA security risk analysis, failed to implement appropriate information system activity review, and had insufficient technical controls to identify and respond to suspicious network activity prior to the breach. The settlement also required a comprehensive corrective action plan monitored for two years.
€14.7M
Legal Framework
Regulations by Domain
Technology
US State Privacy Laws (VA, CO, CT, TX, FL, and others)
FTC Act Section 5 — Unfair or Deceptive Acts or Practices
California Consumer Privacy Act / California Privacy Rights Act
Finance
Dodd-Frank Wall Street Reform and Consumer Protection Act
Sarbanes-Oxley Act
Foreign Account Tax Compliance Act
SEC Cybersecurity Disclosure Rules (2023)
Bank Secrecy Act / FinCEN AML Rules
Tax
Foreign Account Tax Compliance Act
Cybersecurity
SEC Cybersecurity Disclosure Rules (2023)